Re: Cannot authenticate with DSA-pubkey in Etch

On Fri, Feb 08, 2008 at 11:43:15AM +0100, Christopher Bianchi wrote:
> I wish to connect my laptop to my server with an ssh pubkey and no
> password. The procedure that I use to create the key pair and set
> permissions on the directories (.ssh/) on laptop and server is correct.

I've put some comments within your file.  Then I've included my
sshd_config file.  I use this, then follow the instructions in the
Debian-Reference under ssh without passwords.  It works.

I hope this helps.


> I think that it's a possible error in sshd_config. 
> **** sshd_config *****************************************************
> # What ports, IPs and protocols we listen for
> Port 10022

Are both machines using the same port?

> # Authentication:
> LoginGraceTime 1m
> PermitRootLogin no
> StrictModes yes

As long as it's not root that is the trouble.

> # Max number of login attempts for a single connection
> MaxAuthTries 3
> RSAAuthentication no

Shouldn't this be yes?

> PubkeyAuthentication yes
> AllowGroups sshusers

Is the user trying to ssh in sshusers on both boxes?

> X11Forwarding no
> X11DisplayOffset 10
> PrintMotd no
> PrintLastLog yes
> KeepAlive yes
> #UseLogin no
> #MaxStartups 10:30:60
> Banner /etc/issue.net
> Subsystem sftp /usr/lib/openssh/sftp-server
> UsePAM no

I have UsePAM yes

> MaxStartups 2

[snip debug:  I've never needed it so I've never read one before]

For comparison, here's my sshd_config:

# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile	%h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
####### added by dtutty after ~/.ssh/authorized_keys updated
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

### added by dtutty (ref lskb on ssh, man sshd_config)
AllowGroups ssh
ClientAliveInterval 15

UsePAM yes
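
The side-by-side comparison made in this reply can be automated. The following is an added example, not part of the original post: it parses excerpts of the two sshd_config files quoted above and lists the authentication-related keywords whose values differ. The function names and the choice of keywords are assumptions made for illustration.

```python
# Keywords from the thread that bear on whether a public-key login succeeds.
AUTH_KEYS = ["port", "pubkeyauthentication", "rsaauthentication",
             "allowgroups", "strictmodes", "usepam", "passwordauthentication"]

def parse_sshd_config(text):
    """Return {lowercased keyword: value}; the first occurrence wins, as in sshd."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        parts = line.split(None, 1)
        key = parts[0].lower()            # sshd keywords are case-insensitive
        if key == "match":                # conditional blocks are out of scope here
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)   # keep the first value seen
    return settings

def diff_auth_settings(a, b, keys=AUTH_KEYS):
    """Return [(keyword, value_in_a, value_in_b)] for keywords that differ."""
    # .get() yields None for an unset keyword, meaning sshd's default applies.
    return [(k, a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)]

# Excerpts copied from the two configurations quoted in the thread.
FAILING = """\
Port 10022
StrictModes yes
RSAAuthentication no
PubkeyAuthentication yes
AllowGroups sshusers
UsePAM no
"""
WORKING = """\
Port 22
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#PasswordAuthentication yes
PasswordAuthentication no
AllowGroups ssh
UsePAM yes
"""

if __name__ == "__main__":
    for key, bad, good in diff_auth_settings(parse_sshd_config(FAILING),
                                             parse_sshd_config(WORKING)):
        print(f"{key:24} failing={bad!r:12} working={good!r}")
```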

