[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: SSH publickey auth

Alexander Dalloz wrote:

Am Fr, den 08.07.2005 schrieb Michael Yep um 22:03:

Don't top-post, please.

I was under the impression that with this setup I would not have to enter a password

No, it requests to enter the pubkey passphrase.

Enter passphrase for key '/cygdrive/c/Documents and


Notice how it trys publickey auth and then it fails, and then tries password auth.

Can you mark the line where you see that? I frankly don't see that.

debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /cygdrive/c/Documents and Settings/myep/.ssh/identity (0x0)
debug2: key: /cygdrive/c/Documents and Settings/myep/.ssh/id_rsa (0x100e9c40)
debug2: key: /cygdrive/c/Documents and Settings/myep/.ssh/id_dsa (0x0)
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-with-mic,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /cygdrive/c/Documents and Settings/myep/.ssh/identity
debug3: no such identity: /cygdrive/c/Documents and Settings/myep/.ssh/identity
debug1: Offering public key: /cygdrive/c/Documents and Settings/myep/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 149
debug2: input_userauth_pk_ok: fp a9:b1:ac:29:22:15:54:47:2d:f0:42:12:78:39:df:cb
debug3: sign_and_send_pubkey
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>

If you want to disable password auth as a fallback method you must disable that method in sshd_config.

And please: don't use passphrase-less public keys! That has a security
drawback. Use ssh-agent for not often entering the passphrase during a
desktop session.


Ok I'm not sure what Top Posting means, but I guess I'll try down here.

taken from this website http://www.penguinsecurity.net/pensec/modules.php?name=News&file=article&sid=256

The goal of using Identity/Pubkey authentication is to remove the need for static passwords. Instead of providing a password, which could be captured by a keystroke logger or witnessed as you type it, you have a key pair on your disk that you use to authenticate. Your account on the SSH server has a list of Identities/Pubkeys that it trusts, and if you can prove you have the public and private key then you are granted access without supplying a password.

Some of the nice features of this form of authentication are:

   * No one can shoulder-surf your password and log in to your accounts
     - they'd need both your Identity passphrase and the private key
     from your machine.
   * The server administrator could disable password authentication
     entirely, to prevent password guessing attacks.
   * You can use the |ssh-agent| and SSH agent forwarding to have your
     authentication credentials 'follow' you.
   * You can place restrictions on Identities/Pubkeys, for example
     forbidding port forwards, forcing predetermined commands,
     regardless of what the user wanted to run, and more.

In this week's article we'll show how you create keys and configure your account to allow them to log in. In later articles we'll go into some of the other capabilities of SSH identities.

Am I misunderstanding this article? I would like to run rsync jobs via cron, and not require a password

Michael Yep
Development / Technical Operations
RemoteLink, Inc.
(630) 983-0072 x164

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]