[PLUG] Re-doing ssh key phrase and key type

Smith, Cathy Cathy.Smith at pnnl.gov
Wed Nov 2 16:05:17 UTC 2016 

Also the permissions on the .ssh directory must be 700.

I apologize if this has already been mentioned, but have you tried to telnet to port 22 on the target box?  That would answer any questions about connectivity.


Cathy
-- 
Cathy L. Smith
IT Engineer

Pacific Northwest National Laboratory
Operated by Battelle for the 
U.S. Department of Energy

Phone: 509.375.2687
Fax:       509.375.4399
Email: cathy.smith at pnnl.gov


-----Original Message-----
From: plug-bounces at lists.pdxlinux.org [mailto:plug-bounces at lists.pdxlinux.org] On Behalf Of Damon Bull
Sent: Wednesday, November 02, 2016 9:00 AM
To: Portland Linux/Unix Group <plug at lists.pdxlinux.org>
Subject: Re: [PLUG] Re-doing ssh key phrase and key type

Rich,
Maybe check your target users home directory permissions.  It's a poorly documented that in addition to the restrictive permission on the ~/.ssh directory and the authorized_keys file, your home directory on the target system must also be restricted.  It must not have more than read and execute permissions for group and everyone for ssh to work without password prompt.  In other words, your target user home directory permissions must be no more permissive than rwxr-xr-x.
Hope this helps.
db.


    On Wednesday, November 2, 2016 8:35 AM, Louis Kowolowski <louisk at cryptomonkeys.org> wrote:
 

 
> On Oct 26, 2016, at 5:51 PM, Rich Shepard <rshepard at appl-ecosys.com> wrote:
> 
>> On Tue, 25 Oct 2016, Rich Shepard wrote:
>> 
>> Having new installations of Slackware-14.2 on three hosts now (two 
>> more to go after I get these three fully functional), I want to 
>> change my ssh private and public keys using a new passphrase and type.
> 
>  Keeping the same thread going, I've read the ssh, sshd, ssh_config,  
>sshd_config, ssh-keygen, and ssh-agen man pages and searched the web 
>for  usage examples and still have a few unanswered questions.
> 
>  On the desktop I generated a new ed25519 key pair. Wanting to set up  
>communications between this host and the ThinkPad I tried
> 
>    scp ~/.ssh/id_ed25519.pub typha:.ssh
> 
> (and a couple of different references to the remote host) but the 
> connection was refused.
> 
>  I copied the public key to a USB thumb drive and manually installed 
>it in
> typha: ~/.ssh.
> 
>  Then, logged into typha, I tried to scp ~/ from the desktop. Openssh 
>told  me it didn't recognize the remote machine and asked it I wanted to continue.
> I responded, "yes," and the public key was added to the ThinkPad's  
>authorized_hosts file, but the connection was refused. Is the next step 
>to  specify verbotisty levels, e.g., 'ssh -vv <remote_host>'?
> 
Yes. If this doesn't show you the problem, you may have to start sshd with debugging. Of note, when you do this, sshd will terminate after the first connection. Be careful.


>  On a related issue, as authorized_hosts holds public keys from remote  
>hosts, and I'm essentially starting from a clean slate with the 
>portables  and the desktop, can I remove that old file from the 
>desktop's ~/.ssh/ and  start over again when I use ssh/scp from a portable to the desktop?
> 
Are you mixing up authorized_keys and known_hosts?

Authorized_keys contains your ssh pub keys Known_hosts is a list of previously connected-to hosts and their fingerprints 

The latter is only meaningful in the sense that you don't get prompted if you save the information into known hosts.


>  On another related OpenSSH issue: ssh-agent. I've not before used it 
>but  it looks useful. If I understand the man page, I run it on hosts 
>that will  remotely connect to the desktop (the portables) so when they 
>boot they'll  have the public key available to all shells and I'll not 
>need to enter my  pass phrase each time I want to establish a secure 
>connection. Is this  correct? Should I also run it on the desktop?
> 
Not exactly. Typically, when you login, you run ssh-add <key> (either manually or automagically) and it will prompt for passphrase of key and add it to your ssh agent. If you use the ssh agent, when you connect to a host via ssh (assuming you aren't passing options to disable the agent) it will look for keys in the agent and auth with them. You don't need to provide a password in this case because you've already done so when you added the key to the agent. You can forward the agent information to the remote host and continue this daisy-chain process. This will work for any keys in the agent. This allows you to use ssh keys but not copy the private key to a remote system.

I run it on my desktop and laptop, because I use both to connect to remote hosts. I don't run it on remote hosts that I don't physically login to. I also don't copy the ssh private key to any host I don't trust.

Sent from my iPhone


_______________________________________________
PLUG mailing list
PLUG at lists.pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug


   
_______________________________________________
PLUG mailing list
PLUG at lists.pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug

More information about the PLUG mailing list