[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian default ssh configuration problem with public/private key checking

Thanks for the respond Andrew,

On Fri, 22 Jun 2007 13:50:17 -0700, Andrew Sackville-West wrote:

>> I'm trying to setup Debian to accept my remote ssh
>> login. No problem with that, but I'm facing a
>> configuration problem: 
>> 
>> It doesn't seem to be able to handle/accept the public/private key
>> checking, i.e.,what sourceforge.net is doing [1], but insists on checking
>> login password [2], which is not a recommended practice.
>> 
>> This is a vanilla sshd configuration. I.e., everything from Debian default. 
>> What changes should I make to enable the public/private key Authentication?
> 
> from /etc/ssh/sshd_config:
> 
> RSAAuthentication yes
> PubkeyAuthentication yes
> 
> [....]
> 
> # To enable empty passwords, change to yes (NOT RECOMMENDED)
> PermitEmptyPasswords no
> 
> # Change to no to disable s/key passwords
> ChallengeResponseAuthentication no
> 
> # Change to yes to enable tunnelled clear text passwords
> PasswordAuthentication no

I didn't have the PubkeyAuthentication, the man page says it is yes by
default. But I added all the same. Here is my current config, without
disabling the PasswordAuthentication yet:

-------------------------------------------------
% grep -E1
'^RSAAuthentication|PubkeyAuthentication|PermitEmptyPasswords|ChallengeResponseAuthentication|^PasswordAuthentication'
/etc/ssh/sshd_config #
RSAAuthentication yes
PubkeyAuthentication yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Uncomment to disable s/key passwords 
#ChallengeResponseAuthentication no
-------------------------------------------------

Here is how I tested: 
(would testing locally be ok?)

-------------------------------------------------
# make changes to /etc/ssh/sshd_config, adding PubkeyAuthentication
/etc/init.d/ssh restart

ssh-copy-id -i ~/.ssh/id_rsa.pub tong@localhost

$ ssh -v localhost
OpenSSH_4.3p2 Debian-9, OpenSSL 0.9.8c 05 Sep 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Remote protocol version 1.99, remote software version OpenSSH_4.3p2 Debian-9
debug1: match: OpenSSH_4.3p2 Debian-9 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3p2 Debian-9
[...]
debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /home/tong/.ssh/known_hosts:19
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /home/tong/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering public key: /home/tong/.ssh/id_dsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password: 
-------------------------------------------------

Anything else is wrong? 
hmm, why "Remote protocol version 1.99", instead of 2? Ah, never mind,
sourceforge.net says the same thing too. BTW, it is still using v3.9p1.


-- 
Tong (remove underscore(s) to reply)
  http://xpt.sf.net/techdocs/
  http://xpt.sf.net/tools/
Reply to: