SUMMARY: SSH 2.5.2p2 on Tru64 4.0g

From: Siebert, Aaron (aaron.siebert@nagrastar.com)
Date: Thu Oct 16 2003 - 16:11:07 EDT


Thanks to everyone who responded. There were many great answers but in
the end I figured it out on my own. Here are everyone's responses and the
solution.

1. SSH is very particular about the permissions on the $HOME/.ssh
directory. Ensure these are correct; otherwise ssh will not properly read
user configuration options.
2. When troubleshooting problems with SSH or SSHD use the -v (verbose
ssh) -d (debug sshd) to troubleshoot.
3. Always pay particular attention to the ssh SERVER's protocol usage.
Many admins remove protocol 1 from the configuration for security
purposes and the server rejects pre-shared keys authentication
(RSAAuthentication) when only using the identity.pub or rsa key. Here is
a breakdown of my understanding of the ssh implementation for
RSAAuthentication between protocol 1 and 2.

Protocol 1: must have an rsa1 type key generated and placed in the
$HOME/.ssh/identity and identity.pub files respectively. You must copy
the identity.pub entry to the remote host $HOME/.ssh/authorized_keys
file. In many implementations you will reside behind a NAT firewall, thus
hiding proper name resolution. I was forced to edit the authorized_keys
file on the remote host to reflect the host name without domain that was
published on the internet, even though the host name did not match the
originating key. This will work if protocol 1 is enabled.

Protocol 2: is a bit more confusing. There are 2 types of keys that you
can generate, rsa and dsa. I believe there was a license/contractual
issue with rsa and dsa was implemented to avoid legal issues. However, in
my instance they both worked but you are forced to tell ssh which key
file to use from the client. In most cases I believe it tries to use the
rsa key ($HOME/.ssh/id_rsa and id_rsa.pub) so that is the one I
configured. If a key isn't already generated you must create one using
"ssh-keygen -t rsa". Once created you will have your id_rsa.pub key to
copy to the remote host $HOME/.ssh/authorized_keys file. However, I did
read somewhere that in some cases protocol 2 looks in an
$HOME/.ssh/authorized_keys2 file. Mine worked in the first. The same
host name editing applied to protocol 2 in the authorized_keys file.

TIA

Original
> Managers,
>
> I am working to get RSAAuthentication working between 2 hosts. Both
> are Tru64 4.0g with SSH 2.5.2p2 protocols 1.5 and 2. My sshd_config
> file has a RSAAuthentication yes and I have imported both the
> id_rsa.pub and identity.pub key to $HOME/.ssh/authorized_keys
> authorized_keys2 files for the user I would like to connect as.
> However, while authenticating I still receive a prompt for a password.
>
> What am I missing?
>
> TIA
>
> Aaron Siebert
> Nagrastar Customer Support Engineer
> 303-706-5492 fax 303-706-5719
> Aaron.Siebert@NagraStar.com
>
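
Added example, not part of the original post: a shell sketch of the two checks the summary describes, the permissions on $HOME/.ssh and which protocol each authorized_keys entry belongs to. The function names are hypothetical. It assumes OpenSSH's StrictModes rule (home directory, .ssh and the key file must not be group or world writable) and the usual key line formats (protocol 1 lines begin with the key size in bits, protocol 2 lines with ssh-rsa or ssh-dss).

```shell
#!/bin/sh
# Added example (not from the original post). Assumes OpenSSH StrictModes
# behaviour: sshd ignores authorized_keys when the home directory, ~/.ssh
# or the key file is writable by group or other.

# Succeeds when the path is group- or world-writable (read from `ls -ld`).
writable_by_others() {
    perms=$(ls -ld "$1" | cut -c1-10)      # e.g. drwxr-xr-x
    case "$perms" in
        ?????w????|????????w?) return 0 ;;   # column 6 = group w, 9 = other w
    esac
    return 1
}

# Prints each path that would make sshd skip the keys; returns 1 if any.
audit_ssh_perms() {
    home=$1; bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys" \
             "$home/.ssh/authorized_keys2"; do
        [ -e "$p" ] || continue
        if writable_by_others "$p"; then
            echo "UNSAFE: $p is group/world writable"
            bad=1
        fi
    done
    return $bad
}

# Prints "<line number> <class>" for each entry of an authorized_keys file.
# protocol1: rsa1 key copied from identity.pub (bits exponent modulus).
# protocol2: key copied from id_rsa.pub or id_dsa.pub.
# other:     anything else, e.g. an entry that starts with options.
key_protocols() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
         $1 ~ /^[0-9]+$/ { print NR, "protocol1"; next }
         $1 == "ssh-rsa" || $1 == "ssh-dss" { print NR, "protocol2"; next }
         { print NR, "other" }' "$1"
}

# Stand-alone use: sh script.sh --audit [home-directory]
if [ "${1:-}" = "--audit" ]; then
    target=${2:-$HOME}
    audit_ssh_perms "$target" && echo "permissions OK"
    if [ -f "$target/.ssh/authorized_keys" ]; then
        key_protocols "$target/.ssh/authorized_keys"
    fi
fi
```

If the server only accepts protocol 2 and the file lists only protocol1 entries, a password prompt like the one in the original question is the expected result.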


