29 Apr
2006
29 Apr
'06
8:26 a.m.
Hi,
I'm trying to ssh passwordless from a local to a remote machine (both
debian).
On the local machine I've generated a key and copied it to the remote
machine:
local#ssh-keygen -t rsa -b 2048
local#scp id_rsa.pub remote.machine:/blabla
On the remote machine I have added the key to .ssh/authorized_keys:
remote#cat id_rsa.pub >> .ssh/authorized_keys
Now if I try to ssh the remote machine I'm still asked to enter the
passphrase ...
local# ssh remote.machine
Enter passphrase for key '/root/.ssh/id_rsa':
Have I missed something ?
Thanks in advance,
yours,
kochi
29 Apr
29 Apr
10:10 a.m.
kochi wrote:
Hi,
I'm trying to ssh passwordless from a local to a remote machine (both
debian).
On the local machine I've generated a key and copied it to the remote
machine:
local#ssh-keygen -t rsa -b 2048
local#scp id_rsa.pub remote.machine:/blabla
On the remote machine I have added the key to .ssh/authorized_keys:
remote#cat id_rsa.pub >> .ssh/authorized_keys
Now if I try to ssh the remote machine I'm still asked to enter the
passphrase ...
local# ssh remote.machine
Enter passphrase for key '/root/.ssh/id_rsa':
Have I missed something ?
Maybe the permissions. On some distributions (Fedora, don't know about
Debian), the umask is set such that by default any files created are
group writable. However, if the authorized keys file is group writable,
sshd disregards it for security reasons.
To fix this, chmod 600 .ssh/authorized_keys
Moreover, it is advisable to use DSA instead of RSA (DSA is a more
secure cipher than RSA, and some versions of sshd might actually
disallow RSA for that reason...)
ssh-keygen -t dsa
...
cat id_dsa.pub >>.ssh/authorized_keys2
chmod 600 .ssh/authorized_keys2
Thanks in advance,
yours,
kochi
Regards,
Alain
11:55 a.m.
Alain Knaff wrote:
Maybe the permissions. On some distributions (Fedora,
don't know about
Debian), the umask is set such that by default any files created are
group writable. However, if the authorized keys file is group writable,
sshd disregards it for security reasons.
To fix this, chmod 600 .ssh/authorized_keys
The permissions of the users's home directory on the destination machine
is also important. If I remember correctly if you set "chmod 700 $HOME",
it does not work anymore.
Greetings, Patrick
30 Apr
30 Apr
3:01 p.m.
Hi,
I finnaly found out what was worng ...
In fact I just had to add the identities with ssh-add ... ;)
I've also switched to DSA, ... thanks for the hint !
cu,
kochi
On 4/29/06, Alain Knaff <alain(a)knaff.lu> wrote:
kochi wrote:
Hi,
I'm trying to ssh passwordless from a local to a remote machine (both
debian).
On the local machine I've generated a key and copied it to the remote
machine:
local#ssh-keygen -t rsa -b 2048
local#scp id_rsa.pub remote.machine:/blabla
On the remote machine I have added the key to .ssh/authorized_keys:
remote#cat id_rsa.pub >> .ssh/authorized_keys
Now if I try to ssh the remote machine I'm still asked to enter the
passphrase ...
local# ssh remote.machine
Enter passphrase for key '/root/.ssh/id_rsa':
Have I missed something ?
Maybe the permissions. On some distributions (Fedora, don't know about
Debian), the umask is set such that by default any files created are
group writable. However, if the authorized keys file is group writable,
sshd disregards it for security reasons.
To fix this, chmod 600 .ssh/authorized_keys
Moreover, it is advisable to use DSA instead of RSA (DSA is a more
secure cipher than RSA, and some versions of sshd might actually
disallow RSA for that reason...)
ssh-keygen -t dsa
...
cat id_dsa.pub >>.ssh/authorized_keys2
chmod 600 .ssh/authorized_keys2
Thanks in advance,
yours,
kochi
Regards,
Alain
5 May
5 May
2:15 p.m.
When you generated the key (id_rsa), you've been prompted for a
passphrase, in order to avoid anybody discovering the file to gain
access as you would.
Now, you need to type in the passphrase to 'unlock' the key each time
you wish to use it. But you don't need anymore to enter a password to
gain access to the remote host.
If you don't want to have to enter such a passphrase, just avoid
entering any passphrase when generating the key.
kochi wrote:
Hi,
I'm trying to ssh passwordless from a local to a remote machine (both
debian).
On the local machine I've generated a key and copied it to the remote
machine:
local#ssh-keygen -t rsa -b 2048
local#scp id_rsa.pub remote.machine:/blabla
On the remote machine I have added the key to .ssh/authorized_keys:
remote#cat id_rsa.pub >> .ssh/authorized_keys
Now if I try to ssh the remote machine I'm still asked to enter the
passphrase ...
local# ssh remote.machine
Enter passphrase for key '/root/.ssh/id_rsa':
Have I missed something ?
Thanks in advance,
yours,
kochi
------------------------------------------------------------------------
_______________________________________________
Lilux-help mailing list
Lilux-help(a)lilux.lu
http://lilux.lu/mailman/listinfo/lilux-help
--
Brent Frère
Private e-mail: Brent(a)BFrere.net
Postal address: 58, rue d'Esch
L-3720 Rumelange
Grand-Duchy of Luxembourg
European Union
Mobile: +352-021/29.05.98
Fax: +352-26.30.05.96
Home: +352-307.341
URL: http://BFrere.net
This e-mail signature can be checked if you have the CaCERT certificate installed.
Check http://www.CaCERT.org for details.
3:13 p.m.
Hi,
On Fri, May 05, 2006 at 04:15:44PM +0200, Brent Frere wrote:
When you generated the key (id_rsa), you've been
prompted for a
passphrase, in order to avoid anybody discovering the file to gain
access as you would.
Now, you need to type in the passphrase to 'unlock' the key each time
you wish to use it. But you don't need anymore to enter a password to
gain access to the remote host.
If you don't want to have to enter such a passphrase, just avoid
entering any passphrase when generating the key.
... which of course is less than optimal from a security point
of view. If you managed a number of servers this way, it would
be sufficient for a cracker to get access to your single machine,
and he could play with all those servers.
Thus, depending on your needs, have a look at ssh-agent.
Greetings, Eric
6 May
6 May
12:27 p.m.
Eric Dondelinger a écrit :
Hi,
On Fri, May 05, 2006 at 04:15:44PM +0200, Brent Frere wrote:
I won't be more explicit on the way I use this feature, as I don't want
to disclose my employer security habits, but could you be more explicit
about your idea implying ssh-agent ?
Thank you.
--
Brent Frère
Private e-mail: Brent(a)BFrere.net
Postal address: 58, rue d'Esch
L-3720 Rumelange
Grand-Duchy of Luxembourg
European Union
Mobile: +352-021/29.05.98
Fax: +352-26.30.05.96
Home: +352-307.341
URL: http://BFrere.net
If you have problem with my digital signature, please install the appropriate authority
certificate by browsing https://www.cacert.org/certs/root.crt.
When you generated the key (id_rsa), you've
been prompted for a
passphrase, in order to avoid anybody discovering the file to gain
access as you would.
Now, you need to type in the passphrase to 'unlock' the key each time
you wish to use it. But you don't need anymore to enter a password to
gain access to the remote host.
If you don't want to have to enter such a passphrase, just avoid
entering any passphrase when generating the key.
... which of course is less than optimal from a security point
of view. If you managed a number of servers this way, it would
be sufficient for a cracker to get access to your single machine,
and he could play with all those servers.
Thus, depending on your needs, have a look at ssh-agent.
6:43 p.m.
On Sat, May 06, 2006 at 02:27:30PM +0200, Brent Frère wrote:
[passwordless ssh]
ssh-agent essentially keeps your key passwords for you, you activate
it when starting your session and type the password once, ssh-agent
will then manage things for you from then on, so you won't have to
type the password again.
This way, even if your machine is compromised, a cracker still needs
a password to gain access to other stuff.
I'm not using ssh-agent myself, but I have played a bit with it a
while back, can't really remember the details.
Greetings, Eric
... which of
course is less than optimal from a security point
of view. If you managed a number of servers this way, it would
be sufficient for a cracker to get access to your single machine,
and he could play with all those servers.
Thus, depending on your needs, have a look at ssh-agent.
I won't be more explicit on the way I use this feature, as I don't want
to disclose my employer security habits, but could you be more explicit
about your idea implying ssh-agent ?
Thank you.
6767
days inactive
6774
days old
7 comments
5 participants
participants (5)
-
Alain Knaff -
Brent Frere -
Eric Dondelinger -
kochi -
Patrick Kaell