ssh public key authentication

Posted: 24 Dec 2010, 17:57
by Pressurized
I'm trying to set up bubba2 so that I can log on to it from selected computer accounts without a password using public key authentication. I've created a key pair on the remote computer:

ssh-keygen -t rsa -b 1024
and sent it to bubba2:

ssh press@bubba2 "cat >> ~/.ssh/authorized_keys" < ~/.ssh/id_rsa.pub
After typing bubba2's password, the remote computer's public key is added to 'authorized_keys' on bubba2 but I still have to type bubba2's password when I ssh to it. This method works as it's supposed to on various Linux boxes including my bubba1! I've looked carefully at /etc/sshd_config and /etc/ssh_config on both bubbas and there don't seem to be any relevant differences.

I've also made sure that the path to authorized_keys on bubba2 is not group accessible - no difference.

If this helps, here's 'ssh -v bubba2' from an 'authorised' remote computer:

OpenSSH_5.3p1 Debian-3ubuntu4, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to bubba2 [192.168.0.2] port 22.
debug1: Connection established.
debug1: identity file /home/press/.ssh/identity type -1
debug1: identity file /home/press/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
debug1: identity file /home/press/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3p2 Debian-9etch3ex1
debug1: match: OpenSSH_4.3p2 Debian-9etch3ex1 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'bubba2' is known and matches the RSA host key.
debug1: Found key in /home/press/.ssh/known_hosts:5
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /home/press/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /home/press/.ssh/identity
debug1: Trying private key: /home/press/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Any help much appreciated!

Re: ssh public key authentication

Posted: 25 Dec 2010, 01:34
by Cheeseboy
Morning!

Do you get anything in /var/log/auth.log on the bubba2?

Re: ssh public key authentication

Posted: 25 Dec 2010, 03:08
by Pressurized
Morning and thanks for so quick a reply, especially today!

Yes, relevant lines from auth.log:

Dec 25 07:56:47 bubba2 sshd[4831]: Authentication refused: bad ownership or modes for directory /home/press
Dec 25 07:56:49 bubba2 sshd[4831]: Accepted keyboard-interactive/pam for press from 192.168.0.6 port 33412 ssh2
Dec 25 07:56:49 bubba2 sshd[4834]: (pam_unix) session opened for user press by (uid=0)
Dec 25 07:57:45 bubba2 sudo:   press : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/bin/cat auth.log
Which says there's still something wrong with my ownership and permissions - I'll look into it but see below if you can offer a further insight. Thanks also for telling me about auth.log!

/home
drwxrwx---  6 press press  4096 2010-12-23 00:10 press
/home/press
drwx------ 2 press press     4096 2010-12-24 22:51 .ssh
/home/press/.ssh
-rw------- 1 press press  223 2010-12-24 22:51 authorized_keys
-rw------- 1 press press  887 2010-12-12 22:47 id_rsa
-rw-r--r-- 1 press press  223 2010-12-12 22:47 id_rsa.pub
-rwxrwx--- 1 press press 1866 2010-12-12 22:45 known_hosts

Re: ssh public key authentication

Posted: 25 Dec 2010, 03:17
by Cheeseboy
Your home directory permissions do look different from mine, and so does known_hosts...
Perhaps the ssh daemon is unable to enter your home directory?

niklas@bubba2:~$ ls -ld /home/niklas
drwxr-xr-x 16 niklas users 4096 2010-12-03 21:33 /home/niklas
niklas@bubba2:~$ ls -ld /home/niklas/.ssh
drwx------ 2 niklas users 4096 2010-10-20 14:34 /home/niklas/.ssh
niklas@bubba2:~$ ls -l /home/niklas/.ssh
total 28
-rw-r--r-- 1 niklas users 1790 2010-10-20 14:34 authorized_keys
-rw-r--r-- 1 niklas users  224 2009-11-21 14:22 authorized_keys_bak
-rw-r--r-- 1 niklas users   16 2010-10-10 11:56 config
-rw------- 1 niklas users  887 2009-11-21 15:49 id_rsa
-rw-r--r-- 1 niklas users  222 2009-11-21 15:49 id_rsa.pub
-rw-r--r-- 1 niklas users 3810 2010-10-23 14:37 known_hosts
-rw-r--r-- 1 niklas users 1031 2009-08-27 10:00 known_hosts_bak
Edit:
/home is different too:

niklas@bubba2:~$ ls -ld /home
drwxr-xr-x 14 root root 4096 2010-11-05 20:27 /home

Re: ssh public key authentication

Posted: 25 Dec 2010, 03:43
by Ubi
try

chmod 750 /home/press
Your home dir should not be group-writable. I know you may disagree with this, but that's the security model that this version of Linux is built upon. If you want to share data with others, make a separate folder and maybe some symlinks.

The SSH daemon runs at either root or user privs, so it can always get into your home dir.

Let us know if this works.

Re: ssh public key authentication

Posted: 25 Dec 2010, 03:46
by Cheeseboy
And I notice the ownership is a bit weird too...

Re: ssh public key authentication

Posted: 25 Dec 2010, 03:47
by Ubi
You mean ownership of /home/press?
Why? Most Linux distros give users their own group. It shouldn't have any impact on sshd behaviour.

Re: ssh public key authentication

Posted: 25 Dec 2010, 04:08
by Cheeseboy
I mean ownership of /home

You might be right, I only have experience with the bubba releases and ubuntu, but it looks to me as if root has no access to /home

Re: ssh public key authentication

Posted: 25 Dec 2010, 04:35
by Cheeseboy
Well, I'm stumped...
I tried recreating all the permissions, created a new group, changed ownership, but I can't get it to fail as described.

Re: ssh public key authentication

Posted: 25 Dec 2010, 04:41
by Ubi
root has access to anything and everything, for he is root

Re: ssh public key authentication

Posted: 25 Dec 2010, 04:44
by Cheeseboy
Of course! Sorry.
I think I found it:

niklas@desktop:~$ ssh bubba2
Linux bubba2 2.6.32.13 #1 Tue May 25 12:01:56 CEST 2010 ppc

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Dec 25 10:41:22 2010 from desktop.localdomain
niklas@bubba2:~$ chmod 770 .
niklas@bubba2:~$ exit
logout
Connection to bubba2 closed.
niklas@desktop:~$ ssh bubba2
Password: 
EDIT:
Sorry, should have mentioned that the solution then is:
chmod 755 /home/press

Re: ssh public key authentication

Posted: 25 Dec 2010, 04:52
by Ubi
Why on earth give read access to the whole world and every process on your system to your private folder?! That sounds like a really bad idea. What's wrong with my proposed 750? At least make it 751 if you need to share subfolders (which again is a bad idea).

Re: ssh public key authentication

Posted: 25 Dec 2010, 04:59
by Cheeseboy
Hey, relax. I only restored it to the default...

EDIT:
And to be honest, I didn't see your post, I was too busy with my own attempts.
EDIT2:
I saw it, but what you wrote didn't register..

Re: ssh public key authentication

Posted: 25 Dec 2010, 05:35
by Pressurized
Thanks for all the replies so far. I'm confident that they'll help me get the problem sorted. When I get the chance to try them out (I'm a bit tied up with the five and one-year olds this morning, naturally), I'll report back.

Re: ssh public key authentication

Posted: 25 Dec 2010, 19:12
by Pressurized
The answer, as suggested by Ubi, was to change the group mode of my home directory to not writable. Even though the group had me as its only member, this was unacceptable.

This is a change I made to bubba2's set-up that wasn't wise and I'll be changing it back.

Thanks to both of you for pointing me in the right direction (and I now see that my original statement that the path was not group 'accessible' was wrong).
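The "bad ownership or modes for directory /home/press" line in auth.log comes from sshd's StrictModes check: with StrictModes on (the default), sshd refuses to use authorized_keys if that file, or any directory between it and the home directory, is writable by group or others, or is owned by someone other than the user or root. The checker below is an added example, not code from the thread or from the OpenSSH project; it reproduces that rule with a throwaway home/.ssh/authorized_keys tree (constructed sample data, placeholder key text) so you can see the 770 home directory fail and the 750 fix from Ubi's post pass. The walk stops at the home directory, which is how sshd behaves, so a world-writable parent such as /tmp does not trigger it.

```python
import os
import stat
import tempfile

# sshd's StrictModes test rejects a path that is group- or world-writable
# (mode & 022) or not owned by the user or root. This mirrors that rule; it is
# an added illustration, not sshd's own code.
BAD_WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH  # 0o022


def strict_modes_problems(home, uid=None, authorized_keys=None):
    """Return (path, reason) pairs sshd's StrictModes check would refuse.

    Walks from authorized_keys up to and including the home directory, the
    same span sshd inspects before it logs 'bad ownership or modes'.
    """
    uid = os.getuid() if uid is None else uid
    home = os.path.realpath(home)
    path = os.path.realpath(
        authorized_keys or os.path.join(home, ".ssh", "authorized_keys"))
    problems = []
    while True:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append((path, "missing"))
        else:
            mode = stat.S_IMODE(st.st_mode)
            if st.st_uid not in (uid, 0):
                problems.append(
                    (path, f"owned by uid {st.st_uid}, not {uid} or root"))
            if mode & BAD_WRITE_BITS:
                problems.append(
                    (path, f"mode {mode:04o} is group/world writable"))
        parent = os.path.dirname(path)
        if path == home or parent == path:
            break  # stop at the home directory, as sshd does
        path = parent
    return problems


def build_home(root, home_mode, key_mode=0o600):
    """Construct a throwaway home/.ssh/authorized_keys tree (sample data)."""
    home = os.path.join(root, "press")
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir)
    keyfile = os.path.join(ssh_dir, "authorized_keys")
    with open(keyfile, "w") as f:
        # Placeholder key text, not a real public key.
        f.write("ssh-rsa AAAA-constructed-placeholder-key press@desktop\n")
    os.chmod(keyfile, key_mode)
    os.chmod(ssh_dir, 0o700)
    os.chmod(home, home_mode)
    return home


def demo(home_mode=0o770, key_mode=0o600):
    """Reproduce the thread: a 770 home fails; chmod 750 (and a 600 key file) passes.

    Returns (problems_before, problems_after).
    """
    with tempfile.TemporaryDirectory() as root:
        home = build_home(root, home_mode, key_mode)
        before = strict_modes_problems(home)
        os.chmod(home, 0o750)  # the fix proposed in the thread
        os.chmod(os.path.join(home, ".ssh", "authorized_keys"), 0o600)
        after = strict_modes_problems(home)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    for path, why in before:
        print(f"refused: {path}: {why}")
    print("after chmod 750:", "ok" if not after else after)
```

Running it against a real account (`strict_modes_problems("/home/press")`) lists exactly the paths you would have to fix; an empty list means sshd will read authorized_keys. Note that only the path from authorized_keys up to the home directory matters to this check, so the 770 known_hosts file noticed earlier in the thread has no effect on sshd.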