Re: Debian default ssh configuration problem with public/private key checking
Thanks for the response, Andrew,
On Fri, 22 Jun 2007 13:50:17 -0700, Andrew Sackville-West wrote:
>> I'm trying to setup Debian to accept my remote ssh
>> login. No problem with that, but I'm facing a
>> configuration problem:
>>
>> It doesn't seem to be able to handle/accept the public/private key
>> checking, i.e., what sourceforge.net is doing [1], but insists on checking
>> login password [2], which is not a recommended practice.
>>
>> This is a vanilla sshd configuration. I.e., everything from Debian default.
>> What changes should I make to enable the public/private key Authentication?
>
> from /etc/ssh/sshd_config:
>
> RSAAuthentication yes
> PubkeyAuthentication yes
>
> [....]
>
> # To enable empty passwords, change to yes (NOT RECOMMENDED)
> PermitEmptyPasswords no
>
> # Change to no to disable s/key passwords
> ChallengeResponseAuthentication no
>
> # Change to yes to enable tunnelled clear text passwords
> PasswordAuthentication no
I didn't have the PubkeyAuthentication, the man page says it is yes by
default. But I added it all the same. Here is my current config, without
disabling the PasswordAuthentication yet:
-------------------------------------------------
% grep -E1 '^RSAAuthentication|PubkeyAuthentication|PermitEmptyPasswords|ChallengeResponseAuthentication|^PasswordAuthentication' /etc/ssh/sshd_config #
RSAAuthentication yes
PubkeyAuthentication yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no
# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no
-------------------------------------------------
Here is how I tested:
(would testing locally be ok?)
-------------------------------------------------
# make changes to /etc/ssh/sshd_config, adding PubkeyAuthentication
/etc/init.d/ssh restart
ssh-copy-id -i ~/.ssh/id_rsa.pub tong@localhost
$ ssh -v localhost
OpenSSH_4.3p2 Debian-9, OpenSSL 0.9.8c 05 Sep 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Remote protocol version 1.99, remote software version OpenSSH_4.3p2 Debian-9
debug1: match: OpenSSH_4.3p2 Debian-9 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3p2 Debian-9
[...]
debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /home/tong/.ssh/known_hosts:19
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /home/tong/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering public key: /home/tong/.ssh/id_dsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password:
-------------------------------------------------
Is anything else wrong?
Hmm, why "Remote protocol version 1.99", instead of 2? Ah, never mind,
sourceforge.net says the same thing too. BTW, it is still using v3.9p1.
--
Tong (remove underscore(s) to reply)
http://xpt.sf.net/techdocs/
http://xpt.sf.net/tools/
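
Added example, not part of the original message and not OpenSSH or Debian code: a simplified model of how the directives quoted in this thread determine the "Authentications that can continue" list seen in the `ssh -v` trace. It assumes OpenSSH's default of yes for PubkeyAuthentication, PasswordAuthentication and ChallengeResponseAuthentication, ignores Match blocks and other methods (hostbased, GSSAPI), and all function names and sample configs are constructed for illustration.

```python
# Simplified model (assumption): only the three directives below are considered.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}
# Directive -> method name as printed in `ssh -v` output.
METHOD_FOR = {
    "pubkeyauthentication": "publickey",
    "passwordauthentication": "password",
    "challengeresponseauthentication": "keyboard-interactive",
}

def effective_settings(config_text):
    """Effective values; commented-out directives fall back to the default."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        if len(parts) >= 2:
            # sshd keeps the first value it reads for a keyword.
            seen.setdefault(parts[0].lower(), parts[1].lower())
    return {key: seen.get(key, default) for key, default in DEFAULTS.items()}

def advertised_methods(config_text):
    """Methods the server would list as able to continue."""
    eff = effective_settings(config_text)
    return [method for key, method in METHOD_FOR.items() if eff[key] == "yes"]

# Constructed from the grep output posted above.
POSTED_CONFIG = """RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
#ChallengeResponseAuthentication no
"""
# Constructed from the settings quoted from Andrew's reply.
SUGGESTED_CONFIG = """RSAAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
"""

if __name__ == "__main__":
    print("posted:   ", advertised_methods(POSTED_CONFIG))
    print("suggested:", advertised_methods(SUGGESTED_CONFIG))
```

Under this model, setting only PasswordAuthentication to no while ChallengeResponseAuthentication stays commented out still leaves keyboard-interactive advertised, which is the method that produced the "Password:" prompt in the trace.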