Long time no hear!

On Thu, May 02, 2002 at 09:25:47AM +0100, Dougie Nisbet wrote:
> On Wednesday 01 May 2002 11:47 pm, David Z Maze wrote:
>
> > Run ssh-keygen(1) to generate a public/private keypair. These should
> > wind up in $HOME/.ssh, as identity and identity.pub. Use scp to copy
> > the identity.pub file to the target machine, and cat it on to the end
> > of $HOME/.ssh/authorized_keys. (It's possible that you might not have
> > a .ssh directory; if not, create it, and run 'chmod 0700 .ssh'.)
> >
> > Now, when you log in, make sure you're running an ssh-agent(1)
> > process. (This happens by default when you log in to X, I believe.)
> > Run ssh-add(1); this will prompt you for the pass-phrase for the ssh
> > key, and register it with the agent. Now when you run ssh, it will
> > get the private key from the agent and use that to authenticate you to
> > the remote machine (with no password).
>
> Thanks for the quick guide. I decided to apt-get remove anything that
> remotely resembled anything to do with ssh, and start again. I also manually
> removed /etc/ssh* and ~/.ssh* as they affected the behaviour of ssh.
>
> Then I did apt-get install ssh, and immediately I'm confused. The output was:
>
> root@guestw:~# apt-get install ssh
> Reading Package Lists... Done
> Building Dependency Tree... Done
> The following NEW packages will be installed:
> ssh
> 0 packages upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
> Need to get 0B/600kB of archives. After unpacking 1352kB will be used.
> Preconfiguring packages ...
> Selecting previously deselected package ssh.
> (Reading database ... 69032 files and directories currently installed.)
> Unpacking ssh (from .../ssh_1%3a3.0.2p1-9_i386.deb) ...
> Setting up ssh (3.0.2p1-9) ...
> Creating SSH2 RSA key
> Creating SSH2 DSA key
> Restarting OpenBSD Secure Shell server: sshd.
>
> That looks to me like it's installing ssh2, and not ssh.
> I'm not sure of what
> the differences are, but I'm not sure what I've got installed; ssh, or ssh2,
> or both, and whether that is important.

A bit of confusion here:

There are different implementations of ssh; openssh (which I suspect
most would recommend here. In Debian it's just the ssh package) and a
few proprietary varieties as well. Each of them has its own version
numbering scheme and they are unlikely to be in sync.

You ended up with ssh (=openssh) version 3.0.2. Good.

There are also (at least) 2 versions of the ssh *protocol* (yes; you
guessed it: version 1 and version 2). The version 2 protocol lacks a
couple of (minor) security holes in protocol version 1 (don't ask me
which ones).

The different versions of the protocol use different key types; what
happened for you was that it generated the version 2 host keys in the
set-up. (which is good).

> Curiously, the output of installing it on the laptop is slightly different.
> It appears to have set a SSH1 key. (NB: The laptop is 'vaiow', the server is
> 'guestw'). The output from installing on the laptop is:
>
>
> root@vaiow:~# apt-get install ssh
> Reading Package Lists... Done
> Building Dependency Tree... Done
> The following NEW packages will be installed:
> ssh
> 0 packages upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
> Need to get 0B/600kB of archives. After unpacking 1352kB will be used.
> Preconfiguring packages ...
> Selecting previously deselected package ssh.
> (Reading database ... 61637 files and directories currently installed.)
> Unpacking ssh (from .../ssh_1%3a3.0.2p1-9_i386.deb) ...
> Setting up ssh (3.0.2p1-9) ...
> Creating SSH1 key
> Creating SSH2 RSA key
> Creating SSH2 DSA key
> Restarting OpenBSD Secure Shell server: sshd
>
> Notice the extra line: 'Creating SSH1 key'

!? Perhaps you didn't purge everything? As far as I can see from
/var/lib/dpkg/info/ssh.postinst this should be dependent on answers
given during configuration.
Those answers are stored by debconf, which you presumably didn't
purge. (Some day I got to find out where it is! RTFM time).

I presume that

    # dpkg-reconfigure --priority=low ssh

would walk you through *all* of the config questions, rather than just
the never-asked-before ones (which is the default).

> I then use ssh-keygen to create my public/private pairs, and scp the public
> to guestw. I cat it to the end of authorized keys. guestw looks like this:
>
> dougie@guestw:~$ ls -ld .ssh
> drwx--S--- 2 dougie dougie 4096 May 2 09:01 .ssh
> dougie@guestw:~$ ls -l .ssh
> total 16
> -rwx------ 1 dougie dougie 995 May 2 09:01 authorized_keys
> -rw------- 1 dougie dougie 528 May 2 08:34 identity
> -rw-r--r-- 1 dougie dougie 332 May 2 08:34 identity.pub
> -rw-r--r-- 1 dougie dougie 455 May 2 09:01 known_hosts
>
> dougie@guestw:~$ ps -ef | grep agent
> dougie 361 332 0 08:52 ? 00:00:00 /usr/bin/ssh-agent
> x-session-manager
>
>
> I had a bit of a problem initially with ssh-agent, as it has to be run on the
> machine itself. So I have to run around the house to go to each PC and type
> it in, rather than from a telnet session. i.e. The telnet session produces:
> dougie@guestw:~$ ssh-add
> Could not open a connection to your authentication agent.

!? You should only need ssh-agent running on the machine where *you*
sit. However, for processes to talk to ssh-agent, they need a couple
of environment variables and whathaveyou. I put this in my ~/.xsession

    eval $( ssh-agent )

(where to put this depends on how you start X. My gdm is set up to use
xsession for me. I like the control). This ensures that anything I
start will inherit the correct environment.
I still have to ssh-add my keys in (and type my passphrase), but
that's only once per login (= 3-4 weeks in my case)

Provided:
- the ssh-agent is running
- your shell has the correct environment variables set
- you have ssh-add'ed your key
- your public key is in target-machine:~somebody/.ssh/authorized_keys
then you should be able to ssh to target-machine without being
bothered by passphrases or passwords. Straight in.

> [ Debug snipped ]
>
>
> So close, but no cigar! My reading of the output is that it's using SSH2, and
> it won't find the keys: /home/dougie/.ssh/id_rsa. These look like SSH2 files.
> But I have just done apt-get install ssh, so I'm not sure what I've got
> installed, or what the difference is.

Yep. I had the same problem once upon a time. Look into the -t option
on ssh-keygen and use either 'rsa' or 'dsa'.

It *is* inconsistent that everybody recommends ssh protocol version 2,
but the default for ssh-keygen is to generate version 1 keys...

-- 
Karl E. Jørgensen
karl@jorgensen.com
www.karl.jorgensen.com
==== Today's fortune:
There are 3 kinds of people: those who can count & those who can't.
 -- Unknown source
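
The conditions discussed in the message above (agent reachable from the current shell, a protocol 2 key type, public key present in authorized_keys), as an added shell example that is not part of the original message. The function names are made up for this example, the permission check reflects sshd's StrictModes behaviour rather than anything stated in the thread, and all file paths are passed in as arguments.

```shell
#!/bin/sh
# Added example: checks for the conditions listed in the message above.
# Function names are made up for this example; file paths are passed in.

# Agent: the shell must have inherited SSH_AUTH_SOCK and it must be a socket.
# A telnet login has no such variable, hence ssh-add's "Could not open a
# connection to your authentication agent."
agent_reachable() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Key type: protocol 2 public keys start with "ssh-rsa" or "ssh-dss";
# a protocol 1 identity.pub starts with the key size in bits.
pubkey_is_v2() {
    case "$(awk 'NF { print $1; exit }' "$1")" in
        ssh-rsa|ssh-dss) return 0 ;;
        *) return 1 ;;
    esac
}

# authorized_keys: match the base64 blob as a whole field, so leading
# options or a different trailing comment do not matter (protocol 2 format).
key_authorized() {
    blob=$(awk 'NF >= 2 { print $2; exit }' "$1")
    [ -n "$blob" ] && awk -v b="$blob" \
        '{ for (i = 1; i <= NF; i++) if ($i == b) ok = 1 } END { exit !ok }' "$2"
}

# Permissions: true if the path is writable by group or others, which
# sshd's StrictModes check refuses for ~/.ssh and authorized_keys.
loose_perms() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# report PUBKEY SSH_DIR: print one line per failed check, non-zero on failure.
report() {
    rc=0
    agent_reachable || { echo "FAIL no agent socket in this shell"; rc=1; }
    pubkey_is_v2 "$1" || { echo "FAIL $1 is not a protocol 2 key"; rc=1; }
    key_authorized "$1" "$2/authorized_keys" || { echo "FAIL key not authorized"; rc=1; }
    for p in "$2" "$2/authorized_keys"; do
        if loose_perms "$p"; then echo "FAIL $p is group/world writable"; rc=1; fi
    done
    [ "$rc" -eq 0 ] && echo "OK all checks passed"
    return "$rc"
}

# Run only when given arguments, e.g.: sh check.sh ~/.ssh/id_rsa.pub ~/.ssh
if [ "$#" -ge 2 ]; then report "$1" "$2"; fi
```

The agent check applies on the machine where you sit; the authorized_keys and permission checks apply to the account on the target machine, using the copy of the public key that was transferred there.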