forum.excito.org

How To Fix “Server Refused Our Key” Error That Caused By Putty Generated RSA Public Key?
Copyright © Walker 22 Mar 2009 16:16
The SSH-2 protocol supports few user authentication types, one of which is public-key cryptography.

Other than security benefit, using public-key cryptography in SSH protocol is relatively easier to implement password-less or non-interactive authentication.

For example, a scheduled shell script can use scp (secure copy) to automate file-transfer between hosts seamlessly in background, without user interaction during authentication stage.

With OpenSSH, default SSH client/server software bundled with most Linux distributions, the ssh-keygen program is used to generate a pair of such cryptographic keys.

As for Putty, popular SSH client suite for Windows, there is this Puttygen program to provide similar functions of ssh-keygen.

However, there is incompatibility issue between RSA type of public key generated by ssh-keygen and Puttygen.

Having said that, you can’t install OpenSSH-generated private key in Putty program. Otherwise, the public-key authentication failed with message that says “Unable to use key file “E:\id_rsa” (OpenSSH SSH-2 private key)”.

Similarly, it’s not possible to install a Puttygen-generated public-key directly into OpenSSH authorized_keys file. If you do so, Putty fails with “Server refused our key” error message during authentication.

So, how to install a Putty-generated RSA type of Public-key in OpenSSH authorized_keys file?


As you’ve seen, the trick is to modified a Puttygen-generated public-key to the format of OpenSSH-generated public-key:

1) Edit Putty-generated public-key file with Vi editor,

2) Delete the first two and the last line,

3) Join the remaining lines into one single line, by using the Shift+J command shortcut. Remember to trim space between two line joined by CTRL+J command.

4) Insert ssh-rsa keyword (with one trailing space) in front of the single line.

5) [ OPTIONAL ] Append Login_ID@Host_name keyword (with a initial space) at the end of the single line (replace Login_ID and Host_name with your SSH login ID and host name accordingly).

6) Append the modified, tweaked Putty-generated public-key (RSA type) to OpenSSH authorized_keys file.

Now, Putty is able to login OpenSSH server with its own set of public-key and private-key pair:

nano
#right click from your mouse to paste content of clipboard 
#save with ^O file name to write id_rsa.pub
mkdir -p ~/.ssh
chmod 700 ~/.ssh
cat id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
rm id_rsa.pub
ls -la

chmod 600 ~/.ssh/authorized_keys

chmod 644 ~/.ssh/authorized_keys

chmod 640 ~/.ssh/authorized_keys

An X.509 certificate contains a private and a public key. As such it is suitable for password-less login via SSH. However, as always with certificates and keys and all that powerful stuff the handling of it all is very clumsy. Kingsley just explained how to setup SSH with X.509 certificates. I will try to add the missing pieces here.

If you do not have a X.509 certificate yet create one with an embedded WebID via the OpenLink YouID service. Make sure the details actually get saved in the last step, for example by posting an identity claim to your Twitter or LinkedIn accounts. This will make the YouID service persist your profile which in turn will result in your new WebID being dereferencable. Kingsley has some nice Linked data details on that in his post.
Export the new certificate which should now be installed in your browser’s key store, into a P12 file. This can be done via the certificate viewer in the browser preferences.
Convert the P12 into PEM format:

# openssl pkcs12 -in MyCert.p12 -out MyCert.pem -nodes

Extract the private key from the P12:

# openssl pkcs12 -in MyCert.p12 -out MySSHKeys.pem -nodes -nocerts

Finally extract the public key from the certificate PEM file and append it to the private key:

# openssl x509 -in MyCert.pem -pubkey -noout >> MySSHKeys.pem

MyCert.pem can now be removed. It is not required anymore.
You can use ssh-keygen to create the line to put into your remote ~/.ssh/authorized_keysfile:

# ssh-keygen -i -m PKCS8 -f MySSHKeys.pem