I would like to have secure shell running on my three Linux Mint boxes. I have the ssh server successfully installed. Now, over ten years ago, in my job, I set up ssh on Solaris unix servers quite often but my memory of the process is vague.
What I don’t remember at all is whether the .ssh directory under the home directory was already present or if it is created with a command that also populates it with files authorized_keys and known_hosts. I do remember invoking the ssh-keygen file and copying over public key files.
Can someone show me how it is these files are generated, as well as pertinent information such as permission settings? Might there be a site that goes through the process?
Use “ssh-keygen” to create the $HOME/.ssh “id” files. I use “ssh-keygen -t rsa” and when it’s completed the files in ~/.ssh are id_rsa and id_rsa.pub.
If I want to ssh to another system and not be prompted for my password, the contents of id_rsa.pub need to be added to ~/.ssh/authorized_keys on the remote system. The mode on ~/.ssh/authorized_keys must be 600, I believe - read/write only for owner.
The ~/.ssh/known_hosts file will get created and entries will be added automatically when I ssh to a remote system.
I know this is a short answer, but I just woke up a bit ago and haven’t had coffee yet.
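The sequence the answer above describes (generate a key pair, put the public key into the remote ~/.ssh/authorized_keys, get the modes right), as an added example script that is not part of the reply. It assumes POSIX sh with ssh-keygen on the path; it generates an ed25519 key rather than the rsa key used in the reply (either is accepted by a current sshd), and authorize_key does by hand what the real `ssh-copy-id user@host` does, with a check that the same key is not appended twice. The function names and the constructed key line are mine. One caveat on the 600 figure: what sshd actually enforces (with the default StrictModes yes) is that authorized_keys, ~/.ssh and the home directory are owned by the user and not writable by group or others, so 600 on the file is the usual choice rather than the only one that works.

```sh
#!/bin/sh
# Added example, not from the original reply. Sets up ~/.ssh the way sshd expects it.

# ensure_ssh_dir HOME: create ~/.ssh with mode 700 (owner only).
ensure_ssh_dir() {
    mkdir -p "$1/.ssh" && chmod 700 "$1/.ssh"
}

# generate_key HOME: create an ed25519 key pair if there is not one already.
# No -N '' here on purpose: ssh-keygen prompts for a passphrase so the private
# key is protected at rest; pass -N for unattended use.
generate_key() {
    ensure_ssh_dir "$1"
    [ -f "$1/.ssh/id_ed25519" ] ||
        ssh-keygen -t ed25519 -f "$1/.ssh/id_ed25519" -C "$(id -un)@$(hostname)"
}

# authorize_key PUBKEY_FILE TARGET_HOME: append the public key to
# TARGET_HOME/.ssh/authorized_keys (idempotently) and fix the modes.
# On a real remote box this is what ssh-copy-id does for you.
authorize_key() {
    _pub=$1; _home=$2; _ak="$_home/.ssh/authorized_keys"
    ensure_ssh_dir "$_home"
    # Key type and base64 blob only, no comment: that is what sshd compares.
    _keyid=$(awk 'NF >= 2 { print $1, $2; exit }' "$_pub")
    case $_keyid in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-"*|"sk-"*) ;;
        *) echo "not a public key line: $_pub" >&2; return 1 ;;
    esac
    touch "$_ak"
    chmod 600 "$_ak"
    if awk -v id="$_keyid" 'NF >= 2 && ($1 " " $2) == id { found = 1 }
                            END { exit !found }' "$_ak"; then
        echo "already present in $_ak"
    else
        awk 'NF >= 2 { print; exit }' "$_pub" >> "$_ak"
        echo "added to $_ak"
    fi
}

# Usage (only when SSH_SETUP_HOME is set so the functions can also be sourced):
#   SSH_SETUP_HOME=$HOME sh setup.sh            -> generate the key
#   authorize_key /tmp/rohan_id_ed25519.pub $HOME -> authorize a key copied from another box
if [ -n "${SSH_SETUP_HOME:-}" ]; then
    generate_key "$SSH_SETUP_HOME"
fi
```

Copy the id_ed25519.pub (or id_rsa.pub) file from the box you log in from to the box you log in to, then run authorize_key there; never copy the private key.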
When I ran ‘ssh-keygen -t rsa’ ( generate an ssh key of type RSA ), part of the dialog asks where to put the key once it’s created. The default location is ~/.ssh and if the .ssh directory doesn’t exist it will be created. See the line in bold below.
john@mint-beta:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/john/.ssh/id_rsa):
Created directory '/home/john/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/john/.ssh/id_rsa
Your public key has been saved in /home/john/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:wc4InqQIOKNYe3WUXbrh2xC3hBQp7MbT+Ho29hMvCMQ john@mint-beta
The key's randomart image is:
+--[RSA 3072]----+
| ...oo+. |
|. o+.oo |
|= . o .+++= o |
|+= = + =Eo.* . |
|+ o + .oSo+ . |
| . . .+. |
| o...o |
| . * o . |
| + o.o |
+---[SHA256]-----+
I’ve made a lot of progress but have to figure out one last thing, I think.
For my three linux boxes, I have ssh server installed. Keys generated. Files known-hosts and authorized_keys created with the needed information for the other servers. Successfully logged in via ssh and secure copied files.
However, I still need to provide password for login. I thought having authorized_keys with the public key of the server logging in would take care of that, but no (and I restarted ssh to be sure).
I have to go on to other things.
Thanks again. I had no idea that ssh-keygen created the .ssh directory.
Hmm, that's interesting. I use these steps to allow password-less ssh into my linux systems. Perhaps something in /etc/ssh/sshd_config needs to be modified? Are you attempting to login as a normal user or as root? If root, then a modification will need to be done on this line, as in remove the comment character and change 'prohibit-password' to 'yes'.
#PermitRootLogin prohibit-password
Another suggestion is to check these lines - if they are un-commented then the ssh key(s) need to be in those locations, or comment these lines out and the default will be ~/.ssh/ :
Try running ssh -v user@host, where user is the username you're using & host is the target system. The -v flag will tell ssh to be verbose when creating the connection. When I ssh to a system with -v I see this near the bottom of the verbose output - /home/john/.ssh/authorized_keys:2 refers to line 2 of the file on the remote system:
debug1: Remote: /home/john/.ssh/authorized_keys:2: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Sending environment.
debug1: channel 0: setting env LANG = “en_US.UTF-8”
debug1: client_global_hostkeys_private_confirm: server used untrusted RSA signature algorithm ssh-rsa for key 0, disregarding
debug1: update_known_hosts: known hosts file /home/john/.ssh/known_hosts2 does not exist
Last login: Mon Mar 11 08:31:50 2024 from 192.168.15.91
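The reply above points at sshd_config directives (PermitRootLogin, the AuthorizedKeysFile location) as a reason key login can fail. Reading that file by eye is error-prone because sshd applies its own rules: comment lines are ignored, the first occurrence of a directive wins (later repeats are silently dropped), and anything below a Match line only applies when that Match matches. The following is an added example, not from the poster, of a small POSIX sh function that resolves a directive the same way; it only parses the "Keyword value" form (not "Keyword=value"), and the function name is mine. On a live box, `sudo sshd -T` prints the effective configuration and is the authoritative check.

```sh
#!/bin/sh
# Added example, not from the original reply. Resolve one sshd_config directive
# with sshd's rules: skip comments/blank lines, first occurrence wins, stop at
# the first Match block (only the global section is considered here).

# sshd_effective CONFIG_FILE DIRECTIVE DEFAULT
#   prints the effective value, or DEFAULT if the directive is not set globally.
sshd_effective() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/  { next }                 # comment line
        /^[[:space:]]*$/  { next }                 # blank line
        tolower($1) == "match" { exit }            # global section ends here
        tolower($1) == want {                      # first hit wins
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")   # drop the keyword
            print
            found = 1
            exit
        }
        END { if (!found) print def }
    ' "$1"
}

# Usage: SSHD_CONFIG_TO_CHECK=/etc/ssh/sshd_config sh sshd_effective.sh
# The defaults passed here are the OpenSSH defaults for these directives.
if [ -n "${SSHD_CONFIG_TO_CHECK:-}" ]; then
    for d in PubkeyAuthentication AuthorizedKeysFile PermitRootLogin StrictModes; do
        case $d in
            PubkeyAuthentication) def=yes ;;
            AuthorizedKeysFile)   def=".ssh/authorized_keys .ssh/authorized_keys2" ;;
            PermitRootLogin)      def=prohibit-password ;;
            StrictModes)          def=yes ;;
        esac
        printf '%-22s %s\n' "$d" "$(sshd_effective "$SSHD_CONFIG_TO_CHECK" "$d" "$def")"
    done
fi
```

Run it against the sshd_config on each of the three boxes and diff the four lines; a commented-out PermitRootLogin line, for example, correctly resolves to the default prohibit-password rather than to yes.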
I am making progress. The hostnames to my boxes are rohan, fangorn, and valar (yeah, I like Lord of the Rings, etc.).
rohan can get into fangorn and valar with no password entry and fangorn can get into rohan and valar with no password entry. What I needed was logging on the server side.
From /var/log/auth.log
Mar 10 12:36:18 rohan sshd[57719]: Authentication refused: bad ownership or modes for file /home/tony/.ssh/authorized_keys
After I changed its permission to 600, rohan and fangorn worked.
I still cannot get into rohan or fangorn from valar and unsure why.
Are all systems configured the same? Compare /etc/ssh/sshd_config across them and ensure they are in sync ( or N’Sync ). I ask this as perhaps RSA cipher is not allowed / defined. Just a thought.
Wow, I typed a paragraph and (somehow) the entire text got removed. Not an unusual occurrence for me with linux and NEVER happened with windows or Mac. I am writing this on LibreOffice Writer and then I will copy/paste. Does it here as well, but I can “undo.”
I can deal with it but it is a major liability for me with linux.
Anyway, I don’t think I reported my findings inaccurately but for a while here is my status.
I can ssh into rohan and fangorn without password required but not so with valar. I even included ssh’ing into each one’s own box and same result.
I get the same error (from /var/log/auth.log - server side): Authentication refused: bad ownership or modes with file /home/tony/.ssh/authorized_keys
and so machine hostname valar refuses authentication for file authorized_keys in every box, including its own.
Thanks for your excellent suggestion. Files sshd_config are identical across machines. Same size and I did run the comm command with the file from rohan and valar.
At a loss right now. The file has the same permissions in each box. I’ll look into what a mode is. Maybe for some reason valar rejects for whatever that is.
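The "Authentication refused: bad ownership or modes" line quoted in the two posts above comes from sshd's StrictModes check (the secure_filename routine in OpenSSH). It is not only about authorized_keys: the file, ~/.ssh, and the home directory itself must each be owned by the user (or root) and must not be writable by group or others. Because the home directory is part of the check, a box can fail with exactly the same mode on authorized_keys as the boxes that work; a group-writable /home/tony is enough. The following is an added example, not from any post in the thread, that reproduces the check in POSIX sh against a given home directory and applies the usual tightening; the function names are mine, and an ownership problem still needs a chown by root, which the fix function does not do.

```sh
#!/bin/sh
# Added example, not from the original thread. Reproduces sshd's StrictModes
# test for authorized_keys: for the file, ~/.ssh and the home directory,
#   - owner must be the user or root,
#   - neither group nor other may have write permission.
# Any violation is what sshd logs as "bad ownership or modes".

# check_ssh_modes HOME USER: prints each offending path; returns 0 if sshd
# would accept the file, 1 otherwise.
check_ssh_modes() {
    _home=$1; _user=$2; _rc=0
    for _p in "$_home" "$_home/.ssh" "$_home/.ssh/authorized_keys"; do
        if [ ! -e "$_p" ]; then
            echo "missing: $_p"; _rc=1; continue
        fi
        # find -prune tests the path itself without descending into it
        if [ -n "$(find "$_p" -prune ! -user "$_user" ! -user root)" ]; then
            echo "bad ownership (not $_user or root): $_p"; _rc=1
        fi
        if [ -n "$(find "$_p" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "bad modes (group or other writable): $_p"; _rc=1
        fi
    done
    return $_rc
}

# fix_ssh_modes HOME: the tightening that made rohan and fangorn work, plus
# removing group/other write from the home directory itself.
# Ownership is not touched; if check_ssh_modes reports bad ownership, run
# as root: chown -R USER:USER HOME/.ssh
fix_ssh_modes() {
    chmod go-w "$1"
    chmod 700 "$1/.ssh"
    chmod 600 "$1/.ssh/authorized_keys"
}

# Usage on the server side, as the user that is refused:
#   SSH_CHECK_HOME=$HOME sh check_ssh_modes.sh
if [ -n "${SSH_CHECK_HOME:-}" ]; then
    check_ssh_modes "$SSH_CHECK_HOME" "$(id -un)" && echo "ok: sshd will accept the key file"
fi
```

Run it on valar as tony; if it reports the home directory rather than the key file, that is the difference the other two boxes do not have. `ls -ld /home/tony /home/tony/.ssh /home/tony/.ssh/authorized_keys` shows the same three entries for a manual comparison.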