Hallo,
I wanted to avoid typing-in my password every occasion I remotely logged-on to a server.
I created my SSH keys and copied the public part to the server and renamed it authorized_keys.
My command line is: ssh root@xxxxxx.com -p 1234
The output shows the logging-on routine wants 3 types of authentication. Surely one successful authentication is sufficient ?
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug1: Connecting to xxxxxx [123.123.123.123] port 1234. debug1: Connection established. debug1: permanently_set_uid: 0/0 debug1: identity file /root/.ssh/identity type -1 debug1: identity file /root/.ssh/id_rsa type 1 debug1: identity file /root/.ssh/id_dsa type -1 debug1: loaded 3 keys debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3 debug1: match: OpenSSH_4.3 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_4.3 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-cbc hmac-md5 none debug1: kex: client->server aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Host 'xxxxxx' is known and matches the RSA host key. debug1: Found key in /root/.ssh/known_hosts:4 debug1: ssh_rsa_verify: signature correct debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,gssapi-with-mic,password debug1: Next authentication method: gssapi-with-mic debug1: Unspecified GSS failure. Minor code may provide more information Unknown code krb5 195
debug1: Unspecified GSS failure. Minor code may provide more information Unknown code krb5 195
debug1: Unspecified GSS failure. Minor code may provide more information Unknown code krb5 195
debug1: Next authentication method: publickey debug1: Trying private key: /root/.ssh/identity debug1: Offering public key: /root/.ssh/id_rsa debug1: Authentications that can continue: publickey,gssapi-with-mic,password debug1: Trying private key: /root/.ssh/id_dsa debug1: Next authentication method: password
-------------------
files in client /root/.ssh are:-
-rw------- 1 root root 1675 Jan 27 03:11 id_rsa -rw-r--r-- 1 root root 403 Jan 27 03:11 id_rsa.pub -rw-r--r-- 1 root root 2022 Jan 27 03:07 known_hosts
---------------------------------------------
server /root/.ssh
id_rsa.authorized_keys -rw--------
--------------------------------------------
The only active lines in /etc/ssh/ssh_config are
Host * GSSAPIAuthentication yes
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT SendEnv LC_IDENTIFICATION LC_ALL
--------------------------------------------
After commenting-out
GSSAPIAuthentication yes
in /etc/ssh/ssh_config
the remainder of a new debug report is:-
... debug1: Authentications that can continue: publickey,gssapi-with-mic,password debug1: Next authentication method: publickey debug1: Trying private key: /root/.ssh/identity debug1: Offering public key: /root/.ssh/id_rsa debug1: Authentications that can continue: publickey,gssapi-with-mic,password debug1: Trying private key: /root/.ssh/id_dsa debug1: Next authentication method: password
All advice most gratefully received.
On Thu, Jan 27, 2011 at 12:15 PM, Always Learning centos@g7.u22.net wrote:
Hallo,
I wanted to avoid typing-in my password every occasion I remotely logged-on to a server.
you expect Passwordless SSH. If so,
On your PC
# ssh-keygen -t rsa ( passphrase should be empty )
Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again:
then,
# cd /root/.ssh/
Pls scp id_rsa.pub to the Server
# scp id_rsa.pub root@server:/root/.ssh/authorized_keys root@192.1.54.63
then, finally ssh to the server from your PC. it would be passwordless. pls see below
# ssh server
Pls try
On Thu, Jan 27, 2011 at 2:03 AM, Indunil Jayasooriya indunil75@gmail.com wrote:
On Thu, Jan 27, 2011 at 12:15 PM, Always Learning centos@g7.u22.net wrote:
Hallo,
I wanted to avoid typing-in my password every occasion I remotely logged-on to a server.
you expect Passwordless SSH. If so,
On your PC
# ssh-keygen -t rsa ( passphrase should be empty )
NO!!! NO!!! NO!!! NO!!!
I'm sorry, but this is a far too comon and very, very bad practice. You may as well tape a Post-It note with your password on it under your keyboard, because anyone who can get this un-passphrase protected key will be able to automatically log in as you. The normal approach is to investigate how to use ssh-agent to store your unlocked key in an active session, not use a passphrase-less key. The "keychain" utiliti is very handy for just this purpose, and it's available in the RPMforge repositories for RHEL 5 and CentOS 5.
Far too many people say "but you have to trust your own machine!!!" and leave these passphrase-less keys lying around, and they're a popular vulnerability for crackers to steal if they can gain *any* access to your systems. It's particularly bad in environments that use NFS and allow local hosts to be run by local users: any such local admin can then "su" to become other users and access their private keys.
Also, there's a stack of reasons that DSA is preferred to RSA for SSH keys these days. When you generate your private keys, use "ssh-keygen -t dsa", not rsa.
Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again:
then,
# cd /root/.ssh/
Pls scp id_rsa.pub to the Server
# scp id_rsa.pub root@server:/root/.ssh/authorized_keys
Wrong again. Never use public key access for root accounts, it simply compounds the security risks. Passphrase protected SSH keys can be used, reasonably, for account access on other hosts, but should be avoided for root access. If you *HAVE* to use an SSH key for root, for example for "rsync" based backup operations, use rssh to restrict its operations or designate a permitted command associated with that key in the target's authorized_keys.
then, finally ssh to the server from your PC. it would be passwordless. pls see below
Sadly, this will *work*, but so does tying your car keys to your car door so you don't lose them. It's a security issue.
Please, read the manual pages on "ssh-agent" which was designed and built into SSH deployments for just such use.
On Thu, 27 Jan 2011, Nico Kadel-Garcia wrote:
Wrong again. Never use public key access for root accounts, it simply compounds the security risks. Passphrase protected SSH keys can be used, reasonably, for account access on other hosts, but should be avoided for root access. If you *HAVE* to use an SSH key for root, for example for "rsync" based backup operations, use rssh to restrict its operations or designate a permitted command associated with that key in the target's authorized_keys.
Is this actually current doctrine for typical machines? I thought plenty of people advocated restricting ssh to AllowRoot without-password. What exactly is your security concern with having password protected key access to a machine's root account?
I'll agree Using command= for things like rsync backups is definitely a good idea, as it means you can put ssh keys on machines that only grant them single command access.
jh
On Thu, Jan 27, 2011 at 07:59:30AM +0000, John Hodrien wrote:
On Thu, 27 Jan 2011, Nico Kadel-Garcia wrote:
Wrong again. Never use public key access for root accounts, it simply compounds the security risks. Passphrase protected SSH keys can be
Is this actually current doctrine for typical machines? I thought plenty of people advocated restricting ssh to AllowRoot without-password. What exactly
Correct. PermitRootLogin without-password is the recommended approach if you must allow remote root login via ssh
It's even better to deny remote root at all (login as normal user then sudo/su as necessary), but practicallity says it's needed, so "without-password" will stop you from being able to use the password and force you to use public keys or other non-password authentication.
On Thu, Jan 27, 2011 at 02:39:29AM -0500, Nico Kadel-Garcia wrote:
Wrong again. Never use public key access for root accounts, it simply compounds the security risks. Passphrase protected SSH keys can be
That is 100% backwards. *NEVER* use password authentication for root (passwords are easier to brute force 'cos people choose bad passwords). Use ssh public key access for root, with appropriate restrictions (eg "from=").
On Thu, 2011-01-27 at 06:40 -0500, Stephen Harris wrote:
*NEVER* use password authentication for root (passwords are easier to brute force 'cos people choose bad passwords). Use ssh public key access for root, with appropriate restrictions (eg "from=").
You haven't seen my long and difficult (for others) password (uppercase, lowercase, and digits). It is unlikely ever to succumb to brute force. :-)
Always Learning wrote:
On Thu, 2011-01-27 at 06:40 -0500, Stephen Harris wrote:
*NEVER* use password authentication for root (passwords are easier to brute force 'cos people choose bad passwords). Use ssh public key access for root, with appropriate restrictions (eg "from=").
You haven't seen my long and difficult (for others) password (uppercase, lowercase, and digits). It is unlikely ever to succumb to brute force. :-)
Ah, no. Where can you log in as root from? If it's anywhere outside the intranet, bad, bad, bad. Thre's been reports that the serious encryption keys can be cracked in a very short time, thanks to an account on Amazon's cloud. Here at work, you can only log in as root *from* *the* *console*; anything else, it's either via ssh keys, or as yourself, then sudo (or sudo -s).
When I have more than one machine at home, I *only* allow ssh from the internal net, and *never* from outside.
mark
On Thu, 2011-01-27 at 10:01 -0500, m.roth@5-cent.us wrote:
Always Learning wrote:
You haven't seen my long and difficult (for others) password (uppercase, lowercase, and digits). It is unlikely ever to succumb to brute force. :-)
Ah, no. Where can you log in as root from? If it's anywhere outside the intranet, bad, bad, bad.
Blush, blush .... access is on a non-standard port and then restricted to a few IP addresses. I don't want my servers taken over by others.
As a basic policy everything that can be changed from a default port is. That means I have open 25 and 80. Everything else has a none-standard port number of 4 or 5 digits. Definitely no 443. Every secure web application has https and a different port and IP restrictions (in the .htaccess).
I'm planning to experiment with mod_auth_mysql.
Always Learning wrote:
On Thu, 2011-01-27 at 10:01 -0500, m.roth@5-cent.us wrote:
Always Learning wrote:
You haven't seen my long and difficult (for others) password
(uppercase, lowercase, and digits). It is unlikely ever to succumb to
brute
force. :-)
Ah, no. Where can you log in as root from? If it's anywhere outside the intranet, bad, bad, bad.
Blush, blush .... access is on a non-standard port and then restricted to a few IP addresses. I don't want my servers taken over by others.
Security through obscurity doesn't work. Are you familiar with nmap? Restricted to a few IP addresses is good; the fewer the better. <snip> mark
On Thu, 2011-01-27 at 10:27 -0500, m.roth@5-cent.us wrote:
Security through obscurity doesn't work.
It certainly helps defeat most potential intruders but not the most determined. IPtables does help too.
Are you familiar with nmap?
Yes. I used to read the bloke's circulars when I was on Windoze. Have it installed. Knowing I use Centos is not necessary going to assist anyone breaking-in if I have everything screwed firmly down.
Restricted to a few IP addresses is good; the fewer the better.
Currently 3 static IPs.
Always Learning wrote:
On Thu, 2011-01-27 at 10:27 -0500, m.roth@5-cent.us wrote:
Security through obscurity doesn't work.
It certainly helps defeat most potential intruders but not the most determined. IPtables does help too.
We also run fail2ban at work. Very nice, installs (along with shorewall), and creates a temporary blacklist, blocking an IP that's tried five, I think, times to break in. All configurable, btw. <snip>
Restricted to a few IP addresses is good; the fewer the better.
Currently 3 static IPs.
<G>
mark
Security through obscurity doesn't work.
It certainly helps defeat most potential intruders but not the most determined. IPtables does help too.
We also run fail2ban at work. Very nice, installs (along with shorewall), and creates a temporary blacklist, blocking an IP that's tried five, I think, times to break in. All configurable, btw.
Here too and from my own systems those 'scriptkiddies' are exposed to the world using http://twitter.com/fail2ban :)
Regards,
Michel
Michel van Deventer wrote:
Security through obscurity doesn't work.
It certainly helps defeat most potential intruders but not the most determined. IPtables does help too.
We also run fail2ban at work. Very nice, installs (along with shorewall), and creates a temporary blacklist, blocking an IP that's
tried five, I
think, times to break in. All configurable, btw.
Here too and from my own systems those 'scriptkiddies' are exposed to the world using http://twitter.com/fail2ban :)
So, where's most of your hits from? The most I see is China, followed by Brazil, then Korea (not sure which), then, a lot lower, Russia, Italy, and various others.
mark
On 01/27/2011 04:57 PM, m.roth@5-cent.us wrote: [snip]
Here too and from my own systems those 'scriptkiddies' are exposed to the world using http://twitter.com/fail2ban :)
So, where's most of your hits from? The most I see is China, followed by Brazil, then Korea (not sure which), then, a lot lower, Russia, Italy, and various others.
I see most hits come from India and China (218.0.0.0/16 - 223.0.0.0/16 seems rather popular) followed at quite a distance by the likes of Brazil, South Korea, Russia, Romania and Bulgaria.
Regards, Patrick
Hi,
On Thu, 2011-01-27 at 10:57 -0500, m.roth@5-cent.us wrote:
Here too and from my own systems those 'scriptkiddies' are exposed to the world using http://twitter.com/fail2ban :)
So, where's most of your hits from? The most I see is China, followed by Brazil, then Korea (not sure which), then, a lot lower, Russia, Italy, and various others.
Lots from China, Russia and some South American countries. Sometimes even from my own country ! (Netherlands).
Regards,
Michel
On Thu, 2011-01-27 at 20:30 +0100, Michel van Deventer wrote:
Lots from China, Russia and some South American countries. Sometimes even from my own country ! (Netherlands).
Attempts from Holland always, in my experience, come from Leaseweb IPs but complaining to them produces no results.
Mvg,
Paul.
P.S. 'Een brug te ver' I saw in Deventer when it was first released. Een mooi stad met een leuke binnenstad. I hope it is still the same.
On Thu, 27 Jan 2011 21:23:51 +0000 Always Learning wrote:
Attempts from Holland always, in my experience, come from Leaseweb IPs but complaining to them produces no results.
The appropriate entries in /etc/hosts.deny does produce results....
Hi,
On Thu, 2011-01-27 at 20:30 +0100, Michel van Deventer wrote:
Lots from China, Russia and some South American countries. Sometimes even from my own country ! (Netherlands).
Attempts from Holland always, in my experience, come from Leaseweb IPs but complaining to them produces no results.
The most recent one came from a company in Amsterdam which stopped 5 minutes after I mailed the abuse address :)
P.S. 'Een brug te ver' I saw in Deventer when it was first released. Een mooi stad met een leuke binnenstad. I hope it is still the same.
I wouldn't know, my last name is 'van Deventer' but I have been only twice to Deventer in my life ;)
Regards,
Michel
On Thu, 2011-01-27 at 10:40 -0500, m.roth@5-cent.us wrote:
We also run fail2ban at work. Very nice, installs (along with shorewall), and creates a temporary blacklist, blocking an IP that's tried five, I think, times to break in. All configurable, btw.
Thanks. I'll add that to the list to do.
Restricted to a few IP addresses is good; the fewer the better.
Currently 3 static IPs.
<G>
I'm definitely not going to let the b**** get in easily :-) The Russians appear the worse with their port 445 scanning.
On Thu, Jan 27, 2011 at 10:40:14AM -0500, m.roth@5-cent.us wrote:
We also run fail2ban at work. Very nice, installs (along with shorewall), and creates a temporary blacklist, blocking an IP that's tried five, I think, times to break in. All configurable, btw.
There is also denyhosts, which performs a very similar function. I believe both are available from the rpmforge repository (and probably in EPEL too if you prefer that repo).
--keith
m.roth@5-cent.us wrote:
Always Learning wrote:
...
Blush, blush .... access is on a non-standard port and then restricted to a few IP addresses. I don't want my servers taken over by others.
Security through obscurity doesn't work. Are you familiar with nmap?
If port scanning is a concern, how about implementing port-knocking?
(Granted, it's not always practical.)
On Thu, Jan 27, 2011 at 6:40 AM, Stephen Harris lists@spuddy.org wrote:
On Thu, Jan 27, 2011 at 02:39:29AM -0500, Nico Kadel-Garcia wrote:
Wrong again. Never use public key access for root accounts, it simply compounds the security risks. Passphrase protected SSH keys can be
That is 100% backwards. *NEVER* use password authentication for root (passwords are easier to brute force 'cos people choose bad passwords). Use ssh public key access for root, with appropriate restrictions (eg "from=").
Nope. Ideally, use *neither* for root. Allow root access only from the local console or a local shell with "su", or "sudo" if you want to share access. That provides much superior tracking of the root access and whose account was used for the inappropriate access.
Remote root access in SSH should be avoided altogether, but if necessary, the SSH keys can be a big issue becuase of people who give exactly the advice we just saw. "Generate an unprotected key and publish it to the root account!" is, unfortunately, far too common, and we just saw someone suggest *exactly* that.
Root does not, generally, need password-free access. If it does, SSH keys can provide some restrictions on it, as can sudo for other accounts to allow them only specific root activities. But root access without making you actually put in a password and think about what you're doing is *begging* for pain.
In fact, the likely pain is only partially from stolen keys. It's also from people doing things as root without thinking about them, and making mistakes.
On Thu, 2011-01-27 at 02:39 -0500, Nico Kadel-Garcia wrote:
Also, there's a stack of reasons that DSA is preferred to RSA for SSH keys these days. When you generate your private keys, use "ssh-keygen -t dsa", not rsa.
RSA is the default if no cypher type is declared on the command line.
I've taken your helpful advise and replaced the RSA key with a DSA key; put a passphrase on the key and then did a SSH-ADD which automatically recognised the new key and added it.
On 01/27/2011 01:39 AM, Nico Kadel-Garcia wrote:
Also, there's a stack of reasons that DSA is preferred to RSA for SSH keys these days. When you generate your private keys, use "ssh-keygen -t dsa", not rsa.
Care to elaborate on that? Searching, I find mostly a "stack of reasons" for preferring RSA now that its patent has expired, e.g.:
* DSA is critically dependent on the quality of your random number generator. Each DSA signature requires a secret random number. If you use the same number twice, or if your weak random number generator allows someone to figure it out, the entire secret key is exposed.
* DSA keys are exactly 1024 bits, which is quite possibly inadequate today. RSA keys default to 2048 bits, and can be up to 4096 bits.
Reasons for preferring DSA for signatures are less compelling:
* RSA can also be used for encryption, making it possible for misguided users to employ the same key for both signing and encryption.
* While RSA and DSA with the same key length are believed to be just about identical in difficulty to crack, a mathematical solution for the DSA discrete logarithm problem would imply a solution for the RSA factoring problem, whereas the reverse is not true. (A solution for either problem would be HUGE news in the crypto world.)
on 10:15 Thu 27 Jan, Robert Nichols (rnicholsNOSPAM@comcast.net) wrote:
On 01/27/2011 01:39 AM, Nico Kadel-Garcia wrote:
Also, there's a stack of reasons that DSA is preferred to RSA for SSH keys these days. When you generate your private keys, use "ssh-keygen -t dsa", not rsa.
Care to elaborate on that? Searching, I find mostly a "stack of reasons" for preferring RSA now that its patent has expired, e.g.:
DSA is critically dependent on the quality of your random number generator. Each DSA signature requires a secret random number. If you use the same number twice, or if your weak random number generator allows someone to figure it out, the entire secret key is exposed.
DSA keys are exactly 1024 bits, which is quite possibly inadequate today. RSA keys default to 2048 bits, and can be up to 4096 bits.
Reasons for preferring DSA for signatures are less compelling:
RSA can also be used for encryption, making it possible for misguided users to employ the same key for both signing and encryption.
While RSA and DSA with the same key length are believed to be just about identical in difficulty to crack, a mathematical solution for the DSA discrete logarithm problem would imply a solution for the RSA factoring problem, whereas the reverse is not true. (A solution for either problem would be HUGE news in the crypto world.)
The main argument against RSA keys was the RSA patent.
It's expired.
Go RSA.
On Thu, Jan 27, 2011 at 12:33:31PM +0530, Indunil Jayasooriya wrote:
# ssh-keygen -t rsa ( passphrase should be empty )
Don't use passphraseless keys unless you're using it for an automated tool (eg rsync kicked off from cron). If this is for human interactive work then learn how to use ssh-agent.
(If it's for programmatic use then also learn the from= and command= options on the public key to restrict what the key can do)
On Thu, 2011-01-27 at 12:33 +0530, Indunil Jayasooriya wrote:
you expect Passwordless SSH. If so,
I wanted a quick effortless automated log-on.
# ssh-keygen -t rsa ( passphrase should be empty )
Yes I did exactly that but following advice from this mailing list have changed to DSA and imposed a passphrase.
# cd /root/.ssh/
Pls scp id_rsa.pub to the Server
# scp id_rsa.pub root@server:/root/.ssh/authorized_keys
I used Nautilus to transfer the files. Copied the file from my machine and pasted it into the server's directory. I have the servers as bookmarks in Nautilus. After entering the password for my machine's keyring, only once per session, entering the remote server is instant and easy. However terminal access is still needed sometimes for re-starting services, iptables and changing ownership - hence my need for SSH command line access to the servers.
on 14:50 Thu 27 Jan, Always Learning (centos@g7.u22.net) wrote:
On Thu, 2011-01-27 at 12:33 +0530, Indunil Jayasooriya wrote:
you expect Passwordless SSH. If so,
I wanted a quick effortless automated log-on.
That's what ssh-agent gives you.
If you invoke a command under ssh-agent, that comamnd (and all its children) inherit ssh-agent's environment, which includes the SSH_AUTH_SOCK variable, pointing to the authentication socket.
Only that user (or root, and you trust root, right) can access this socket.
For convenience (and some risk), you can also enable agent-forwarding (I prefer doing this to a limted set of hosts or domains). This would enable you to say:
ssh from localhost to adminbox.datacenter.example.com ssh from adminbox.datacenter.example.com to other hosts within the DC.
Very handy if you need to run quick commands, git pulls/pushes, scp, rsync, etc., within the DC, without having to constantly re-type your password.
Of course, the more often you type your password, the more memorable it becomes.
# ssh-keygen -t rsa ( passphrase should be empty )
Yes I did exactly that but following advice from this mailing list have changed to DSA and imposed a passphrase.
Either works. RSA takes merits. Password SHOULD be provided.
On 27/01/2011, at 7:45 PM, Always Learning wrote:
Hallo,
I wanted to avoid typing-in my password every occasion I remotely logged-on to a server.
I created my SSH keys and copied the public part to the server and renamed it authorized_keys.
server /root/.ssh
id_rsa.authorized_keys -rw--------
Your ~/.ssh/authorized_keys needs to be readable by sshd, your permissions on it are too restrictive (typically, this should be 0644)
Also, it should be named authorized_keys, not id_rsa.authorized_keys
PS. Coming from a background in other distributions, I find it disturbing that Centos ships with allow_root_login defaulting to yes. If you really need this, ensure that you also restrict access from where people can log in, consider employing dynamic banning, and harden your sshd_config (which, oddly enough, you didn't post).
PPS. When diagnosing such faults, it can be useful to run the sshd (ie. the server process) in debugging mode, although this would generally require the server to be temporarily disabled so it can be started in debugging mode.
On Thu, Jan 27, 2011 at 2:35 AM, Cameron Kerr cameron@humbledown.org wrote:
On 27/01/2011, at 7:45 PM, Always Learning wrote:
Hallo,
I wanted to avoid typing-in my password every occasion I remotely logged-on to a server.
I created my SSH keys and copied the public part to the server and renamed it authorized_keys.
server /root/.ssh
id_rsa.authorized_keys -rw--------
Your ~/.ssh/authorized_keys needs to be readable by sshd, your permissions on it are too restrictive (typically, this should be 0644)
No, 0600 is *fine* In fact that is the recommended permission from the man page for "ssh". OpenSSH does a bit of UID and EUID manipulation to gain permissions to examine that file as the user whose login is being attempted, precisely to deal with NFS mounted home directories which do not allow "root" direct access to protected files.
On Thu, Jan 27, 2011 at 2:46 AM, Nico Kadel-Garcia nkadel@gmail.com wrote:
On Thu, Jan 27, 2011 at 2:35 AM, Cameron Kerr cameron@humbledown.org wrote:
On 27/01/2011, at 7:45 PM, Always Learning wrote:
Hallo,
I wanted to avoid typing-in my password every occasion I remotely logged-on to a server.
I created my SSH keys and copied the public part to the server and renamed it authorized_keys.
server /root/.ssh
id_rsa.authorized_keys -rw--------
Your ~/.ssh/authorized_keys needs to be readable by sshd, your permissions on it are too restrictive (typically, this should be 0644)
No, 0600 is *fine* In fact that is the recommended permission from the man page for "ssh". OpenSSH does a bit of UID and EUID manipulation to gain permissions to examine that file as the user whose login is being attempted, precisely to deal with NFS mounted home directories which do not allow "root" direct access to protected files.
But, the name of the file with a copy of your public key should be $HOME/.ssh/authorized_keys. And the permissions of $HOME/.ssh should be 0700.
On Thu, 2011-01-27 at 02:48 -0500, Nico Kadel-Garcia wrote:
On 27/01/2011, at 7:45 PM, Always Learning wrote:
server /root/.ssh
id_rsa.authorized_keys -rw--------
But, the name of the file with a copy of your public key should be $HOME/.ssh/authorized_keys. And the permissions of $HOME/.ssh should be 0700.
1. logging-on to the remote server as root.
2. server:-
drwx------ 2 root root 4096 Jan 27 03:23 .ssh
-rw------- 1 root root 404 Jan 27 03:23 id_rsa.authorized_keys
OK ?
On 01/27/11 5:46 AM, Always Learning wrote:
-rw------- 1 root root 404 Jan 27 03:23 id_rsa.authorized_keys
how many times do you have to be told that the filename is authorized_keys, NOT id_rsa.authorized_keys
for someone who claims to have been in IT since the 1960s, you don't seem to pay much attention, and waste 100 messages on something generic and trivial for which there are 100s of 'HOWTOs' online.
On Thu, 2011-01-27 at 07:35 -0800, John R Pierce wrote:
On 01/27/11 5:46 AM, Always Learning wrote:
-rw------- 1 root root 404 Jan 27 03:23 id_rsa.authorized_keys
how many times do you have to be told that the filename is authorized_keys, NOT id_rsa.authorized_keys
Once. How many times do you have to be told things ?
My posting was made, if you look at the headers, before I read a posting from another informing me the file name was incorrectly prefixed.
As soon as I read the second posting I altered the file name, discovered everything worked perfectly and posted a very grateful response - you may have read it. (hint: *********** BINGO ********* )
for someone who claims to have been in IT since the 1960s, you don't seem to pay much attention, and waste 100 messages on something generic and trivial for which there are 100s of 'HOWTOs' online.
Have a nice day.
If pw less access is something you prefer use a kerberos based service like FreeIPA/RedhatIPA. No need for ssh keys, and pw aren't stored locally. You can log in as a regular user and sudo su - to root, which can be done during ssh login: ssh -t user@host sudo su -
David
On Jan 27, 2011, at 1:35 AM, Cameron Kerr cameron@humbledown.org wrote:
On 27/01/2011, at 7:45 PM, Always Learning wrote:
Hallo,
I wanted to avoid typing-in my password every occasion I remotely logged-on to a server.
I created my SSH keys and copied the public part to the server and renamed it authorized_keys.
server /root/.ssh
id_rsa.authorized_keys -rw--------
Your ~/.ssh/authorized_keys needs to be readable by sshd, your permissions on it are too restrictive (typically, this should be 0644)
Also, it should be named authorized_keys, not id_rsa.authorized_keys
PS. Coming from a background in other distributions, I find it disturbing that Centos ships with allow_root_login defaulting to yes. If you really need this, ensure that you also restrict access from where people can log in, consider employing dynamic banning, and harden your sshd_config (which, oddly enough, you didn't post).
PPS. When diagnosing such faults, it can be useful to run the sshd (ie. the server process) in debugging mode, although this would generally require the server to be temporarily disabled so it can be started in debugging mode. _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Thu, 2011-01-27 at 06:57 -0600, David Christensen wrote:
If pw less access is something you prefer use a kerberos based service like FreeIPA/RedhatIPA. No need for ssh keys, and pw aren't stored locally. You can log in as a regular user and sudo su - to root, which can be done during ssh login: ssh -t user@host sudo su -
Thanks David. My problem happened because I wrong prefixed the server's key with id_rsa. Have since changed to DSA keys and everything works well.
Hi all,
I am new at setting up icecastand was wondering if someone cold point me to a guide on how to do so on cent 5.5 or give my instructions
Best mike
I run the CreekFM streaming audio server on icecast and ices. (You can find it at www.creekfm.com.) It runs on Centos 5. Do you have any specific questions?
On Thu, 27 Jan 2011 09:02:56 -0600 mike cutie and maia wrote:
Hi all,
I am new at setting up icecastand was wondering if someone cold point me to a guide on how to do so on cent 5.5 or give my instructions
Best mike
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Please do not hijack threads. If you want to send a new message to the list then do NOT reply to a message. Also, I ask that you first try to install icecast and *then* come to the list if you encounter problems. This is not an all-purpose support list. Thanks.
Kai
On 01/27/2011 09:00 AM, Always Learning wrote:
On Thu, 2011-01-27 at 06:57 -0600, David Christensen wrote:
If pw less access is something you prefer use a kerberos based service like FreeIPA/RedhatIPA. No need for ssh keys, and pw aren't stored locally. You can log in as a regular user and sudo su - to root, which can be done during ssh login: ssh -t user@host sudo su -
Thanks David. My problem happened because I wrong prefixed the server's key with id_rsa. Have since changed to DSA keys and everything works well.
Ya sorry I was jumping on the band wagon about not using ssh-keys with the root login or allowing root login at all. Its usually a dir/file permissions thing when it comes to using keys.
You should look into getting away from using ssh-keys unless absolutely necessary and look at centralized authentication/authorization; of course if your env is large enough to warrant it. Kerberos can provide the same sort of password less access as ssh-keys.
Anyway good luck.
David
On Thu, 2011-01-27 at 20:35 +1300, Cameron Kerr wrote:
Also, it should be named authorized_keys, not id_rsa.authorized_keys
**************** B I N G O **************
I can now log-in with just my home made command .s2
Thanks a lot.
That cured it. Brilliant.
Many thanks again.
-
Always Learning -
Cameron Kerr -
David -
David Christensen
-
Dr. Ed Morbius -
Frank Cox -
Indunil Jayasooriya -
John Hodrien -
John R Pierce -
Kai Schaetzl -
Keith Keller -
m.roth@5-cent.us -
Michael Klinosky -
Michel van Deventer -
mike cutie and maia -
Nico Kadel-Garcia -
Patrick Lists -
Robert Nichols -
Stephen Harris