ssh is hard to use
- From: Randy Yates <yates@xxxxxxxx>
- Date: Sun, 20 Aug 2006 01:49:32 GMT
I'm using openSSH 4.0p1 (0.9.7f) on Fedora Core 4, and I just had a
very frustrating experience the last few days trying to get public key
authentication to work.
The situation was this: I have two systems on a private network here
at the house behind a firewall. Neither have domain names but rather
are addressed by numeric IP address, which is dynamically assigned by
the Linksys router/firewall. My goal was to be able to scp from one
system to the other from a script without having to manually intervene
to type passwords.
My experience was that, no matter what I tried, I could not get a
passphrase prompt when ssh'ing in (without ssh-agent). Here are some
of the things I tried and/or questions I asked myself, most of which I
had seen in one of the numerous FAQs/tutorials on the subject:
1. Am I using protocol 1 or protocol 2? How do I know if the
software version supports protocol 2?
Ans: I still don't know the answer to this one.
2. How do I know for sure protocol 2 is enabled?
Ans: via the "Protocol" option in sshd_config.
3. How do I know protocol 2 is being used and not protocol 1?
Ans: By specifying "Protocol 2" and not "Protocol 2,1" in sshd_conf.
4. Should I use rsa or dsa keys (ssh-keygen -t rsa or ssh-keygen -t
Ans: Don't know.
5. Where should I put my private key? src:.~/.ssh, or src:~/.ssh2
Ans: ~/.ssh. Apparently the old .ssh2 stuff was done away with at
some point in the protocol 2 development history.
6. Where should I put my authorized key file, dst:~/.ssh or dst:~/.ssh2?
7. What should I name my authorized key file, authorized_keys or
8. Do the host keys need to be generated and active (in /etc/...)
as well as the user keys (i.e., in ~/.ssh/...)?
Ans: No, only the user key in the user's home directory.
9. When the src host is attempting to connect to the dst host, how
does the dst host know which key in the authorized_keys file to mate
with the src host?
Ans: Don't know
10. What exactly is host-based authentication versus public key
Ans: This is a very unfortunate nomenclature. Both use
public/private key pairs. The simple answer is that host-based
authentication authenticates using one key (that in /etc/ssh/...)
no matter which src user account is being used. Public key
authentication keys are src user-dependent (from the user's ~/.ssh
11. When specifying sshd options, which host should they be
changed in, src or dst or both?
Ans: dst. The reason this question lingered in my mind is
that I had no idea how the ssh and sshd clients and servers
interact on the src and dst machines, and was thinking it
might be possible that the src server interacts with the
12. Exactly what permissions are required in order for
public key authentication to work? Are they permissions
on the src, or permissions on the dst, or both?
Ans: Not sure of this one, but setting StrictModes to
no makes the question moot.
13. Does public key authentication require valid reverse DNS
Ans: No. However, I'm not sure the same is true for host-based
Note that, after about 4 days of fiddling around with the damn thing,
it was number 12 that caused my connections to start working.
This is UNACCEPTABLE, and all of these questions should have
been *clearly* answered in a user manual/FAQ. They were not.
If the openSSH community wants this development to thrive, these
shortcomings in the documentation should be repaired.
Note that I distinguish between protocol version (1 or 2)
and software version (e.g., the specific openSSH software
I use the syntax "src" to refer to the source host (i.e.,
the host being connected from) and "dst" to designate the
destination host (i.e., the host being connected to).
% Randy Yates % "Watching all the days go by...
%% Fuquay-Varina, NC % Who are you and who am I?"
%%% 919-577-9882 % 'Mission (A World Record)',
%%%% <yates@xxxxxxxx> % *A New World Record*, ELO
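As an added example (not part of Randy's post), a POSIX shell script covering the dst-side conditions behind question 12: the permission rules sshd's StrictModes enforces on the home directory, ~/.ssh and authorized_keys, checked on a constructed fixture and then repaired rather than switched off with "StrictModes no". It assumes GNU stat (Linux); the fixture paths are constructed.

```shell
#!/bin/sh
# Added example (not from the post): the dst-side permission checks behind
# question 12. With StrictModes (the default) sshd ignores authorized_keys
# when the home dir, ~/.ssh or the file is group- or world-writable (it
# also requires user/root ownership, not covered here). Needs GNU stat.

# Return 0 when every path in the chain is safe, 1 otherwise.
check_ssh_perms() {
    home=$1
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1; continue
        fi
        sym=$(stat -c '%A' "$p")        # e.g. drwxrwxr-x
        case $sym in
            ?????w*|????????w*)          # group- or other-write bit set
                echo "too permissive ($sym): $p"; rc=1 ;;
        esac
    done
    return $rc
}

# The repair StrictModes expects, instead of setting "StrictModes no".
fix_ssh_perms() {
    chmod go-w "$1" && chmod 700 "$1/.ssh" && chmod 600 "$1/.ssh/authorized_keys"
}

# Constructed fixture: a throwaway home with group-writable ~/.ssh and
# authorized_keys, which makes sshd skip the key and prompt for a password.
make_fixture() {
    d=$(mktemp -d)
    chmod 755 "$d"
    mkdir -m 775 "$d/.ssh"
    : > "$d/.ssh/authorized_keys"
    chmod 664 "$d/.ssh/authorized_keys"
    echo "$d"
}

demo() {
    d=$(make_fixture)
    check_ssh_perms "$d" || echo "--> sshd would refuse this key"
    fix_ssh_perms "$d"
    check_ssh_perms "$d" && echo "--> permissions now acceptable"
    rm -rf "$d"
}
demo
```

Running the script on a real account means calling check_ssh_perms "$HOME" on the dst host; sshd logs the same refusal as "Authentication refused: bad ownership or modes" when LogLevel is VERBOSE.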