ssh is hard to use



Hi Folks,

I'm using openSSH 4.0p1 (0.9.7f) on Fedora Core 4, and I just had a
very frustrating experience the last few days trying to get public key
authentication to work.

The situation was this: I have two systems on a private network here
at the house behind a firewall. Neither have domain names but rather
are addressed by numeric IP address, which is dynamically assigned by
the Linksys router/firewall. My goal was to be able to scp from one
system to the other from a script without having to manually intervene
to type passwords.

My experience was that, no matter what I tried, I could not get a
passphrase prompt when ssh'ing in (without ssh-agent). Here are some
of the things I tried and/or questions I asked myself, most of which I
had seen in one of the numerous FAQs/tutorials on the subject:

1. Am I using protocol 1 or protocol 2? How do I know if the
software version [1] supports protocol 2?

Ans: I still don't know the answer to this one.

2. How do I know for sure protocol 2 is enabled?

Ans: via the "Protocol" option in sshd_config.

3. How do I know protocol 2 is being used and not protocol 1?

Ans: By specifying "Protocol 2" and not "Protocol 2,1" in sshd_config.

4. Should I use rsa or dsa keys (ssh-keygen -t rsa or ssh-keygen -t
dsa)?

Ans: Don't know.

5. Where should I put my private key? src:~/.ssh, or src:~/.ssh2
[2]?

Ans: ~/.ssh. Apparently the old .ssh2 stuff was done away with at
some point in the protocol 2 development history.

6. Where should I put my authorized key file, dst:~/.ssh or dst:~/.ssh2?

Ans: ~/.ssh

7. What should I name my authorized key file, authorized_keys or
authorized_keys2?

Ans: authorized_keys

8. Do the host keys need to be generated and active (in /etc/...)
as well as the user keys (i.e., in ~/.ssh/...)?

Ans: No, only the user key in the user's home directory.

9. When the src host is attempting to connect to the dst host, how
does the dst host know which key in the authorized_keys file to mate
with the src host?

Ans: Don't know

10. What exactly is host-based authentication versus public key
authentication?

Ans: This is a very unfortunate nomenclature. Both use
public/private key pairs. The simple answer is that host-based
authentication authenticates using one key (that in /etc/ssh/...)
no matter which src user account is being used. Public key
authentication keys are src user-dependent (from the user's ~/.ssh
directory).

11. When specifying sshd options, which host should they be
changed in, src or dst or both?

Ans: dst. The reason this question lingered in my mind is
that I had no idea how the ssh and sshd clients and servers
interact on the src and dst machines, and was thinking it
might be possible that the src server interacts with the
dst server.

12. Exactly what permissions are required in order for
public key authentication to work? Are they permissions
on the src, or permissions on the dst, or both?

Ans: Not sure of this one, but setting StrictModes to
no makes the question moot.

13. Does public key authentication require valid reverse DNS
lookups?

Ans: No. However, I'm not sure the same is true for host-based
authentication.

Note that, after about 4 days of fiddling around with the damn thing,
it was number 12 that caused my connections to start working.

This is UNACCEPTABLE, and all of these questions should have
been *clearly* answered in a user manual/FAQ. They were not.

If the openSSH community wants this development to thrive, these
shortcomings in the documentation should be repaired.

--Randy Yates



[1] Note that I distinguish between protocol version (1 or 2)
and software version (e.g., the specific openSSH software
version).

[2] I use the syntax "src" to refer to the source host (i.e.,
the host being connected from) and "dst" to designate the
destination host (i.e., the host being connected to).
--
% Randy Yates % "Watching all the days go by...
%% Fuquay-Varina, NC % Who are you and who am I?"
%%% 919-577-9882 % 'Mission (A World Record)',
%%%% <yates@xxxxxxxx> % *A New World Record*, ELO
http://home.earthlink.net/~yatescr


