[Techtalk] SSH key authentication

Raven, corporate courtesan raven at oneeyedcrow.net
Mon Apr 8 16:45:25 EST 2002


Heya --

Quoth Caitlyn Martin (Sat, Apr 06, 2002 at 02:15:22PM -0500):
> Your logs also seem to indicate that SSH keys are set up, and that there
> may be some sort of authentication failure.  

	This is actually pretty normal.  Many versions of ssh ship with
support for public-key authentication built in.  If you look at
/etc/sshd_config, you should see things like 

RSAAuthentication yes
DSAAuthentication yes

in there.  If you don't want your ssh to support public-key auth, turn
those off by changing them to

RSAAuthentication no
DSAAuthentication no

But they're not doing any harm.  If the public-key auth fails (as it
will when there aren't any keys installed in the appropriate files) it
will fall back to password authentication, and that seems to be
happening correctly.

	If you feel like making the move to public key auth, it's really
easy.  ssh-keygen (assuming OpenSSH) will make you a set of keys.
ssh-keygen -t rsa or ssh-keygen -t dsa will make ssh2 keys for the
specified algorithm.  Just put the identity.pub (for an ssh1 key),
id_dsa.pub (for an ssh2 dsa key), or id_rsa.pub (for an ssh2 rsa key)
key into the .ssh/authorized_keys file on the remote machine.  Make sure
there are no line breaks within the line containing your key --
otherwise it won't work.  Keep your existing connection, and use a
different window to try to connect to your server.  You should be
prompted for the passphrase for your key, rather than the password for
your remote account.  And then you're logged in.  (It's good to keep one
window open just in case something is wrong, so you're not locked out of
the remote account.)

	If you do decide to use key authentication, make sure that the
files .ssh/id_dsa, .ssh/id_rsa, and/or .ssh/identity are protected on
your local server.  These are your private keys, and you don't want to
give them out or let anyone other than your user have read permission.
600 is a good permission setting for them.  The matching files with .pub
appended are the corresponding public keys, and these can be sent to the
remote machines.

Cheers,
Raven

Ben says "WAR IS PEACE FREEDOM IS SLAVERY BACKSPACE IS DELETE"
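The two checks the message recommends (private keys readable only by their owner, and every key in authorized_keys on a single unbroken line) as a small audit script. This is an added example, not part of Raven's post; the file names are the OpenSSH ones named above, and the sample directory it builds, including the key text inside it, is a constructed placeholder rather than real key material.

```shell
#!/bin/sh
# Added example: audit an OpenSSH key setup the way the post describes.
# Assumes OpenSSH file names: ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/identity
# (private keys) and ~/.ssh/authorized_keys on the remote side.

# check_private_key_perms FILE
# Succeeds only if FILE exists and is mode 0600 (owner read/write, nobody else).
check_private_key_perms() {
    f="$1"
    [ -f "$f" ] || return 1
    # GNU stat uses -c, BSD stat uses -f; try both.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
    [ "$mode" = "600" ]
}

# fix_private_key_perms FILE
# Applies the 600 mode the post recommends for private keys.
fix_private_key_perms() {
    chmod 600 "$1"
}

# audit_authorized_keys FILE
# Prints "valid=N bad=M" on stdout, a diagnostic per bad line on stderr,
# and fails if any line is not a complete single-line public key.
# Accepts ssh2 lines ("ssh-rsa <base64> [comment]", "ssh-dss ...") and
# ssh1 lines ("<bits> <exponent> <modulus> [comment]"). Lines with a leading
# options field (from="...", command="...") are not handled here.
# Note: the first half of a key wrapped across two lines still looks like a
# key; it is the continuation line that gets flagged.
audit_authorized_keys() {
    f="$1"
    [ -f "$f" ] || return 1
    awk '
        /^[[:space:]]*$/ || /^#/ { next }   # blank lines and comments are fine
        $1 ~ /^(ssh-rsa|ssh-dss)$/ && $2 ~ "^[A-Za-z0-9+/=]+$" { good++; next }
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ { good++; next }
        {
            printf "line %d: not a public key line; if it is the tail of a wrapped key, rejoin it with the line above\n", NR > "/dev/stderr"
            bad++
        }
        END { printf "valid=%d bad=%d\n", good, bad; exit (bad > 0) }
    ' "$f"
}

# make_sample_dir
# Builds a constructed .ssh directory in a temp dir and prints its path.
# The key text is a made-up placeholder, not a real key.
make_sample_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/.ssh"
    # Private key left world-readable: the problem case the post warns about.
    printf 'PLACEHOLDER PRIVATE KEY (constructed, not real)\n' > "$d/.ssh/id_rsa"
    chmod 644 "$d/.ssh/id_rsa"
    # One good ssh2 line, one good ssh1-style line, one key wrapped over two lines.
    cat > "$d/.ssh/authorized_keys" <<'EOF'
# constructed sample, not real keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAexampleEXAMPLEexampleEXAMPLE0123456789== user@laptop
1024 35 1234567890123456789012345678901234567890 user@oldbox
ssh-dss AAAAB3NzaC1kc3MAAACBexampleEXAMPLEexample
EXAMPLEexampleEXAMPLEexample0123456789== user@laptop
EOF
    printf '%s\n' "$d"
}
```

Source the file and run `audit_authorized_keys ~/.ssh/authorized_keys` on the remote side and `check_private_key_perms ~/.ssh/id_rsa` locally; the diagnostic names the line to rejoin. Where OpenSSH is installed, `ssh-keygen -l -f ~/.ssh/authorized_keys` is the definitive check, since it only prints a fingerprint for lines it can actually parse.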


