Re: [Hampshire] SSH pain
2009/2/9 Paul Stimpson :
> Hi,
>
> Thanks. That was it. I'd not put the key in authorized_keys properly and,
> when I did, sshd was refusing to open it because the permissions on the
> user's home were too lax (it was group writable).
>

I've been bitten by that one before as well. Trouble is, sshd is pretty reticent about the issue so it can be quite hard to determine just what the problem is.

I probably should not say this but I have sometimes been (too?) relaxed about group permissions on a box, since usually I am the only user. In fact I wonder if the 'user/group/world' permission model that has been there since the start of the epoch is actually a bit anachronistic. These days I can believe that there are assorted daemons who'd each like a slice of some hardware resource, and so some sharing/locking structure is appropriate, but how many PCs have multiple different human users with conflicting, overlapping access rights such that I and my alter ego can share some things, keep some things to ourselves, but hide others from other alter egos?

--
Please post to: Hampshire@mailman.lug.org.uk
Web Interface: https://mailman.lug.org.uk/mailman/listinfo/hampshire
LUG URL: http://www.hantslug.org.uk
--
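The group-writable home directory that tripped sshd above is one of the ownership and mode checks sshd makes (with StrictModes on, the default) before it will read ~/.ssh/authorized_keys, and as noted it fails quietly from the client's side. The script below is an added example, not code from this thread or from OpenSSH: it walks the home directory, ~/.ssh and authorized_keys and reports which of them is group- or world-writable or owned by the wrong account. The helper names (check_path, check_ssh_perms) are this example's own.

```shell
#!/bin/sh
# Added example: reproduce the ownership/mode checks sshd applies (StrictModes,
# on by default) before it reads ~/.ssh/authorized_keys, and say which path failed.

# Print the 10-character mode string of a path, e.g. drwxrwxr-x.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Print the owner name of a path.
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# check_path PATH OWNER: fail if PATH is group- or world-writable, or owned by
# neither OWNER nor root (the conditions sshd enforces on these paths).
check_path() {
    path=$1
    want=$2
    mode=$(mode_of "$path")
    owner=$(owner_of "$path")
    status=ok
    # character 6 of the mode string is the group write bit, character 9 the
    # world write bit; either set means sshd will not trust the file.
    case "$mode" in
        ?????w*) status="group-writable" ;;
    esac
    case "$mode" in
        ????????w*) status="world-writable" ;;
    esac
    if [ "$owner" != "$want" ] && [ "$owner" != "root" ]; then
        status="owned by $owner, not $want"
    fi
    if [ "$status" = ok ]; then
        printf 'ok    %s %s\n' "$mode" "$path"
        return 0
    fi
    printf 'BAD   %s %s (%s)\n' "$mode" "$path" "$status"
    return 1
}

# check_ssh_perms HOME [USER]: check every path sshd inspects for USER
# (default: the current user) and return 1 if any of them fails.
check_ssh_perms() {
    home=$1
    user=${2:-$(id -un)}
    rc=0
    check_path "$home" "$user" || rc=1
    if [ -d "$home/.ssh" ]; then
        check_path "$home/.ssh" "$user" || rc=1
    fi
    if [ -f "$home/.ssh/authorized_keys" ]; then
        check_path "$home/.ssh/authorized_keys" "$user" || rc=1
    fi
    return $rc
}

# Usage: sh check_ssh_perms.sh /home/newuser1 newuser1
if [ -n "${1:-}" ]; then
    check_ssh_perms "$1" "${2:-$(id -un)}"
fi
```

Run it as the account that is failing to log in (or as root with the user named as the second argument); a BAD line names the path to fix with chmod g-w or chmod o-w, which is exactly what the group-writable home above needed.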
Re: [Hampshire] SSH pain
Hi,

Thanks. That was it. I'd not put the key in authorized_keys properly and, when I did, sshd was refusing to open it because the permissions on the user's home were too lax (it was group writable).

Cheers,
Paul.

Sent from my BlackBerry® wireless device
Re: [Hampshire] SSH pain
Paul Stimpson wrote:
> Hi,
>
> I've been using SSH2 to log into my home server for so long I can't remember
> exactly what I did to set it up. Yesterday I added a new user to the server
> and I want them to be able to use SFTP.
>
> I created a new user and generated new id_rsa and id_rsa.pub files (tried
> several variants of ssh-keygen -t rsa). I added the username to the
> AllowUsers directive in /etc/ssh/sshd_config and copied the id_rsa file over
> to my laptop and put it in a new user's .ssh directory.
>
> If I try to log in using ssh ip.address.of.machine -p -l username -v
> using the wrong username it goes through verifying the server's fingerprint
> then bombs, as expected, and an invalid login attempt is written to
> /var/log/auth.log. If I try with the correct username it goes through the
> process, the client offers the key then says which auth methods can continue
> before trying some more and failing. In this case, nothing gets written to
> /var/log/auth.log. My existing id_rsa for my own account still works.
>
> I'm sure I've done something silly. I think I regenerated all or most of the
> keys after the dodgy key panic last year. I would be really grateful for any
> pointers that might get me closer to the solution.
>
> Thanks,
> Paul.
>

Check the permissions and ownership of the newly copied/created files. Incorrect permissions will give similar errors to yours.

Simon C.
Re: [Hampshire] SSH pain
Paul Stimpson wrote:
> Hi,
>
> I've been using SSH2 to log into my home server for so long I can't remember
> exactly what I did to set it up. Yesterday I added a new user to the server
> and I want them to be able to use SFTP.
>
> I created a new user and generated new id_rsa and id_rsa.pub files (tried
> several variants of ssh-keygen -t rsa). I added the username to the
> AllowUsers directive in /etc/ssh/sshd_config and copied the id_rsa file over
> to my laptop and put it in a new user's .ssh directory.
>
> If I try to log in using ssh ip.address.of.machine -p -l username -v
> using the wrong username it goes through verifying the server's fingerprint
> then bombs, as expected, and an invalid login attempt is written to
> /var/log/auth.log. If I try with the correct username it goes through the
> process, the client offers the key then says which auth methods can continue
> before trying some more and failing. In this case, nothing gets written to
> /var/log/auth.log. My existing id_rsa for my own account still works.
>
> I'm sure I've done something silly. I think I regenerated all or most of the
> keys after the dodgy key panic last year. I would be really grateful for any
> pointers that might get me closer to the solution.
>
> Sent from my BlackBerry® wireless device

The safest way to do this is to use ssh-keygen to create the directory structure in the new user's home directory after adding the user.

Logon to the destination server.

$ sudo useradd newuser1
$ sudo passwd newuser1
Changing password for user newuser1.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
$ su - newuser1
Password:
$ ls -al
total 32
drwx------ 4 newuser1 newuser1 4096 2009-02-08 14:17 .
drwxr-xr-x 6 root     root     4096 2009-02-08 14:16 ..
-rw-r--r-- 1 newuser1 newuser1   18 2008-12-15 11:04 .bash_logout
-rw-r--r-- 1 newuser1 newuser1  176 2008-12-15 11:04 .bash_profile
-rw-r--r-- 1 newuser1 newuser1  124 2008-12-15 11:04 .bashrc

If already created before, remove the .ssh directory if you already have one:

$ rm -rf .ssh
$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/newuser1/.ssh/id_dsa):
Created directory '/home/newuser1/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/newuser1/.ssh/id_dsa.
Your public key has been saved in /home/newuser1/.ssh/id_dsa.pub.
The key fingerprint is:
The key's randomart image is:
+--[ DSA 1024]+
| |
| |
| . |
|. o |
|+ o o S|
|oo. + +. |
|*..+ o. |
|B+ .o.. |
|*E. oo |
+-+
$ ls -al
total 36
drwx------ 5 newuser1 newuser1 4096 2009-02-08 14:17 .
drwxr-xr-x 6 root     root     4096 2009-02-08 14:16 ..
-rw-r--r-- 1 newuser1 newuser1   18 2008-12-15 11:04 .bash_logout
-rw-r--r-- 1 newuser1 newuser1  176 2008-12-15 11:04 .bash_profile
-rw-r--r-- 1 newuser1 newuser1  124 2008-12-15 11:04 .bashrc
drwx------ 2 newuser1 newuser1 4096 2009-02-08 14:17 .ssh
$ ls -al .ssh
total 16
drwx------ 2 newuser1 newuser1 4096 2009-02-08 14:17 .
drwx------ 5 newuser1 newuser1 4096 2009-02-08 14:17 ..
-rw------- 1 newuser1 newuser1  668 2009-02-08 14:17 id_dsa
-rw-r--r-- 1 newuser1 newuser1  634 2009-02-08 14:17 id_dsa.pub

This has now created the directory structure with the correct permissions.

Now go to the computer you want to logon from. You will need the openssh-clients package installed:

$ which ssh-copy-id
/usr/bin/ssh-copy-id
$ rpm -qf /usr/bin/ssh-copy-id
openssh-clients-5.1p1-3.fc10.i386

Create the new keys and copy the public key to the destination server:

$ ssh-keygen -t dsa
$ ssh-copy-id -i .ssh/id_dsa.pub destserver
(or ssh-copy-id -i .ssh/id_dsa.pub 172.168.1.201)

Now you should be able to logon:

ssh destserver

John.

P.S. SSH2 is strictly the proprietary SSH v2 and not openssh v2 (they use different key formats and are not compatible. You can convert from one to the other using openssh tools).

--
Discover Linux - Open Source Solutions to Business and Schools
http://discoverlinux.co.uk
--
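The value of ssh-copy-id in the procedure above is that it does the server-side steps in the right order and with the right modes: it creates ~/.ssh as 0700, appends the public key (id_dsa.pub, never the private id_dsa that was copied the wrong way earlier in this thread) to authorized_keys, and leaves that file at 0600. The script below is an added example that spells those steps out; it is not code from this thread or from OpenSSH, and the function names install_authorized_key and count_keys are this example's own. It goes one step further than the passage by refusing anything that is not a public-key line and by not adding the same key twice.

```shell
#!/bin/sh
# Added example: the server-side steps ssh-copy-id performs, written out so each
# is visible. Not part of the thread or of OpenSSH.

# install_authorized_key HOME PUBKEY_LINE
# Returns 0 when the key is present afterwards (installed now or already there),
# 1 when PUBKEY_LINE does not look like a public key line.
install_authorized_key() {
    home=$1
    pubkey=$2
    ssh_dir="$home/.ssh"
    auth="$ssh_dir/authorized_keys"

    # Accept only "<type> <base64> [comment]". This is the check that catches
    # a private key file (or the wrong file altogether) being pasted in.
    case "$pubkey" in
        ssh-rsa\ *|ssh-dss\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not a public key line: ${pubkey%% *}" >&2; return 1 ;;
    esac

    # Directory and file with the modes sshd's StrictModes check expects.
    [ -d "$ssh_dir" ] || mkdir "$ssh_dir"
    chmod 700 "$ssh_dir"
    [ -f "$auth" ] || : > "$auth"
    chmod 600 "$auth"

    # Compare on type and key material only, so the same key with a different
    # comment does not become a duplicate entry.
    keyid=$(printf '%s\n' "$pubkey" | awk '{print $1, $2}')
    if awk -v want="$keyid" '($1 " " $2) == want {found=1} END {exit !found}' "$auth"; then
        echo "already present: $keyid" >&2
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$auth"
    return 0
}

# count_keys HOME: number of key lines currently installed for HOME.
count_keys() {
    wc -l < "$1/.ssh/authorized_keys" | tr -d ' '
}

# Usage: sh install_key.sh /home/newuser1 "$(cat id_dsa.pub)"
if [ -n "${2:-}" ]; then
    install_authorized_key "$1" "$2"
fi
```

Used this way the script runs as the target user on the server after the key has been transferred, which mirrors ssh-copy-id; the duplicate check also makes it safe to re-run when you cannot remember whether the key was already installed.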
Re: [Hampshire] SSH pain
On Sunday 08 Feb 2009, Victor Churchill wrote:
> It's the id_rsa.pub key that you need to copy to the target machine.

That would do it, copy the wrong bit and it doesn't work!

There is a nice SSH command to copy the bits for you: ssh-copy-id, which does all the right things and stops you from making errors.

Like you, SSH is something I do and forget, so it's sometimes hard to remember what to do as it just works once it's all set up. Perhaps there is something to Windows, all the reinstalling means you get really good at setting things up!

--
Adam Trickett
Overton, HANTS, UK

In the field of observation, chance favours only the prepared minds.
-- Louis Pasteur
Re: [Hampshire] SSH pain
Paul Stimpson wrote:
> I've been using SSH2 to log into my home server
> for so long I can't remember exactly what I did
> to set it up. Yesterday I added a new user to
> the server and I want them to be able to use
> SFTP.
>
> I created a new user and generated new
> id_rsa and id_rsa.pub files (tried several
> variants of ssh-keygen -t rsa). I added the
> username to the AllowUsers directive in
> /etc/ssh/sshd_config and copied the id_rsa file
> over to my laptop and put it in a new user's
> .ssh directory.

Couple of immediate notes...

- You need to copy the ssh_host_[rd]sa.pub key to the client, not the user's key. You probably have already done this.

- You'll need to create keys for the new user on the laptop, then copy the id_[rd]sa.pub to the server, and put them in ~/.ssh/authorized_keys

In the SSH protocol, the client checks the authenticity of the server with the ssh_host_[rd]sa keys, then the server checks the user's authenticity with the id_[rd]sa keys.

Beyond that, looking at the server's sshd_config and the client's ssh_config would be useful.

Nick.

--
Nick Chalk . once a Radio Designer
Confidence is failing to understand the problem.
Re: [Hampshire] SSH pain
It's the id_rsa.pub key that you need to copy to the target machine.
Re: [Hampshire] SSH pain
On Sunday 08 Feb 2009, Paul Stimpson wrote:
> Hi,
>
> I've been using SSH2 to log into my home server for so long I can't
> remember exactly what I did to set it up. Yesterday I added a new user to
> the server and I want them to be able to use SFTP.
>
> I'm sure I've done something silly. I think I regenerated all or most of
> the keys after the dodgy key panic last year. I would be really grateful
> for any pointers that might get me closer to the solution.

If you can, I find running the SSH daemon manually in the foreground on the server with debugging turned on, then trying to connect from the client also with verbose options, usually reveals the problem on one system or the other. In my case it's usually incorrect permissions on the .ssh directory that does it, or something similar.

--
Adam Trickett
Overton, HANTS, UK

Reality leaves a lot to the imagination.
-- John Lennon
[Hampshire] SSH pain
Hi,

I've been using SSH2 to log into my home server for so long I can't remember exactly what I did to set it up. Yesterday I added a new user to the server and I want them to be able to use SFTP.

I created a new user and generated new id_rsa and id_rsa.pub files (tried several variants of ssh-keygen -t rsa). I added the username to the AllowUsers directive in /etc/ssh/sshd_config and copied the id_rsa file over to my laptop and put it in a new user's .ssh directory.

If I try to log in using ssh ip.address.of.machine -p -l username -v using the wrong username it goes through verifying the server's fingerprint then bombs, as expected, and an invalid login attempt is written to /var/log/auth.log. If I try with the correct username it goes through the process, the client offers the key then says which auth methods can continue before trying some more and failing. In this case, nothing gets written to /var/log/auth.log. My existing id_rsa for my own account still works.

I'm sure I've done something silly. I think I regenerated all or most of the keys after the dodgy key panic last year. I would be really grateful for any pointers that might get me closer to the solution.

Thanks,
Paul.

Sent from my BlackBerry® wireless device