ssh trusted host logins

Brad Bartram bradbartram at ccsisp.com
Fri May 7 15:46:28 EDT 2004


Here's something goofy, but make sure that the .ssh directory in both homes is 
0700.  Trusted auth won't work if there is a chance either private key could 
be read by someone else, so ssh will abort the connection and fall back to 
password if the permissions aren't correct.

It's been a while since I've had to set this up, but as I recall, the messages 
when this happens aren't terribly helpful.

A GUI method of doing this is to use the software secpanel.  The doc is 
horrible and the interface isn't really intuitive, but it does a very 
painless key exchange.

brad

On Friday 07 May 2004 03:21 pm, Darin Perusich wrote:
> Mark T. Valites wrote:
> > How are you generating your keys?
>
> The default keys are generated by the rc scripts, which do:
>
> ssh-keygen -t rsa1 -b 1024 -f /etc/ssh/ssh_host_key -N ''
> ssh-keygen -t dsa -b 1024 -f /etc/ssh/ssh_host_dsa_key -N ''
> ssh-keygen -t rsa -b 1024 -f /etc/ssh/ssh_host_rsa_key -N ''
>
> > Have you tried throwing a couple '-v's on your ssh connection attempts?
> > Three '-v's should give you pretty verbose outputs.
> > How about perms on the keys? That's bitten me a couple times.
>
> I've been running ssh with -vvv and sshd with -ddd (LogLevel debug3);
> scanning all the output was giving me a headache, so I switched tasks.
> I'm getting messages that host1 is accepted by shosts.equiv a few
> times, then it steps down to password auth.
>
> The file perms for shosts.equiv and ssh_known_hosts2 are 0644 on both
> hosts. I can read both files as a normal user.
>
> >>the configs for both systems (host1 and host2) are identical.
> >>
> >>/etc/ssh/ssh_config
> >>Host *
> >>    ForwardAgent yes
> >>    ForwardX11 yes
> >>    HostbasedAuthentication yes
> >>    EnableSSHKeysign yes
> >>
> >>/etc/ssh/sshd_config
> >>    PermitRootLogin no
> >>    HostbasedAuthentication yes
> >>    X11Forwarding yes
> >>    UsePrivilegeSeparation yes
> >>    Banner /etc/issue
> >>    Subsystem       sftp    /usr/lib/ssh/sftp-server
> >>
> >>/etc/ssh/shosts.equiv (host1)
> >>    host2.domain.com
> >>
> >>/etc/ssh/shosts.equiv (host2)
> >>    host1.domain.com
> >>
> >>/etc/ssh/ssh_known_hosts2 for host1 contains the ssh_host_[dr]sa_key.pub
> >>keys for host2 and vice versa.
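As an added example (not code from the original thread or from OpenSSH), here is a small POSIX shell script that audits the permission preconditions Brad describes: ~/.ssh and the private keys inside it must be owner-only, and, for the client side of host-based auth, the host private keys must be root-only and ssh-keysign must be set-uid root (that last requirement comes from ssh-keysign(8), not from the thread). Every path is a parameter; make_fixture() builds constructed sample trees in a temp directory so the checks can be exercised without touching a real host, and the /usr/libexec/ssh-keysign location in the usage comment is an assumption, since the path varies by distribution.

```shell
#!/bin/sh
# Added example, not code from the original thread: audit the permission
# preconditions that make ssh fall back from key/host-based auth to password.
# All paths are arguments; make_fixture() builds constructed sample trees.

# True (exit 0) if group or other has any permission bit set on $1.
# Reads the symbolic mode from `ls -ld`, whose first 10 columns are the same
# on GNU and BSD userlands, so no stat(1) flag differences to worry about.
loose_perms() {
    bits=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ -n "$bits" ] && [ "$bits" != "------" ]
}

# A user's ~/.ssh: the directory and every private key in it must be
# owner-only or the client refuses the key. Prints one line per finding,
# returns 0 when clean and 1 otherwise.
check_user_ssh() {
    dir=$1/.ssh
    rc=0
    if [ ! -d "$dir" ]; then
        echo "missing: $dir"
        return 1
    fi
    if loose_perms "$dir"; then
        echo "loose: $dir (want 0700)"
        rc=1
    fi
    for key in "$dir"/id_* "$dir"/identity; do
        [ -f "$key" ] || continue          # an unmatched glob stays literal
        case $key in *.pub) continue ;; esac
        if loose_perms "$key"; then
            echo "loose: $key (want 0600)"
            rc=1
        fi
    done
    return $rc
}

# Client side of host-based auth: ssh-keysign signs with the host private
# keys, so they must be root-only and ssh-keysign itself must be set-uid
# root (ssh-keysign(8)). $1 is the host key directory, $2 the ssh-keysign
# binary; both are parameters so the checks also run against a fixture.
check_hostbased_client() {
    keydir=$1
    keysign=$2
    rc=0
    for key in "$keydir"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        if loose_perms "$key"; then
            echo "loose: $key (want 0600, owned by root)"
            rc=1
        fi
    done
    if [ ! -u "$keysign" ]; then
        echo "not set-uid root: $keysign"
        rc=1
    fi
    return $rc
}

# Constructed fixtures: "good" is set up correctly, "bad" has the two
# mistakes from the thread (group/world-readable .ssh and private key).
# Prints the fixture root so the caller can clean it up.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/good/.ssh" "$root/bad/.ssh" "$root/etc"
    chmod 700 "$root/good/.ssh"
    chmod 755 "$root/bad/.ssh"
    : > "$root/good/.ssh/id_rsa"; chmod 600 "$root/good/.ssh/id_rsa"
    : > "$root/bad/.ssh/id_rsa";  chmod 644 "$root/bad/.ssh/id_rsa"
    : > "$root/etc/ssh_host_rsa_key"; chmod 600 "$root/etc/ssh_host_rsa_key"
    : > "$root/etc/ssh-keysign"; chmod 4755 "$root/etc/ssh-keysign"
    echo "$root"
}

# Usage on a real host (ssh-keysign path is an assumption, it varies by distro):
#   ./sshperms.sh /home/someuser /etc/ssh /usr/libexec/ssh-keysign
if [ $# -eq 3 ]; then
    check_user_ssh "$1"
    check_hostbased_client "$2" "$3"
fi
```

Run it as the user whose login is failing, against that user's home, before wading through -vvv output: a non-zero exit with a "loose:" line is the silent cause Brad is talking about, and the shosts.equiv and ssh_known_hosts2 files being 0644 is fine, since only the private keys and the .ssh directory are held to the stricter rule.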



