SSH publickey auth

Fri Jul 8 20:56:46 UTC 2005

Alexander Dalloz wrote:

>Am Fr, den 08.07.2005 schrieb Michael Yep um 22:03:
>
>Don't top-post, please.
>
>  
>
>>I was under the impression that with this setup I would not have to 
>>enter a password
>>    
>>
>
>No, it requests to enter the pubkey passphrase.
>
>  
>
>>>Enter passphrase for key '/cygdrive/c/Documents and 
>>>      
>>>
>>>>Settings/myep/.ssh/id_rsa':
>>>>Ctrl-C
>>>>        
>>>>
>
>  
>
>>Notice how it trys publickey auth and then it fails, and then tries 
>>password auth.
>>    
>>
>
>Can you mark the line where you see that? I frankly don't see that.
>
>  
>
>>debug1: ssh_rsa_verify: signature correct
>>debug2: kex_derive_keys
>>debug2: set_newkeys: mode 1
>>debug1: SSH2_MSG_NEWKEYS sent
>>debug1: expecting SSH2_MSG_NEWKEYS
>>debug2: set_newkeys: mode 0
>>debug1: SSH2_MSG_NEWKEYS received
>>debug1: SSH2_MSG_SERVICE_REQUEST sent
>>debug2: service_accept: ssh-userauth
>>debug1: SSH2_MSG_SERVICE_ACCEPT received
>>debug2: key: /cygdrive/c/Documents and Settings/myep/.ssh/identity (0x0)
>>debug2: key: /cygdrive/c/Documents and Settings/myep/.ssh/id_rsa 
>>(0x100e9c40)
>>debug2: key: /cygdrive/c/Documents and Settings/myep/.ssh/id_dsa (0x0)
>>debug1: Authentications that can continue: 
>>publickey,gssapi-with-mic,password
>>debug3: start over, passed a different list 
>>publickey,gssapi-with-mic,password
>>debug3: preferred publickey,keyboard-interactive,password
>>debug3: authmethod_lookup publickey
>>debug3: remaining preferred: keyboard-interactive,password
>>debug3: authmethod_is_enabled publickey
>>debug1: Next authentication method: publickey
>>debug1: Trying private key: /cygdrive/c/Documents and 
>>Settings/myep/.ssh/identity
>>debug3: no such identity: /cygdrive/c/Documents and 
>>Settings/myep/.ssh/identity
>>debug1: Offering public key: /cygdrive/c/Documents and 
>>Settings/myep/.ssh/id_rsa
>>debug3: send_pubkey_test
>>debug2: we sent a publickey packet, wait for reply
>>debug1: Server accepts key: pkalg ssh-rsa blen 149
>>debug2: input_userauth_pk_ok: fp 
>>a9:b1:ac:29:22:15:54:47:2d:f0:42:12:78:39:df:cb
>>debug3: sign_and_send_pubkey
>>debug1: PEM_read_PrivateKey failed
>>debug1: read PEM private key done: type <unknown>
>>    
>>
>
>If you want to disable password auth as a fallback method you must
>disable that method in sshd_config.
>
>And please: don't use passphrase-less public keys! That has a security
>drawback. Use ssh-agent for not often entering the passphrase during a
>desktop session.
>
>Alexander
>
>
>  
>
Ok I'm not sure what Top Posting means, but I guess I'll try down here.

taken from this website  
http://www.penguinsecurity.net/pensec/modules.php?name=News&file=article&sid=256

The goal of using Identity/Pubkey authentication is to remove the need 
for static passwords. Instead of providing a password, which could be 
captured by a keystroke logger or witnessed as you type it, you have a 
key pair on your disk that you use to authenticate. Your account on the 
SSH server has a list of Identities/Pubkeys that it trusts, and if you 
can prove you have the public and private key then you are granted 
access without supplying a password.

Some of the nice features of this form of authentication are:

    * No one can shoulder-surf your password and log in to your accounts
      - they'd need both your Identity passphrase and the private key
      from your machine.
    * The server administrator could disable password authentication
      entirely, to prevent password guessing attacks.
    * You can use the |ssh-agent| and SSH agent forwarding to have your
      authentication credentials 'follow' you.
    * You can place restrictions on Identities/Pubkeys, for example
      forbidding port forwards, forcing predetermined commands,
      regardless of what the user wanted to run, and more.

In this week's article we'll show how you create keys and configure your 
account to allow them to log in. In later articles we'll go into some of 
the other capabilities of SSH identities.

Am I misunderstanding this article?  I would like to run rsync jobs via 
cron, and not require a password

-- 
Michael Yep
Development / Technical Operations
RemoteLink, Inc.
(630) 983-0072 x164 