Using public keys for SSH authentication

[amrogers3]

Got a question regarding authentication using public key on openBSD 4.9. SSHd is on BSD and I am using a MAC OSX 5.4 to access SSHd server.

So I created a 2048 bit RSA key using ssh-keygen. I placed the .pub key on the openBSD SSHD server by using

Code:

scp ~/.ssh/id_rsa.pub root@192.168.3.2:

I know, I know using root is terrible.

I ran chmod 600 on id_rsa.pub and moved .pub file on BSD box(I now realize I should have ran chmod 600 after moving file)

Code:

mv /id_rsa.pub /etc/.ssh/authorized_keys

I then modified the /etc/sshd_config on BSD box by removing the "#" and changing "yes" to "no"

Code:

#PasswordAuthentication yes (removed this line)
PasswordAuthentication no (added this line)

Already enabled, no changes made for publickey:

Code:

#publickeyauthentication yes

sshd_config files says to leave "#" on each line unless you change the default value. Only value I changed was PasswordAuthentication from yes to no.

Was able to log in using password before but now can't seem to log in. I did a good amount of research to get this far but now I am stuck. Any ideas what may be preventing me from logging in?

Error is:

Code:

user$ssh root@192.168.3.2
Permission denied (publickey,keyboard-interactive).

[jggimi]

Quote:

Originally Posted by amrogers3

So I created a 2048 bit RSA key using key_gen.

I don't know "key_gen" -- but whatever it is, it may require you to use it with an option in to create keys in OpenSSH format. There are other SSH servers, and OpenSSH may not be the default. Check by comparing the contents of a .pub file generated by "key_gen" with one you create using ssh-keygen(1). Different file format, or the same?

Another possibility: PermitRootLogin may be set to no. See sshd_config(5).

Of course you have already done a # ls -l /root/.ssh to confirm the file is in the right place with the right permissions?

Edited to add:

And on the client, you've also examined $HOME/.ssh to ensure both key files are in place, with the right permissions?

[amrogers3]

My apologies that should have been ssh-keygen.

Root was default set to yes. I have been using root to log in via password authentication.

I'll run chmod 600 on .ssh and on .ssh/authorized_keys when I get home and report back.

[Carpetsmoker]

You can start the ssh client with the -v option to get more information, you can specify it up to three times (-vvv), each will give you more information.

This is often useful to see *why* permission was denied.

[amrogers3]

I chmod 600 /etc/skel/.ssh

Also, root login is enabled.

Alright, I think I found issue. Using -v:

Code:

user1s-MacBook-Pro-15:~ user1$ ssh -v root@192.168.103.2
OpenSSH_5.2p1, OpenSSL 0.9.7l 28 Sep 2006
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to 192.168.103.2 [192.168.103.2] port 22.
debug1: Connection established.
debug1: identity file /Users/user1/.ssh/identity type -1
debug1: identity file /Users/user1/.ssh/id_rsa type 1
debug1: identity file /Users/user1/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.8
debug1: match: OpenSSH_5.8 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.103.2' is known and matches the RSA host key.
debug1: Found key in /Users/user1/.ssh/known_hosts:3
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/user1/.ssh/identity
debug1: Offering public key: /Users/user1/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /Users/user1/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.

My private key on my mac is in /Users/user1/.ssh/id_rsa not id_dsa.

• How can I specify the file path "/Users/user1/.ssh/id_rsa"?
• Do I need to create the key with the user I am trying to log in with?
• Do I need to create keys on the SSHd server (openBSD) or the remote machine (my mac) or does that matter?

[jggimi]

I think you need -vv, or perhaps you need to look at /var/log/authlog on the host for additional information. It appears that the RSA key was offered but authentication could not be made. See two lines above your highlighting.

[amrogers3]

Quote:

Originally Posted by jggimi

I think you need -vv, or perhaps you need to look at /var/log/authlog on the host for additional information. It appears that the RSA key was offered but authentication could not be made. See two lines above your highlighting.

I am not sure why it is offering the .pub key. That key was copied over to the server. Or I guess the it's the server offering the public key? I can't differentiate which line belongs to which host.

• Do I need to create the key with the user I am trying to log in with (i.e. create with root user)? (I created the keys with a regular user on my mac)
• Do I need to create keys on the SSHd server (openBSD) or the remote machine (my mac) or does that matter?

[J65nko]

You create the keys on the workstation that will be logging in to the server. The keys are a pair: a private one, and a public one.

The public "workstation" key has to be copied/inserted to/into the "authorized_keys" file of the account/home directory on the server.

Edit: Also see Howto: Setting up public key password-less 'ssh' access

[amrogers3]

check and check, did that. Created keys on workstation and copied public key to server under .ssh/authorized_keys

Thanks for link, I searched for a how-to and never ran across that article. I'll check it out and see if there is something I missed.

[J65nko]

If you want to ssh/login to the root account of the server, the public key has to be in the "root's" home directory. On most systems this will be "/root/.ssh".

You did :

Quote:

Code:

mv /id_rsa.pub /etc/.ssh/authorized_keys

That should have been:

Code:

mv /id_rsa.pub /root/.ssh/authorized_keys

Of course, this will wipe out an already existing authorized_keysSo this is not so smart if there already is such a file.

[amrogers3]

Quote:

Originally Posted by J65nko

If you want to ssh/login to the root account of the server, the public key has to be in the "root's" home directory. On most systems this will be "/root/.ssh".

You did :
That should have been:

Code:

mv /id_rsa.pub /root/.ssh/authorized_keys

Of course, this will wipe out an already existing authorized_keysSo this is not so smart if there already is such a file.

Spot on, that worked! Thank you J65nko! So the key has to be in the home folder of the user you are trying to connect with. Got it.

Okay so now I have to enter a password for the private key so I can connect. Next step is I would like to be able to connect with no password.

I am not noticing the same behavior as your example:

Code:

The authenticity of host '192.168.222.44 (192.168.222.44)' can't be established.
RSA key fingerprint is 1a:1f:ab:96:c7:ad:1a:3f:9c:e8:2d:73:0f:28:98:07.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.222.44' (RSA) to the list of known hosts.
j65nko@192.168.222.44's password: .......

I type

Code:

$ssh root@192.168.1.2

and I am asked for a password and then logged onto server, no further text is displayed.

[J65nko]

You will not be asked for a passphrase if you don't specify one during the ssh-keygen dialogue.

Please read Generate public and private RSA key pair with 'ssh-keygen' how to generate a key without being prompted for this passphrase.

[amrogers3]

Quote:

Originally Posted by J65nko

You will not be asked for a passphrase if you don't specify one during the ssh-keygen dialogue.

Please read Generate public and private RSA key pair with 'ssh-keygen' how to generate a key without being prompted for this passphrase.

Ahhhh, I thought it was a sshd_config change. You are most helpful. I have been messing with SSH for days trying to get it to work.

Again, thank you very much!