SSH publickey auth
Michael Yep
myep at remotelink.com
Fri Jul 8 20:56:46 UTC 2005
Alexander Dalloz wrote:
>Am Fr, den 08.07.2005 schrieb Michael Yep um 22:03:
>
>Don't top-post, please.
>
>
>
>>I was under the impression that with this setup I would not have to
>>enter a password
>>
>>
>
>No, it requests to enter the pubkey passphrase.
>
>
>
>>>Enter passphrase for key '/cygdrive/c/Documents and
>>>
>>>
>>>>Settings/myep/.ssh/id_rsa':
>>>>Ctrl-C
>>>>
>>>>
>
>
>
>>Notice how it trys publickey auth and then it fails, and then tries
>>password auth.
>>
>>
>
>Can you mark the line where you see that? I frankly don't see that.
>
>
>
>>debug1: ssh_rsa_verify: signature correct
>>debug2: kex_derive_keys
>>debug2: set_newkeys: mode 1
>>debug1: SSH2_MSG_NEWKEYS sent
>>debug1: expecting SSH2_MSG_NEWKEYS
>>debug2: set_newkeys: mode 0
>>debug1: SSH2_MSG_NEWKEYS received
>>debug1: SSH2_MSG_SERVICE_REQUEST sent
>>debug2: service_accept: ssh-userauth
>>debug1: SSH2_MSG_SERVICE_ACCEPT received
>>debug2: key: /cygdrive/c/Documents and Settings/myep/.ssh/identity (0x0)
>>debug2: key: /cygdrive/c/Documents and Settings/myep/.ssh/id_rsa
>>(0x100e9c40)
>>debug2: key: /cygdrive/c/Documents and Settings/myep/.ssh/id_dsa (0x0)
>>debug1: Authentications that can continue:
>>publickey,gssapi-with-mic,password
>>debug3: start over, passed a different list
>>publickey,gssapi-with-mic,password
>>debug3: preferred publickey,keyboard-interactive,password
>>debug3: authmethod_lookup publickey
>>debug3: remaining preferred: keyboard-interactive,password
>>debug3: authmethod_is_enabled publickey
>>debug1: Next authentication method: publickey
>>debug1: Trying private key: /cygdrive/c/Documents and
>>Settings/myep/.ssh/identity
>>debug3: no such identity: /cygdrive/c/Documents and
>>Settings/myep/.ssh/identity
>>debug1: Offering public key: /cygdrive/c/Documents and
>>Settings/myep/.ssh/id_rsa
>>debug3: send_pubkey_test
>>debug2: we sent a publickey packet, wait for reply
>>debug1: Server accepts key: pkalg ssh-rsa blen 149
>>debug2: input_userauth_pk_ok: fp
>>a9:b1:ac:29:22:15:54:47:2d:f0:42:12:78:39:df:cb
>>debug3: sign_and_send_pubkey
>>debug1: PEM_read_PrivateKey failed
>>debug1: read PEM private key done: type <unknown>
>>
>>
>
>If you want to disable password auth as a fallback method you must
>disable that method in sshd_config.
>
>And please: don't use passphrase-less public keys! That has a security
>drawback. Use ssh-agent for not often entering the passphrase during a
>desktop session.
>
>Alexander
>
>
>
>
Ok I'm not sure what Top Posting means, but I guess I'll try down here.
taken from this website
http://www.penguinsecurity.net/pensec/modules.php?name=News&file=article&sid=256
The goal of using Identity/Pubkey authentication is to remove the need
for static passwords. Instead of providing a password, which could be
captured by a keystroke logger or witnessed as you type it, you have a
key pair on your disk that you use to authenticate. Your account on the
SSH server has a list of Identities/Pubkeys that it trusts, and if you
can prove you have the public and private key then you are granted
access without supplying a password.
Some of the nice features of this form of authentication are:
* No one can shoulder-surf your password and log in to your accounts
- they'd need both your Identity passphrase and the private key
from your machine.
* The server administrator could disable password authentication
entirely, to prevent password guessing attacks.
* You can use the |ssh-agent| and SSH agent forwarding to have your
authentication credentials 'follow' you.
* You can place restrictions on Identities/Pubkeys, for example
forbidding port forwards, forcing predetermined commands,
regardless of what the user wanted to run, and more.
In this week's article we'll show how you create keys and configure your
account to allow them to log in. In later articles we'll go into some of
the other capabilities of SSH identities.
Am I misunderstanding this article? I would like to run rsync jobs via
cron, and not require a password
--
Michael Yep
Development / Technical Operations
RemoteLink, Inc.
(630) 983-0072 x164
More information about the fedora-list
mailing list