Koozali.org: home of the SME Server

confused about ssh options

isaac van den berg

confused about ssh options
« on: November 18, 2002, 05:17:18 PM »
I'm a newbie on security and am confused about the two secure shell (ssh) access options:
1: Allow administrative command line access over ssh
2: Allow ssh access using standard passwords

I've tried to enable option 1 but when I try to log in as root with putty, the access is denied (password rejected). I have to enable option 2 to do this. Option 2 sounds more insecure however.

Should I do something extra, or is option 2 common practice to log in as root remotely?

tia isaac

Rich Lafferty

Re: confused about ssh options
« Reply #1 on: November 18, 2002, 05:52:07 PM »
Well, if you want to login as root remotely using a password, you have
to enable password-based ssh access (option 2). If you want to allow
remote ssh access but force users to use SSH keys instead of passwords,
keep option 2 disabled and generate yourself a key.

Key generation is explained nicely here:

http://www.arches.uga.edu/~pkeck/ssh/

although I'd recommend copying the public key to the remote system and
*appending* it to authorized_keys2, rather than overwriting the file with
scp, if you already have keys in it. :-)

Cheers,
--Rich

robert

Re: confused about ssh options
« Reply #2 on: November 18, 2002, 11:56:39 PM »
I believe all keys go in authorized_keys these days, and authorized_keys2 is deprecated. Real nice that they keep changing this stuff.
Also have a look at the man page for ssh-keygen. The format of the public key as exported by many standard ssh clients is slightly different from what the ssh server on your SME server expects. You can use the -i option (used to be the -X option) for ssh-keygen to import these keys into your authorized_keys file.
There are some contributed howtos about ssh which I'm sure will explain these things in more detail.

Isaac

Re: confused about ssh options
« Reply #3 on: November 19, 2002, 05:36:33 PM »
thanx for the input

I tried to generate rsa keys both through putty and ssh-gen. I'm making a fundamental mistake though since every time I try to log in I get the message:
 
- Key is of wrong type (PuTTY SSH2 private key)
Or
- Key is of wrong type (PuTTY Open SSH private key)

I understand that I have to copy the private key to my local pc and move the public key into authorized_keys2 (or authorized_keys).

This is what I did:

on e-smith 5.12:
# ssh-keygen -b 1024 -t rsa
# mv rsa_key.pub authorized_keys2

on windooze:
c:\temp> pscp -unsafe root@smitje:/root/.ssh/rsa_key private.txt
I then imported this text file in puttygen and saved it as a putty key (type rsa 2) without making any changes. At login this results in: Key is of wrong type (PuTTY SSH2 private key).

I also tried to let puttygen generate all the keys. Then I selected the (public) key string in puttygen and pasted it in vi (on e-smith) and saved this file as authorized_keys2.

I also tried to copy authorized_keys2 to authorized_keys.
Same effect though.........

I'm at a loss

Isaac

robert

Re: confused about ssh options
« Reply #4 on: November 19, 2002, 06:28:36 PM »
You don't want to run ssh-keygen as root on your ssh-server. Doing so will regenerate your master ssh keys and that's not what you want. Master key generation is done automatically when you set up ssh on your server.
Running ssh-keygen as a regular user on your ssh server will generate keys that you can use to authenticate to other ssh servers when you run an ssh client on your SME server. That is also not what you want in this case.
You should generate a key pair on your client machine. Let's say the public key exported by your ssh client is called pubkey. Copy pubkey to your SME server. Then run:
ssh-keygen -i -f pubkey >> ~/.ssh/authorized_keys
Make sure authorized_keys has permissions set to 600 or it won't work.
Instruct your ssh client to use the private key for authentication.

But please don't connect to the ssh server as root. Give a regular user a bash shell and connect as that user. The following command (run as root) will give user isaac a bash shell:
chsh -s /bin/bash isaac

Cheers,
Robert

Isaac

Re: confused about ssh options
« Reply #5 on: November 20, 2002, 04:04:56 PM »
robert wrote:
> You don't want to run ssh-keygen as root on your ssh-server.
I already did this...

> You should generate a key pair on your client machine. Let's
> say the public key exported by your ssh client is called
> pubkey. Copy pubkey to your SME server. Then run:
> ssh-keygen -i -f pubkey >> ~/.ssh/authorized_keys
I did this (as root) to /root/.ssh

> Make sure authorized_keys has permissions set to 600 or it
> won't work.
Did this also

> Instruct your ssh client to use the private key for
> authentication.
I'm using putty, for this I made a conversion from oSSH to Putty format

> But please don't connect to the ssh server as root.
Now I'm really confused, this is what it was all about??????
I want to remotely administer this server with root access.

> regular user a bash shell and connect as that user. The
> following command (run as root) will give user isaac a bash
> shell:
> chsh -s /bin/bash isaac

I su-ed to isaac and created keys in the e-smith home dir.
chmod 600 everything and
then scp-d the id_rsa to windooz.

If I start putty with this file I get:
Trying public key authentication.
Key is of wrong type (OpenSSH SSH2 private key)

When I convert id_rsa to Putty I get:
Trying public key authentication.
Key is of wrong type (PuTTY SSH2 private key)

I've read quite some tips and howto's and I cannot think of anything I'm doing wrong here. I'm using
- e-smith 5.12 (ssh_1.99-OpenSSH_3.1p1)
- puTTY 0.53b

Thanx for any input....

Isaac

robert

Re: confused about ssh options
« Reply #6 on: November 20, 2002, 05:36:06 PM »
Isaac wrote:
>
> robert wrote:
> > You don't want to run ssh-keygen as root on your ssh-server.
> I already did this...
>
Doesn't really matter, just don't do it again.

> > You should generate a key pair on your client machine. Let's
> > say the public key exported by your ssh client is called
> > pubkey. Copy pubkey to your SME server. Then run:
> > ssh-keygen -i -f pubkey >> ~/.ssh/authorized_keys
> I did this (as root) to /root/.ssh
>
> > Make sure authorized_keys has permissions set to 600 or it
> > won't work.
> Did this also
>
> > Instruct your ssh client to use the private key for
> > authentication.
> I'm using putty, for this I made a conversion from oSSH to
> Putty format
>
> > But please don't connect to the ssh server as root.
> Now I'm really confused, this is what it was all about??????
> I want to remotely administer this server with root access.
>
You can connect through ssh as regular user isaac, then su to root.
 
> > regular user a bash shell and connect as that user. The
> > following command (run as root) will give user isaac a bash
> > shell:
> > chsh -s /bin/bash isaac
>
> I su-ed to isaac and created keys in the e-smith home dir.
> chmod 600 everything and
> then scp-d the id_rsa to windooz.
>
Don't chmod 600 everything. If you chmod 600 the .ssh directory, the files in it will be unreadable. Just chmod 600 ~/.ssh/authorized_keys.
Don't copy id_rsa to windows. You copied your putty public key to SME. Now you should use the putty private key on your windows machine.


> If I start putty with this file I get:
> Trying public key authentication.
> Key is of wrong type (OpenSSH SSH2 private key)
>
> When I convert id_rsa to Putty I get:
> Trying public key authentication.
> Key is of wrong type (PuTTY SSH2 private key)
>
> I've read quite some tips and howto's and I cannot think of
> anything I'm doing wrong here. I'm using
> - e-smith 5.12 (ssh_1.99-OpenSSH_3.1p1)
> - puTTY 0.53b
>
> Thanx for any input....
>
> Isaac

So, to recap:

1.) Let putty generate a public/private keypair. Let's say the public key it generates is called pubkey and the private key is privkey. I don't use putty that often, so I don't know the real names.
2.) Give isaac a bash shell on your SME server.
3.) Copy the pubkey that putty generated to your SME server. Let's say you copy it to /home/e-smith/files/users/isaac/home/pubkey
4.) Log in on SME as isaac.
5.) Make sure you have a directory called .ssh. If not, mkdir one.
6.) ssh-keygen -i -f home/pubkey >> .ssh/authorized_keys
7.) chmod 600 .ssh/authorized_keys
8.) Instruct putty to use privkey (the one putty generated) for authentication.
9.) It should work now.
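
Added example (not part of robert's post or of SME Server itself): steps 5 to 7 of the recap as shell functions, plus a check for the failure causes that come up in this thread (key file in the wrong directory, wrong modes, an unconverted multi-line key). The function names and the sample key are constructed for illustration, and the awk converter is a stand-in for `ssh-keygen -i` that only recognises ssh-rsa and ssh-dss keys.

```sh
# Constructed sample of the multi-line SSH2 (RFC 4716) export; not a usable key.
sample_pubkey() {
cat <<'EOF'
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "constructed-sample-key"
AAAAB3NzaC1yc2EAAAABJQAAAIEAconstructedSAMPLEblobNOTaREALkey0000
1111222233334444
---- END SSH2 PUBLIC KEY ----
EOF
}

# Turn an SSH2-format public key file into one authorized_keys line.
# Stand-in for `ssh-keygen -i -f FILE`; the key type is read from the blob prefix.
ssh2_to_openssh() {
    awk '
        { sub(/\r$/, "") }                          # tolerate Windows line ends
        /^---- BEGIN SSH2 PUBLIC KEY ----/ { inkey = 1; next }
        /^---- END SSH2 PUBLIC KEY ----/   { inkey = 0; next }
        !inkey { next }
        cont { cont = /\\$/; next }                 # wrapped header line
        /^[A-Za-z0-9-]+: / { cont = /\\$/; next }   # header such as Comment:
        { gsub(/[ \t]/, ""); blob = blob $0 }
        END {
            if (blob ~ /^AAAAB3NzaC1yc2E/) type = "ssh-rsa"
            else if (blob ~ /^AAAAB3NzaC1kc3M/) type = "ssh-dss"
            else exit 1
            print type " " blob
        }' "$1"
}

# Steps 5-7 of the recap: $1 = exported public key, $2 = home directory of the login user.
install_key() {
    line=$(ssh2_to_openssh "$1") || { echo "not an SSH2 public key: $1" >&2; return 1; }
    dir="$2/.ssh"; file="$dir/authorized_keys"
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$file" && chmod 600 "$file" || return 1
    grep -qxF -e "$line" "$file" || printf '%s\n' "$line" >> "$file"   # no duplicates
}

# Print likely causes of "Server refused our key"; returns non-zero if any is found.
audit_keys() {
    dir="$1/.ssh"; file="$dir/authorized_keys"; rc=0
    [ -f "$file" ] || { echo "missing $file (it must be in ~/.ssh, not ~/home/.ssh)"; return 1; }
    [ "$(ls -ld "$dir" | cut -c1-10)" = "drwx------" ] || { echo "$dir: want mode 700"; rc=1; }
    [ "$(ls -l "$file" | cut -c1-10)" = "-rw-------" ] || { echo "$file: want mode 600"; rc=1; }
    if grep -q '^---- BEGIN SSH2' "$file"; then echo "$file: unconverted SSH2 key"; rc=1; fi
    return $rc
}
```

Source the file as the user who will log in, then run install_key pubkey "$HOME" followed by audit_keys "$HOME".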

Isaac

Re: confused about ssh options
« Reply #7 on: November 20, 2002, 06:43:00 PM »
robert wrote:
> So, to recap:
>
> 1.) Let putty generate a public/private keypair. Let's say
> the public key it generates is called pubkey and the private
> key is privkey. I don't use putty that often, so I don't know
> the real names.
> 2.) Give isaac a bash shell on your SME server.
> 3.) Copy the pubkey that putty generated to your SME server.
> Let's say you copy it to
> /home/e-smith/files/users/isaac/home/pubkey
> 4.) Log in on SME as isaac.
> 5.) Make sure you have a directory called .ssh. If not, mkdir
> one.
> 6.) ssh-keygen -i -f home/pubkey >> .ssh/authorized_keys
> 7.) chmod 600 .ssh/authorized_keys
> 8.) Instruct putty to use privkey (the one putty generated)
> for authentication.
> 9.) It should work now.

Nope, although something changed; the error is now:

Server refused our key

Further 1:
> Let's say you copy it to
> /home/e-smith/files/users/isaac/home/pubkey
I just saw that ssh-keygen generates
    /home/e-smith/files/users/isaac/.ssh
as default

Further 2:
This is the last error in the ssh-log:

[20/Nov/2002 05:03:51 01297] [info]  Init: Configuring server secure.buronet.nl:443 for SSL protocol
[20/Nov/2002 05:03:51 01297] [warn]  Init: (secure.buronet.nl:443) RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[20/Nov/2002 05:03:51 01297] [warn]  Init: (secure.buronet.nl:443) RSA server certificate CommonName (CN) buronet.nl' does NOT match server name!?

Maybe I should reinstall e-smith (wanted to upgrade to 5.5 anyway).

Isaac

robert

Re: confused about ssh options
« Reply #8 on: November 20, 2002, 07:00:40 PM »
The SSL warning has nothing to do with your SSH problem.
Maybe you need to clean out your authorized_keys file. So instead of appending the putty key to authorized_keys, try overwriting it:
ssh-keygen -i -f home/pubkey > .ssh/authorized_keys
where home/pubkey is the path to the public key that putty generated and that you copied over to the server.
Also, are you sure you're using the correct passphrase? You need to use the passphrase you entered when you ran the putty keygen program on your windows machine, not any other passphrase you may have entered when you ran ssh-keygen on your SME server.

Isaac

Re: confused about ssh options
« Reply #9 on: November 20, 2002, 07:17:45 PM »
robert wrote:
> Maybe you need to clean out your authorized_keys file. So
> instead of appending the putty key to authorized_keys, try
> overwriting it:

> ssh-keygen -i -f home/pubkey > .ssh/authorized_keys
> where home/pubkey is the path to the public key that putty
I did not have the entire directory since ssh_keygen used another default path
i.e ~/.ssh (instead of ~/home/.ssh)

> Also, are you sure you're using the correct passphrase?
key gen does not ask the phrase, I thought it's only used in the private key?

further:
I never come to using the phrase since the key is refused before this, so I've never specified the phrase when starting an ssh session with putty.

I retried creating keys on e-smith in the paths you specified. Then after copying the private key to windows, putty asks the phrase. I've become quite an expert in this but alas it does not bring me any further. I think I'll reinstall the server

Sigh... Isaac

robert

Re: confused about ssh options
« Reply #10 on: November 20, 2002, 07:20:30 PM »
Isaac wrote:
>
> robert wrote:
> > Maybe you need to clean out your authorized_keys file. So
> > instead of appending the putty key to authorized_keys, try
> > overwriting it:
>
> > ssh-keygen -i -f home/pubkey > .ssh/authorized_keys
> > where home/pubkey is the path to the public key that putty
> I did not have the entire directory since ssh_keygen used
> another default path
> i.e ~/.ssh (instead of ~/home/.ssh)
>
> > Also, are you sure you're using the correct passphrase?
> key gen does not ask the phrase, I thought it's only used in
> the private key?
>
> further:
> I never come to using the phrase since the key is refused
> before this, so I've never specified the phrase when starting
> an ssh session with putty.
>
> I retried creating keys on e-smith in the paths you
> specified. Then after copying the private key to windows,
> putty asks the phrase. I've become quite an expert in this
> but alas it does not bring me any further. I think I'll
> reinstall the server
>
> Sigh... Isaac

robert

Re: confused about ssh options
« Reply #11 on: November 20, 2002, 07:28:01 PM »
Sorry, hit "post" by accident.

Isaac wrote:
>
> robert wrote:
> > Maybe you need to clean out your authorized_keys file. So
> > instead of appending the putty key to authorized_keys, try
> > overwriting it:
>
> > ssh-keygen -i -f home/pubkey > .ssh/authorized_keys
> > where home/pubkey is the path to the public key that putty
> I did not have the entire directory since ssh_keygen used
> another default path
> i.e ~/.ssh (instead of ~/home/.ssh)
>

I never said you should put authorized_keys in ~/home/.ssh
Indeed ssh will not find it if you put it there. You should put it in ~/.ssh/

 
> > Also, are you sure you're using the correct passphrase?
> key gen does not ask the phrase, I thought it's only used in
> the private key?
>
> further:
> I never come to using the phrase since the key is refused
> before this, so I've never specified the phrase when starting
> an ssh session with putty.
>
> I retried creating keys on e-smith in the paths you
> specified.

Again, this is not what I said. Create the keys on windows, then copy the public key from the windows machine to the sme server.

> Then after copying the private key to windows,
> putty asks the phrase. I've become quite an expert in this
> but alas it does not bring me any further. I think I'll
> reinstall the server
>
> Sigh... Isaac

No need to reinstall the server. The procedure I described should work. I know it works for me with PuTTY, SSH-Winclient, and MacSSH and e-smith 4 and SME 5 (all versions).

robert

Re: confused about ssh options
« Reply #12 on: November 20, 2002, 08:22:38 PM »
P.S. Don't get me wrong. I'm sure what you've been trying to do can be accomplished as well (i.e. generating the keys on the SME server and then distributing it to the PuTTY client), but I have no experience with that method and that's why I proposed a different method. If you insist on doing it your way, please make sure the type of key you generate with ssh-keygen corresponds to the type of ssh-connection (protocol 1 or 2) you're trying to initiate with PuTTY.

Isaac

Re: confused about ssh options
« Reply #13 on: November 21, 2002, 03:09:24 PM »
robert wrote:
> P.S. Don't get me wrong.

Robert, I'm very grateful for your input, and really tried to do everything you suggested (especially since I'm not familiar with ssh and linux at that). I'm getting the idea however that I'm running in circles since I'm doing the same thing over and over again....

Isaac

Isaac

Re: confused about ssh options GOT IT!
« Reply #14 on: November 21, 2002, 03:23:47 PM »
robert wrote:
> I never said you should put authorized_keys in ~/home/.ssh
> Indeed ssh will not find it if you put it there. You should
> put it in ~/.ssh/
correct

> No need to reinstall the server. The procedure I described
> should work. I know it works for me with PuTTY,
> SSH-Winclient, and MacSSH and e-smith 4 and SME 5 (all
> versions).

Did it anyway since I was desperate. But that did not help either, although the only "error" I since got was "key refused".

But I've got it working, more or less.
I chmod 700 .SSH directory and chmod 600 all files in it (root)
I made new keys with putty, and pasted the pub key string in authorized_keys (had to do some manual adaptation though). Then saved the private key in putty as SSH1 putty key!
Next I logged in as root. This works.

So it appears there is no SSH2 support in e-smith??

Isaac

It ap