Getting Secure Shell Going On My Linux Boxes

Hi,

I would like to have secure shell running on my three Linux Mint boxes. I have the ssh server successfully installed. Now, over ten years ago, in my job, I set up ssh on Solaris unix servers quite often but my memory of the process is vague.

What I don’t remember at all is whether the .ssh directory under the home directory was already present or if it is created with a command that also populates it with files authorized_keys and known_hosts. I do remember invoking the ssh-keygen file and copying over public key files.

Can someone show me how it is these files are generated, as well as pertinent information such as permission settings? Might there be a site that goes through the process?

Use “ssh-keygen” to create the $HOME/.ssh “id” files. I use “ssh-keygen -t rsa” and when it’s completed the files in ~/.ssh are id_rsa and id_rsa.pub.

If I want to ssh to another system and not be prompted for my password, the contents of id_rsa.pub need to be added to ~/.ssh/authorized_keys on the remote system. The mode on ~/.ssh/authorized_keys must be 600, I believe - read/write only for owner.

The ~/.ssh/known_hosts file will get created and entries will be added automatically when I ssh to a remote system.

I know this is a short answer, but I just woke up a bit ago and haven't had coffee yet. :)

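An added example, not part of the thread: a small POSIX shell function that does by script what the reply above describes by hand (create ~/.ssh, append the public key to authorized_keys, set the modes), but idempotently, so running it twice does not duplicate the key. It does not call ssh-keygen; generate the pair first (for example `ssh-keygen -t ed25519`) and hand the function the .pub file. The key line in the demo is a constructed placeholder, not a real key, and the function names and the throwaway HOME are this example's own. Over the network, `ssh-copy-id user@host` does the same copy.

```shell
#!/bin/sh
# Added example, not from the original thread: install a public key into a
# user's authorized_keys idempotently and with the modes sshd's StrictModes
# check needs. The demo key line is a constructed placeholder, not a real key;
# function names and the throwaway HOME are this example's own.
set -eu

# install_authorized_key HOME PUBKEY_FILE
install_authorized_key() {
    home="$1"; pubkey="$2"
    sshdir="$home/.ssh"; ak="$sshdir/authorized_keys"

    # Accept only a line that looks like an OpenSSH public key ("type base64 [comment]").
    case "$(head -n 1 "$pubkey")" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp*\ *|sk-*) ;;
        *) echo "install_authorized_key: $pubkey is not an OpenSSH public key" >&2; return 2 ;;
    esac

    # Create under a 077 umask so the directory and file are never group/world
    # readable, even for an instant; then pin the modes in case they pre-existed.
    (umask 077; mkdir -p "$sshdir"; touch "$ak")
    chmod 700 "$sshdir"
    chmod 600 "$ak"

    # Dedupe on "type base64" only; the trailing comment may differ between copies.
    keyid=$(awk 'NR == 1 { print $1 " " $2 }' "$pubkey")
    if awk -v k="$keyid" '($1 " " $2) == k { found = 1 } END { exit !found }' "$ak"; then
        echo "already present in $ak" >&2
        return 0
    fi
    head -n 1 "$pubkey" >> "$ak"
    echo "installed into $ak" >&2
}

# count_authorized_keys HOME: number of key lines (blank and comment lines ignored)
count_authorized_keys() {
    f="$1/.ssh/authorized_keys"
    [ -f "$f" ] || { echo 0; return; }
    awk '/^[a-z]/ { n++ } END { print n + 0 }' "$f"
}

# --- demo on a throwaway HOME with a constructed (not real) public key ---
DEMO_HOME=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIENvbnN0cnVjdGVkRGVtb0tleU5vdFJlYWwwMDAw tony@fangorn' > "$DEMO_HOME/id_ed25519.pub"
install_authorized_key "$DEMO_HOME" "$DEMO_HOME/id_ed25519.pub"
install_authorized_key "$DEMO_HOME" "$DEMO_HOME/id_ed25519.pub"   # second run: no duplicate
count_authorized_keys "$DEMO_HOME"                                  # 1
ls -ld "$DEMO_HOME/.ssh" "$DEMO_HOME/.ssh/authorized_keys"
```

The 077 umask matters more than the final chmod: a key file created at 644 and fixed afterwards was world-readable for a moment, and a script that is interrupted between the two steps leaves it that way.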

Hey, that’s great!

Just wondering. Does some command create the .ssh directory or is the usual procedure that the user does so on the command line?

Thanks again!

When I ran 'ssh-keygen -t rsa' (generate an ssh key of type RSA), part of the dialog asks where to put the key once it's created. The default location is ~/.ssh and if the .ssh directory doesn't exist it will be created. See the 'Created directory' line below.

john@mint-beta:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/john/.ssh/id_rsa):
Created directory '/home/john/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/john/.ssh/id_rsa
Your public key has been saved in /home/john/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:wc4InqQIOKNYe3WUXbrh2xC3hBQp7MbT+Ho29hMvCMQ john@mint-beta
The key's randomart image is:
+---[RSA 3072]----+
| ...oo+. |
|. o+.oo |
|= . o .+++= o |
|+= = + =Eo.* . |
|+ o + .oSo+ . |
| . . .+. |
| o...o |
| . * o . |
| + o.o |
+----[SHA256]-----+


Fantastic!

Was sidelined for today but will have a go at it tomorrow.

I’ve made a lot of progress but have to figure out one last thing, I think.

For my three linux boxes, I have ssh server installed. Keys generated. Files known_hosts and authorized_keys created with the needed information for the other servers. Successfully logged in via ssh and secure copied files.

However, I still need to provide password for login. I thought having authorized_keys with the public key of the server logging in would take care of that, but no (and I restarted ssh to be sure).

I have to go on to other things.

Thanks again. I had no idea that ssh-keygen created the .ssh directory.

Hmm, that's interesting. I use these steps to allow password-less ssh into my linux systems. Perhaps something in /etc/ssh/sshd_config needs to be modified? Are you attempting to login as a normal user or as root? If root, then a modification will need to be done on this line, as in remove the comment character and change 'prohibit-password' to 'yes'.

#PermitRootLogin prohibit-password

Another suggestion is to check these lines - if they are un-commented then the ssh key(s) needs to be in these locations, or comment these lines out and the default will be ~/.ssh/ :

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

Try running ssh -v user@host, where user is the username you're using and host is the target system. The -v flag will tell ssh to be verbose when creating the connection. When I ssh to a system with -v I see this near the bottom of the verbose output - /home/john/.ssh/authorized_keys:2 refers to line 2 of the file on the remote system:

debug1: Remote: /home/john/.ssh/authorized_keys:2: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /home/john/.ssh/authorized_keys:2: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Sending environment.
debug1: channel 0: setting env LANG = "en_US.UTF-8"
debug1: client_global_hostkeys_private_confirm: server used untrusted RSA signature algorithm ssh-rsa for key 0, disregarding
debug1: update_known_hosts: known hosts file /home/john/.ssh/known_hosts2 does not exist
Last login: Mon Mar 11 08:31:50 2024 from 192.168.15.91

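Added example, not from the thread: when the reply above says to check sshd_config, the two things worth knowing are that sshd uses the first occurrence of a keyword and ignores later ones, and that an Include directive (Ubuntu and Mint ship `Include /etc/ssh/sshd_config.d/*.conf` at the top) pulls other files in at that point, so a stray drop-in can override the value you see in the main file. The authoritative view is `sudo sshd -T`; the function below reproduces those two rules for reading a copied config offline. The config tree it builds is constructed for the demo, the function names are this example's own, and, as an assumption of this example, everything after a Match line is treated as conditional and skipped rather than evaluated.

```shell
#!/bin/sh
# Added example, not from the original thread: print the value sshd will
# actually use for a keyword, honouring "first occurrence wins" and Include.
# Authoritative answer: `sudo sshd -T | grep -i keyword`. Limitation of this
# example: lines after a Match directive are skipped as conditional.
set -eu

# flatten_sshd_config FILE: print FILE with Include directives expanded in
# place (recursively), so "first occurrence" can be judged on one stream.
flatten_sshd_config() {
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f          # split on whitespace, no globbing yet
        if [ "$#" -ge 2 ] && [ "$(printf %s "$1" | tr 'A-Z' 'a-z')" = include ]; then
            shift
            for pat in "$@"; do
                for f in $pat; do             # now let the shell expand the glob
                    [ -f "$f" ] && flatten_sshd_config "$f"
                done
            done
        else
            printf '%s\n' "$line"
        fi
    done < "$1"
}

# sshd_effective FILE KEYWORD: print the effective value of KEYWORD, or the
# compiled-in OpenSSH default for the keywords that matter for key login.
sshd_effective() {
    want=$(printf %s "$2" | tr 'A-Z' 'a-z')
    val=$(flatten_sshd_config "$1" | awk -v want="$want" '
        { key = tolower($1) }
        key == "match" { in_match = 1 }      # conditional block: ignore from here on
        in_match { next }
        key == want && !seen { $1 = ""; sub(/^[ \t]+/, ""); print; seen = 1 }
    ')
    if [ -z "$val" ]; then
        case "$want" in
            pubkeyauthentication|passwordauthentication|strictmodes) val=yes ;;
            permitrootlogin) val=prohibit-password ;;
            authorizedkeysfile) val=".ssh/authorized_keys .ssh/authorized_keys2" ;;
            *) val="(no default known to this example; run sudo sshd -T)" ;;
        esac
    fi
    printf '%s\n' "$val"
}

# --- demo on a constructed config tree (not anyone's real /etc/ssh) ---
DEMO_ETC=$(mktemp -d)
mkdir "$DEMO_ETC/sshd_config.d"
cat > "$DEMO_ETC/sshd_config.d/50-stray.conf" <<EOF
PubkeyAuthentication no
EOF
cat > "$DEMO_ETC/sshd_config" <<EOF
Include $DEMO_ETC/sshd_config.d/*.conf
#PubkeyAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
PasswordAuthentication yes
#PermitRootLogin prohibit-password
Match User backup
    PubkeyAuthentication no
EOF
for kw in PubkeyAuthentication PasswordAuthentication PermitRootLogin StrictModes AuthorizedKeysFile; do
    printf '%-22s %s\n' "$kw" "$(sshd_effective "$DEMO_ETC/sshd_config" "$kw")"
done
```

In the demo the main file says `PubkeyAuthentication yes`, yet the effective value is `no`, because the drop-in was included first; that is exactly the kind of mismatch that makes a server ignore a perfectly good authorized_keys.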

Oh, that verbose option sure is helpful. Thanks!

It finds the public key but seems to not authenticate anyway.

Here’s the output:
tony@fangorn:~$ ssh -v tony@rohan
OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to rohan [192.168.40.61] port 22.
debug1: Connection established.
debug1: identity file /home/tony/.ssh/id_rsa type 0
debug1: identity file /home/tony/.ssh/id_rsa-cert type -1
debug1: identity file /home/tony/.ssh/id_ecdsa type -1
debug1: identity file /home/tony/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/tony/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/tony/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/tony/.ssh/id_ed25519 type -1
debug1: identity file /home/tony/.ssh/id_ed25519-cert type -1
debug1: identity file /home/tony/.ssh/id_ed25519_sk type -1
debug1: identity file /home/tony/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/tony/.ssh/id_xmss type -1
debug1: identity file /home/tony/.ssh/id_xmss-cert type -1
debug1: identity file /home/tony/.ssh/id_dsa type -1
debug1: identity file /home/tony/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.6
debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.6 pat OpenSSH* compat 0x04000000
debug1: Authenticating to rohan:22 as 'tony'
debug1: load_hostkeys: fopen /home/tony/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:38MDm3YdDPQo6NGkPYWhOmtc9S2TeeC5xep9Kca9zu8
debug1: load_hostkeys: fopen /home/tony/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'rohan' is known and matches the ED25519 host key.
debug1: Found key in /home/tony/.ssh/known_hosts:7
debug1: ssh_packet_send2_wrapped: resetting send seqnr 3
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: ssh_packet_read_poll2: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 1 keys
debug1: Will attempt key: /home/tony/.ssh/id_rsa RSA SHA256:L9yU2yAxaUakl/jPEQPOfiTpg7TGuLzYoDYGbHbYBrM agent
debug1: Will attempt key: /home/tony/.ssh/id_ecdsa
debug1: Will attempt key: /home/tony/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/tony/.ssh/id_ed25519
debug1: Will attempt key: /home/tony/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/tony/.ssh/id_xmss
debug1: Will attempt key: /home/tony/.ssh/id_dsa
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: kex_input_ext_info: publickey-hostbound@openssh.com=<0>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/tony/.ssh/id_rsa RSA SHA256:L9yU2yAxaUakl/jPEQPOfiTpg7TGuLzYoDYGbHbYBrM agent
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/tony/.ssh/id_ecdsa
debug1: Trying private key: /home/tony/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/tony/.ssh/id_ed25519
debug1: Trying private key: /home/tony/.ssh/id_ed25519_sk
debug1: Trying private key: /home/tony/.ssh/id_xmss
debug1: Trying private key: /home/tony/.ssh/id_dsa
debug1: Next authentication method: password
tony@rohan's password:

I see that it never tries private key /home/tony/.ssh/id_rsa

Don’t know if that is significant.

Anyway, it “sees” the correct publickey but does not authenticate anyway.
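Added example, not from the thread: the client output above is easy to misread, so here is a small filter over `ssh -v` output that says what happened to each key. In OpenSSH's client log, "Offering public key: X" means the client proposed X; "Server accepts key: X" means the server found it in authorized_keys; an "Authentications that can continue" line right after an offer, with no "accepts" line, means the server declined it; and "Trying private key: X" for a path that was reported earlier as "type -1" refers to an identity file that does not exist locally, not a failed attempt with a real key. The sample lines are constructed from the shape of the output in this thread, and the function name is this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread: classify ssh -v output.
# Sample lines below are constructed from the shape of this thread's output.
set -eu

# diagnose_ssh_v: reads ssh -v output on stdin, prints one verdict line per finding.
diagnose_ssh_v() {
    awk '
        /^debug1: identity file .* type -1$/   { missing[$4] = 1 }        # file absent locally
        /^debug1: Offering public key: /       { offered[++noff] = $5 }
        /^debug1: Server accepts key: /        { accepted = $5 }
        /^debug1: Trying private key: /        { if ($5 in missing) skipped++ }
        /^debug1: Next authentication method: password/ { fell = 1 }
        END {
            if (accepted != "") { print "accepted " accepted; exit }
            if (noff == 0)      { print "no-key-offered"; exit }
            # An offer with no "accepts" line means the server declined it.
            for (i = 1; i <= noff; i++) print "declined " offered[i]
            if (skipped) print "skipped " skipped " identity file(s) that do not exist locally"
            if (fell)    print "password-fallback"
        }'
}

# --- constructed samples (not real sessions) ---
SAMPLE_DECLINED='debug1: identity file /home/tony/.ssh/id_rsa type 0
debug1: identity file /home/tony/.ssh/id_ed25519 type -1
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/tony/.ssh/id_rsa RSA SHA256:L9yU2yAxaUakl/jPEQPOfiTpg7TGuLzYoDYGbHbYBrM agent
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/tony/.ssh/id_ed25519
debug1: Next authentication method: password'

SAMPLE_ACCEPTED='debug1: Offering public key: /home/tony/.ssh/id_rsa RSA SHA256:L9yU2yAxaUakl/jPEQPOfiTpg7TGuLzYoDYGbHbYBrM agent
debug1: Server accepts key: /home/tony/.ssh/id_rsa RSA SHA256:L9yU2yAxaUakl/jPEQPOfiTpg7TGuLzYoDYGbHbYBrM agent
Authenticated to rohan ([192.168.40.61]:22) using "publickey".'

printf '%s\n' "$SAMPLE_DECLINED" | diagnose_ssh_v
printf '%s\n' "$SAMPLE_ACCEPTED" | diagnose_ssh_v
# Real use: ssh -v tony@rohan 2>&1 | diagnose_ssh_v
```

A "declined" verdict with the key visibly offered means the client side is fine and the answer is on the server: its auth.log, its authorized_keys, or its sshd_config.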

I am making progress. The hostnames to my boxes are rohan, fangorn, and valar (yeah, I like Lord of the Rings, etc.).

rohan can get into fangorn and valar with no password entry and fangorn can get into rohan and valar with no password entry. What I needed was logging on the server side.

From /var/log/auth.log

Mar 10 12:36:18 rohan sshd[57719]: Authentication refused: bad ownership or modes for file /home/tony/.ssh/authorized_keys

After I changed its permission to 600, rohan and fangorn worked.

I still cannot get into rohan or fangorn from valar and unsure why.

Are all systems configured the same? Compare /etc/ssh/sshd_config across them and ensure they are in sync (or N'Sync). :) I ask this as perhaps RSA cipher is not allowed / defined. Just a thought.


Wow, I typed a paragraph and (somehow) the entire text got removed. Not an unusual occurrence for me with linux and NEVER happened with windows or Mac. I am writing this on LibreOffice Writer and then I will copy/paste. Does it here as well, but I can “undo.”

I can deal with it but it is a major liability for me with linux.

Anyway, I don’t think I reported my findings inaccurately but for a while here is my status.

I can ssh into rohan and fangorn without password required but not so with valar. I even included ssh’ing into each one’s own box and same result.

I get the same error (from /var/log/auth.log - server side):
Authentication refused: bad ownership or modes with file /home/tony/.ssh/authorized_keys

and so machine hostname valar refuses authentication for file authorized_keys in every box, including its own.

Thanks for your excellent suggestion. Files sshd_config are identical across machines. Same size and I did use the comm command with the file from rohan and valar.

At a loss right now. The file has the same permissions in each box. I’ll look into what a mode is. Maybe for some reason valar rejects for whatever that is.

???

Thanks again.
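Added example, not from the thread: the "bad ownership or modes" refusal seen in auth.log above comes from sshd's StrictModes check (on by default). sshd walks from authorized_keys up to the home directory and, at every step, requires the path to be owned by the user or root and not writable by group or others. It does not require 600: 644 passes, while 664, 666, a group-writable ~/.ssh or a group-writable home directory are all refused, which is why the file can look right while a parent directory is the real problem. The function below reproduces that walk so it can be run on the server without reading the log; the function name and throwaway HOME are this example's own, and the key line is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the original thread: reproduce sshd's StrictModes
# ownership/mode walk for ~/.ssh/authorized_keys. Function name, throwaway
# HOME and the key line are this example's own (the key is not real).
set -eu

# strictmodes_check HOME USER: prints each offending path; exit 0 if clean.
strictmodes_check() {
    home="$1"; user="$2"; rc=0
    p="$home/.ssh/authorized_keys"
    [ -f "$p" ] || { echo "missing: $p"; return 2; }
    while :; do
        # -prune stops find from descending; only the path itself is inspected.
        if [ -z "$(find "$p" -prune \( -user "$user" -o -user root \) -print)" ]; then
            echo "bad ownership: $p"; rc=1
        fi
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "group/world writable: $p"; rc=1
        fi
        [ "$p" = "$home" ] && break     # sshd stops at the home directory
        p=$(dirname "$p")
        [ "$p" = / ] && break           # guard if HOME was not an ancestor
    done
    return $rc
}

# --- demo on a throwaway HOME with a constructed (not real) key line ---
DEMO_HOME=$(mktemp -d)
ME=$(id -un)
mkdir -m 700 "$DEMO_HOME/.ssh"
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIENvbnN0cnVjdGVkRGVtb0tleU5vdFJlYWwwMDAw tony@valar' > "$DEMO_HOME/.ssh/authorized_keys"
chmod 644 "$DEMO_HOME/.ssh/authorized_keys"
strictmodes_check "$DEMO_HOME" "$ME" && echo "644: accepted (no group/world write bit)"
chmod 664 "$DEMO_HOME/.ssh/authorized_keys"
strictmodes_check "$DEMO_HOME" "$ME" || echo "664: refused, the 'bad ownership or modes' case"
chmod 600 "$DEMO_HOME/.ssh/authorized_keys"
chmod 770 "$DEMO_HOME/.ssh"
strictmodes_check "$DEMO_HOME" "$ME" || echo "600 on the file is not enough when ~/.ssh is group-writable"
chmod 700 "$DEMO_HOME/.ssh"
```

Run it as the target user on each server (`strictmodes_check "$HOME" "$(id -un)"`); a box that refuses keys from everyone, including itself, as valar did, will name the offending path on the first try.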

I just copied authorized_keys to authorized_keys2 in valar and now it works! All machines can ssh into valar without a password.

I have no idea why!

Wow, I checked authorized_keys in valar and its permissions were wrong. I could swear I checked them all.

Do I feel dumb!

Boom! Glad you figured it out, those nits can be frustrating... :)