- 01-20-2013 #1 Just Joined!
- Join Date
- Jan 2013
- Posts
- 3
SSH Help
I'm having issues with openssh and Putty and private keys. I've tried creating the key in debian and within Putty, but neither works.
I don't know if this is the right way, but say I created the key files in Putty and their names are key.ppk and key.pub, what would be the steps I take from there?
So far, I've tried copying those key files to /root/.ssh/ and adding the line AuthorizedKeysFile %h/.ssh/key.ppk, but it doesn't work. I always get server refused our key.
If someone could be so kind as to walk me through the proper steps of using a public/private key pair to log in to my ssh server, it would be much appreciated. Please don't link to other tutorials. I've been all over the web searching for an answer, but nothing has helped.
- 01-20-2013 #2
The first step in setting up SSH keys is to generate the keys themselves. This can be done with

Code:
    ssh-keygen -b 4096 -t rsa

-b tells it how many bits you want -- otherwise known as the strength of the key -- and -t tells it what type of encryption you want. In this case it's RSA. This process will create two keys in ~/.ssh. In this case these keys are id_rsa and id_rsa.pub. The key generation process will tell you the names of the files it is going to create.

So now we have a key pair: one public key and one private key. The idea of the key pair is that you put the public key onto the machine you want to SSH into, and keep the private key on your personal machine. If the machine you SSH into were ever compromised, that person would not be able to do anything with the information as the public key alone is useless. We need to get the public key on to the target machine and we'll use scp for this task

Code:
    bash-4.2$ scp id_rsa.pub 172.24.10.2:
    krendoshazin@172.24.10.2's password:
    id_rsa.pub 100% 749 0.7KB/s 00:00

id_rsa.pub will now be in the home directory of krendoshazin on the target machine.

Code:
    bash-4.2$ ssh 172.24.10.2
    krendoshazin@172.24.10.2's password:
    krendoshazin@webserver:~$ ls
    httpd-2.4.3/ id_rsa.pub

If .ssh does not exist in the user's home directory, then create it and copy the file over. The public key then needs to be added to authorized_keys

Code:
    krendoshazin@webserver:~$ cd .ssh
    krendoshazin@webserver:~/.ssh$ mv ../id_rsa.pub .
    krendoshazin@webserver:~/.ssh$ ls
    id_rsa.pub
    krendoshazin@webserver:~/.ssh$ cat id_rsa.pub >> authorized_keys

Your key should now be authorized for passwordless logins. Log out of the account and log back in again

Code:
    bash-4.2$ ssh 172.24.10.2
    Last login: Sun Jan 20 10:48:43 2013 from darkstar.corp.enterprise.local
    Linux 2.6.37.6-smp.
    krendoshazin@webserver:~$

As you can see, no password prompt was presented and I have been granted access straight into the machine.

If you use different accounts on different machines, follow this same process for that account and then add your users to ~/.ssh/config as follows:

Code:
    Host testserver
        User testuser
    Host 172.24.10.2
        User anotheruser

SSH by default uses the name of the account you're currently using. This will allow you to ssh just using the machine name and go straight in to that account.
Finally if you want to be really secure, you can disable password authentication in /etc/ssh/sshd_config (location may vary) and set PasswordAuthentication to no.
I hope that helps.

Great GNU/Linux references and resources:
The Linux Documentation Project
Rute User's Tutorial and Exposition
GNU/Linux Man Pages
- 01-20-2013 #3
To add to Krendoshazin's information:
Between linux machines, you can copy your public key via "ssh-copy-id".
This is more comfortable than copying and creating dirs/files yourself.
Also: putty uses a different format than openssh.
So if you want to connect from your windows/putty box to a linux machine,
then you need to convert the openssh private key to a ppk with PuTTYgen.
Other than that, it is good practice to have a strong passphrase on your private key, regardless if it is in openssh or ppk format.

You must always face the curtain with a bow.
- 01-20-2013 #4 Just Joined!
- Join Date
- Jan 2013
- Posts
- 3
Got it Working
What I had to do to get Putty working with openssh on my Debian box was to create a key pair in Puttygen. Then I copied the public key to Debian, edited it by removing the ---- BEGIN SSH2 PUBLIC KEY ----, the next Comment: "" line, the last ---- END SSH2 PUBLIC KEY ----. Then I added ssh-rsa to the beginning, made the entire file one line, and added me@mydomain.com at the end. It wasn't really me@mydomain.com, but my username and my domain name. Now it works! Yay! I even followed this one site's suggestions for securing it and it still works! Yay!
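The hand edit described in the post above, written out as an added Python example (not code from the thread). It goes one step further than the post by reading the key type from the key data instead of assuming ssh-rsa, and it also flags the wrong file kinds that lead to "server refused our key"; the function names and the sample key are constructed for illustration.

```python
import base64

BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"

def blob_key_type(blob: bytes) -> str:
    """Read the algorithm name stored at the start of an SSH public key blob."""
    n = int.from_bytes(blob[:4], "big")
    if len(blob) < 4 or n == 0 or len(blob) < 4 + n:
        raise ValueError("not an SSH key blob")
    return blob[4:4 + n].decode("ascii")

def rfc4716_to_openssh(text: str, comment: str = "") -> str:
    """Turn a PuTTYgen 'SSH2 PUBLIC KEY' file into one authorized_keys line."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an RFC 4716 public key file")
    body, in_header = [], False
    for ln in lines[1:-1]:
        if in_header or ":" in ln:         # header such as Comment: "..."
            in_header = ln.endswith("\\")  # trailing backslash continues it
            continue
        body.append(ln)
    b64 = "".join(body)
    key_type = blob_key_type(base64.b64decode(b64, validate=True))
    return " ".join(part for part in (key_type, b64, comment) if part)

def check_authorized_line(line: str) -> str:
    """Return 'ok', or why the line is not a usable authorized_keys entry."""
    if line.startswith("PuTTY-User-Key-File") or "PRIVATE KEY" in line:
        return "private key file, not a public key"
    if line.startswith(BEGIN):
        return "RFC 4716 format, convert to one line first"
    fields = line.split()
    for i in range(len(fields) - 1):       # skips any leading options field
        try:
            if blob_key_type(base64.b64decode(fields[i + 1], validate=True)) == fields[i]:
                return "ok"
        except ValueError:                 # not base64, or not a key blob
            continue
    return "no key type followed by a matching key blob"

def constructed_sample() -> str:
    """Constructed demo file: tiny made-up numbers, not a usable key."""
    parts = (b"ssh-rsa", b"\x01\x00\x01", b"\x00\xc1\x02\x03")
    b64 = base64.b64encode(b"".join(len(p).to_bytes(4, "big") + p for p in parts)).decode()
    return f'{BEGIN}\nComment: "constructed-demo"\n{b64[:20]}\n{b64[20:]}\n{END}\n'

if __name__ == "__main__":
    print(rfc4716_to_openssh(constructed_sample(), "me@mydomain.com"))
```

Running `check_authorized_line` over each line of the file named by AuthorizedKeysFile shows whether it holds one-line public keys or a .ppk or RFC 4716 file that was copied in unchanged.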
- 01-21-2013 #5 Just Joined!
- Join Date
- Jan 2013
- Posts
- 3
Another Question
Now I'm getting another annoying error. Oh how SSH hates me and my lack of knowledge about it. I used these steps to take my Putty made key and convert it to OpenSSH format.

    Open PuttyGen
    Click Load
    Load your private key
    Go to Conversions->Export OpenSSH and export your private key
    Copy your private key to ~/.ssh/id_dsa (or id_rsa).
    Create the RFC 4716 version of the public key using ssh-keygen
    ssh-keygen -e -f ~/.ssh/id_dsa > ~/.ssh/id_dsa_com.pub
    Convert the RFC 4716 version of the public key to the OpenSSH format:
    ssh-keygen -i -f ~/.ssh/id_dsa_com.pub > ~/.ssh/id_dsa.pub

So now in /home/me/.ssh/ I have id_rsa_com.pub id_rsa_old.pub id_rsa.pub. I open Remote Desktop Client and edit a new SSH connection. For my "Identity File" I select my id_rsa.pub, type the server address, and try to connect, but it gives me this error.

    SSH public key authentication failed: Public key file doesn't exit

Not really even sure if it means it doesn't exist on my server or on my client. I can connect through Putty within Windows.

EDIT: I can ssh through the command line using ssh -i id_rsa me@server, but not through this Remote Desktop Client tool. Maybe command line is good enough.

Last edited by rannday; 01-21-2013 at 08:50 PM.


