DaemonForums, OpenBSD General
#1
11th November 2011
amrogers3
Using public keys for SSH authentication

I've got a question regarding authentication using a public key on OpenBSD 4.9. sshd is on the BSD box and I am using Mac OS X 5.4 to access the sshd server.

So I created a 2048-bit RSA key using ssh-keygen. I placed the .pub key on the OpenBSD sshd server by using
Code:
scp ~/.ssh/id_rsa.pub root@192.168.3.2:
I know, I know using root is terrible.

I ran chmod 600 on id_rsa.pub and moved the .pub file on the BSD box (I now realize I should have run chmod 600 after moving the file)
Code:
mv /id_rsa.pub /etc/.ssh/authorized_keys
I then modified /etc/sshd_config on the BSD box by removing the "#" and changing "yes" to "no":
Code:
#PasswordAuthentication yes (removed this line)
PasswordAuthentication no (added this line)
Already enabled, no changes made for publickey:
Code:
#publickeyauthentication yes
The sshd_config file says to leave "#" on each line unless you change the default value. The only value I changed was PasswordAuthentication from yes to no.

I was able to log in using a password before, but now I can't seem to log in. I did a good amount of research to get this far but now I am stuck. Any ideas what may be preventing me from logging in?

Error is:
Code:
user$ssh root@192.168.3.2
Permission denied (publickey,keyboard-interactive).

Last edited by amrogers3; 11th November 2011 at 05:02 PM. Reason: corrected ssh-keygen
#2
11th November 2011
jggimi

Quote:
Originally Posted by amrogers3
So I created a 2048 bit RSA key using key_gen.
I don't know "key_gen" -- but whatever it is, it may require you to use it with an option to create keys in OpenSSH format. There are other SSH servers, and OpenSSH may not be the default. Check by comparing the contents of a .pub file generated by "key_gen" with one you create using ssh-keygen(1). Different file format, or the same?

Another possibility: PermitRootLogin may be set to no. See sshd_config(5).

Of course you have already done a # ls -l /root/.ssh to confirm the file is in the right place with the right permissions?

Edited to add:

And on the client, you've also examined $HOME/.ssh to ensure both key files are in place, with the right permissions?

Last edited by jggimi; 11th November 2011 at 04:59 PM. Reason: check client too
#3
11th November 2011
amrogers3

My apologies that should have been ssh-keygen.

Root was set to yes by default. I have been using root to log in via password authentication.

I'll run chmod 600 on .ssh and on .ssh/authorized_keys when I get home and report back.
#4
11th November 2011
Carpetsmoker (Martin)

You can start the ssh client with the -v option to get more information; you can specify it up to three times (-vvv), and each one will give you more information.

This is often useful to see *why* permission was denied.

Last edited by Carpetsmoker; 13th November 2011 at 10:20 PM.
#5
13th November 2011
amrogers3

I ran chmod 600 on /etc/skel/.ssh.

Also, root login is enabled.

Alright, I think I found the issue. Using -v:
Code:
user1s-MacBook-Pro-15:~ user1$ ssh -v root@192.168.103.2
OpenSSH_5.2p1, OpenSSL 0.9.7l 28 Sep 2006
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to 192.168.103.2 [192.168.103.2] port 22.
debug1: Connection established.
debug1: identity file /Users/user1/.ssh/identity type -1
debug1: identity file /Users/user1/.ssh/id_rsa type 1
debug1: identity file /Users/user1/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.8
debug1: match: OpenSSH_5.8 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.103.2' is known and matches the RSA host key.
debug1: Found key in /Users/user1/.ssh/known_hosts:3
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/user1/.ssh/identity
debug1: Offering public key: /Users/user1/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /Users/user1/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.
My private key on my mac is in /Users/user1/.ssh/id_rsa not id_dsa.
  • How can I specify the file path "/Users/user1/.ssh/id_rsa"?
  • Do I need to create the key with the user I am trying to log in with?
  • Do I need to create keys on the SSHd server (openBSD) or the remote machine (my mac) or does that matter?

Last edited by ocicat; 13th November 2011 at 12:35 AM. Reason: Please use [code] & [/code] tags when posting command output.
#6
13th November 2011
jggimi

I think you need -vv, or perhaps you need to look at /var/log/authlog on the host for additional information. It appears that the RSA key was offered but authentication could not be made. See two lines above your highlighting.
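Reading a -v transcript the way jggimi describes, as an added example that is not part of the thread: the script below takes an ssh -v transcript on stdin (the embedded sample is constructed from the one posted above) and reports whether the client had no key to offer, offered one that the server refused, or got a key accepted. The "Server accepts key" string is OpenSSH's own debug message for a match against authorized_keys; everything else is assumed POSIX sh plus awk and grep.

```shell
# Constructed sample transcript; the line format is OpenSSH's own debug1 output
# (trimmed to the authentication phase of the one posted in this thread).
SAMPLE_TRANSCRIPT='debug1: identity file /Users/user1/.ssh/identity type -1
debug1: identity file /Users/user1/.ssh/id_rsa type 1
debug1: identity file /Users/user1/.ssh/id_dsa type -1
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/user1/.ssh/identity
debug1: Offering public key: /Users/user1/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /Users/user1/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: No more authentication methods to try.'

# Read an "ssh -v" transcript from stdin and print one verdict line:
#   ACCEPTED                     the server accepted an offered key
#   OFFERED_BUT_REJECTED:<file>  the key reached the server, which refused it
#   NO_USABLE_IDENTITY           the client found no key file to offer at all
diagnose_ssh_debug() {
    transcript=$(cat)
    # "type -1" means the client could not read that identity file; $4 is its path.
    present=$(printf '%s\n' "$transcript" |
        awk '/identity file/ && $NF != "-1" { print $4 }')
    if [ -z "$present" ]; then
        echo "NO_USABLE_IDENTITY"; return 1
    fi
    # OpenSSH logs this only when the offered key matched an authorized_keys entry.
    if printf '%s\n' "$transcript" | grep -q 'Server accepts key'; then
        echo "ACCEPTED"; return 0
    fi
    # Field 5 is the key path in both the old and the newer "Offering" line format.
    offered=$(printf '%s\n' "$transcript" |
        awk '/Offering public key/ { print $5; exit }')
    if [ -n "$offered" ]; then
        # The key was sent and refused: it is not in the target account's
        # ~/.ssh/authorized_keys, or that file or directory has bad permissions.
        echo "OFFERED_BUT_REJECTED:$offered"; return 2
    fi
    echo "NO_USABLE_IDENTITY"; return 1
}

# Stand-alone run over the constructed sample (the exit status is informational).
printf '%s\n' "$SAMPLE_TRANSCRIPT" | diagnose_ssh_debug || true
```

On the transcript posted above this yields OFFERED_BUT_REJECTED for id_rsa, which is exactly the "offered but could not authenticate" reading jggimi gives; the server-side counterpart is the corresponding entry in /var/log/authlog.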
#7
13th November 2011
amrogers3

Quote:
Originally Posted by jggimi
I think you need -vv, or perhaps you need to look at /var/log/authlog on the host for additional information. It appears that the RSA key was offered but authentication could not be made. See two lines above your highlighting.
I am not sure why it is offering the .pub key. That key was copied over to the server. Or I guess it's the server offering the public key? I can't differentiate which line belongs to which host.
  • Do I need to create the key with the user I am trying to log in with (i.e. create with root user)? (I created the keys with a regular user on my mac)
  • Do I need to create keys on the SSHd server (openBSD) or the remote machine (my mac) or does that matter?
#8
13th November 2011
J65nko

You create the keys on the workstation that will be logging in to the server. The keys are a pair: a private one, and a public one.

The public "workstation" key has to be copied/inserted to/into the "authorized_keys" file of the account/home directory on the server.

Edit: Also see Howto: Setting up public key password-less 'ssh' access

Last edited by J65nko; 13th November 2011 at 11:38 AM. Reason: Clarification
#9
13th November 2011
amrogers3

Check and check, did that. I created the keys on the workstation and copied the public key to the server under .ssh/authorized_keys.

Thanks for the link; I searched for a how-to and never ran across that article. I'll check it out and see if there is something I missed.
#10
13th November 2011
J65nko

If you want to ssh/login to the root account of the server, the public key has to be in the "root's" home directory. On most systems this will be "/root/.ssh".

You did :
Quote:
Code:
mv /id_rsa.pub /etc/.ssh/authorized_keys
That should have been:
Code:
mv /id_rsa.pub /root/.ssh/authorized_keys

Of course, this will wipe out an already existing authorized_keys. So this is not so smart if there already is such a file.
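The same fix as a script, added here as an example and not J65nko's own code: it puts the key under the target account's own home (for root on OpenBSD, /root/.ssh), appends to authorized_keys instead of moving a file over it, refuses a file that is not a single public-key line, and sets the permissions sshd's StrictModes checks. The home directory and key file are parameters, and the key types beyond ssh-rsa/ssh-dss are an assumed superset of what the thread uses.

```shell
# Sanity-check a .pub file: exactly one line, a known key type, a base64 blob.
valid_pubkey() {
    awk 'NR > 1 { bad = 1 }
         NR == 1 && $2 ~ /^[A-Za-z0-9+\/=]+$/ &&
         ($1 == "ssh-rsa" || $1 == "ssh-dss" || $1 == "ssh-ed25519" ||
          $1 ~ /^ecdsa-sha2-/) { ok = 1 }
         END { if (bad || !ok) exit 1 }' "$1"
}

# install_authorized_key HOME_DIR PUBKEY_FILE
#   Appends the key to HOME_DIR/.ssh/authorized_keys (for root on OpenBSD that
#   is /root/.ssh/authorized_keys) unless it is already there. Returns 0 on
#   success, 1 for a bad key file, 2 when sshd's StrictModes would reject the
#   home directory anyway (group- or world-writable), 3 on a filesystem error.
install_authorized_key() {
    home="$1"; pub="$2"
    if ! valid_pubkey "$pub"; then
        echo "refusing: $pub is not a single OpenSSH public key line" >&2; return 1
    fi
    # Columns 6 and 9 of "ls -ld" output are the group and other write bits.
    if [ ! -d "$home" ] || [ "$(ls -ld "$home" | cut -c6,9)" != "--" ]; then
        echo "refusing: $home missing or writable by group/others" >&2; return 2
    fi
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 3
    ak="$home/.ssh/authorized_keys"
    touch "$ak" && chmod 600 "$ak" || return 3
    # Match on the key material only; the trailing comment may differ.
    keyblob=$(awk '{ print $2 }' "$pub")
    if grep -qF -- "$keyblob" "$ak"; then
        echo "already present in $ak" >&2
    else
        cat "$pub" >> "$ak"   # append; never "mv" a key over this file
    fi
    return 0
}

# Number of key lines in an authorized_keys file (lines prefixed with options
# such as command="..." are not counted here, for brevity).
count_keys() { grep -c -E '^(ssh-|ecdsa-)' "$1"; }

# Example use on the server in this thread (key file path is illustrative):
#   install_authorized_key /root /root/id_rsa.pub
```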

Last edited by J65nko; 13th November 2011 at 11:49 AM.
#11
13th November 2011
amrogers3

Quote:
Originally Posted by J65nko
If you want to ssh/login to the root account of the server, the public key has to be in the "root's" home directory. On most systems this will be "/root/.ssh".

You did :
That should have been:
Code:
mv /id_rsa.pub /root/.ssh/authorized_keys

Of course, this will wipe out an already existing authorized_keysSo this is not so smart if there already is such a file.
Spot on, that worked! Thank you J65nko! So the key has to be in the home folder of the user you are trying to connect with. Got it.

Okay so now I have to enter a password for the private key so I can connect. Next step is I would like to be able to connect with no password.

I am not noticing the same behavior as your example:
Code:
The authenticity of host '192.168.222.44 (192.168.222.44)' can't be established.
RSA key fingerprint is 1a:1f:ab:96:c7:ad:1a:3f:9c:e8:2d:73:0f:28:98:07.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.222.44' (RSA) to the list of known hosts.
j65nko@192.168.222.44's password: .......
I type
Code:
$ssh root@192.168.1.2
and I am asked for a password and then logged onto server, no further text is displayed.
#12
13th November 2011
J65nko

You will not be asked for a passphrase if you don't specify one during the ssh-keygen dialogue.

Please read Generate public and private RSA key pair with 'ssh-keygen' for how to generate a key without being prompted for this passphrase.

Last edited by J65nko; 13th November 2011 at 11:41 PM.
#13
14th November 2011
amrogers3

Quote:
Originally Posted by J65nko
You will not be asked for a passphrase if you don't specify one during the ssh-keygen dialogue.

Please read Generate public and private RSA key pair with 'ssh-keygen' how to generate a key without being prompted for this passphrase.
Ahhhh, I thought it was an sshd_config change. You are most helpful. I have been messing with SSH for days trying to get it to work.

Again, thank you very much!