DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 4th July 2008
milo974 milo974 is offline
Fdisk Soldier
 
Join Date: Jul 2008
Posts: 58
Red face secure ssh with public key

Hello,
i ve installed openbsd 4.3 on my laptop. (ip : 192.168.0.80)
i ve configure sshd_config :
...
Protocol 2
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
ChallengeResponseAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
...

i ve created a user : wesley with password
Open session with wesley and hit :
cd $HOME
ssh-keygen -t rsa -b 2048
cd .ssh
cat id_rsa >> authorized_keys
i ve copied the id_rsa on my usb key
logout

Open session with root to restart sshd

On an other computer (xp with putty)
i want to have ssh access on : 192.168.0.80
I have the following error :
Unable to use key file "f:\id_rsa.pub" (OpenSSH SSH2 Private key)

can you help me please.
thank's

Last edited by milo974; 4th July 2008 at 04:12 PM. Reason: error in hitting
Reply With Quote
  #2   (View Single Post)  
Old 4th July 2008
robbak's Avatar
robbak robbak is offline
Real Name: Robert Backhaus
VPN Cryptographer
 
Join Date: May 2008
Location: North Queensland, Australia
Posts: 366
Default

You need to provide the private key to putty, and the public key to OpenSSH.

So (if I have this right)

cat id_rsa.pub >> authorized_keys

and then specify the id_rsa file for putty

That said, I think that putty uses it's own format for ssh keys. I set this up using puttyen, available wherever good puttys are downloaded.. It produces the files as putty wants them, and provides the authorized_keys text for easy pasting.
__________________
The only dumb question is a question not asked.
The only dumb answer is an answer not given.
Reply With Quote
  #3   (View Single Post)  
Old 4th July 2008
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

General guideline for using public keys for authentication:
----

These are actually "key pairs" -- there are two halves which must be combined. Think of a lock that has two keyholes, where two different keys must be inserted and turned in order to open the lock.

There are two types of keys that make up a "key pair" -- a public key, and a private key. The public key is perfectly safe to send in-the-clear; via e-mail, posted on a web page, whatever. The private key should be kept private.

In actual practice with SSH between two people who wish to be client and server via SSH, and who are using public communication -- perhaps e-mail or instant messaging or text messages by cell phone, or shipping a diskette / CD / memory stick -- the person who will operate the client generates a key pair and sends the public "half" to the server administrator. No private information needs ever be sent via public methods at any time.

(If there is a private method for transferring private keys, then the key pair may be generated at the server or on an unrelated system.)

During authentication, the private key is used to generate an encrypted signature which can only be confirmed by decrypting with the public key. It proves that the sending station used the private key.

OpenSSH servers generate their own key pairs (on OpenBSD, in /etc/ssh) that are used to create a "fingerprint" which is used to confirm the server to clients. This fingerprint is stored in ~/.ssh/known_hosts for OpenSSH clients.
Reply With Quote
  #4   (View Single Post)  
Old 4th July 2008
milo974 milo974 is offline
Fdisk Soldier
 
Join Date: Jul 2008
Posts: 58
Default

thank's , i need puttygen, it works
Reply With Quote
  #5   (View Single Post)  
Old 5th July 2008
phoenix's Avatar
phoenix phoenix is offline
Risen from the ashes
 
Join Date: May 2008
Posts: 696
Default

For the archives: PuTTY doesn't use standard SSH keys. It uses it's own format. You have to convert (import SSH key into puttygen, save key to .ppk file) the OpenSSH keys in to PuTTY ppk files first. Just the private key. After that, you can connect via PuTTY using keys.
__________________
Freddie

Help for FreeBSD: Handbook, FAQ, man pages, mailing lists.
Reply With Quote
  #6   (View Single Post)  
Old 7th July 2008
milo974 milo974 is offline
Fdisk Soldier
 
Join Date: Jul 2008
Posts: 58
Default

How can i remove prompte login and my passphrase ?
I ve tried to use ssh-add and ssh-agent (i ve read man page) but i don't understand how to use it...
thank's

Last edited by milo974; 7th July 2008 at 06:32 AM. Reason: more precision
Reply With Quote
  #7   (View Single Post)  
Old 7th July 2008
robbak's Avatar
robbak robbak is offline
Real Name: Robert Backhaus
VPN Cryptographer
 
Join Date: May 2008
Location: North Queensland, Australia
Posts: 366
Default

milo, we will need a little more information on what you have tried. ssh-agent is used to automatically provide the password to password-protected keys, and is not required unless you password-protect your ssh key.

Please tell us exactly what you want to achieve, and how you have attempted to achieve it.
__________________
The only dumb question is a question not asked.
The only dumb answer is an answer not given.
Reply With Quote
  #8   (View Single Post)  
Old 7th July 2008
milo974 milo974 is offline
Fdisk Soldier
 
Join Date: Jul 2008
Posts: 58
Default

when i'm connect by putty to my firewall openbsd, i ve :
login as:
Welcome to the most secure platform.
Authenticating with public key "imported-openssh-key"
Passphrase for key "imported-openssh-key":

I want to remove login and passphrase if it is possible...
If someone can help me.
thank's
Reply With Quote
  #9   (View Single Post)  
Old 7th July 2008
phoenix's Avatar
phoenix phoenix is offline
Risen from the ashes
 
Join Date: May 2008
Posts: 696
Default

In PuTTY, under the SSH -> Auth section, you can set the username to login as.

You *really*, really don't want to remove the passphrase from your key. If you do, and someone copies it, they will be able to login to your system without any passwords needed.
__________________
Freddie

Help for FreeBSD: Handbook, FAQ, man pages, mailing lists.
Reply With Quote
Old 7th July 2008
Carpetsmoker's Avatar
Carpetsmoker Carpetsmoker is offline
Real Name: Martin
Tcpdump Spy
 
Join Date: Apr 2008
Location: Netherlands
Posts: 2,243
Default

You can use putty agent to remember the passphrase ... You would only need to use it once ...
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
Reply With Quote
Old 8th July 2008
revzalot's Avatar
revzalot revzalot is offline
Shell Scout
 
Join Date: May 2008
Posts: 123
Default

I don't like using agent because if someone hacks into your client account, the hacker can login into your firewall automatically. Passphrase adds that extra layer of security. Yes I'm paranoid when it comes to security.
Reply With Quote
Old 9th July 2008
phoenix's Avatar
phoenix phoenix is offline
Risen from the ashes
 
Join Date: May 2008
Posts: 696
Default

Quote:
Originally Posted by revzalot View Post
I don't like using agent because if someone hacks into your client account, the hacker can login into your firewall automatically. Passphrase adds that extra layer of security. Yes I'm paranoid when it comes to security.
Only if he hacks in while you are logged in, and have the agent running. If the agent isn't running, then he would still have to crack the passphrases on your keys.
__________________
Freddie

Help for FreeBSD: Handbook, FAQ, man pages, mailing lists.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
IPSec Tunnel - no public key found mikesg OpenBSD Security 4 7th October 2009 05:49 AM
Howto: Setting up public key password-less 'ssh' access J65nko Guides 4 31st August 2008 04:49 PM
Apache on two servers but one public IP marco64 General software and network 2 4th June 2008 07:29 PM
OS to run in a public computer? Sunnz Off-Topic 31 23rd May 2008 05:47 PM


All times are GMT. The time now is 04:42 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick