ssh/PuTTY setup question

[sidebrnz]

I'd like access to my Fedora 9 box from my Windows laptop, so I installed PuTTY on the laptop, set up a private key/public key pair and tried things out by connecting my laptop to the LAN. The first time, of course, I had to use username and password to connect and copied over the public key to ~/.ssh/authorized_keys. After a few tries I figured out what garbage had to be deleted from that file, and ssh stopped complaining about my key. Alas, it still asks me for both a username and password each time I try to connect, although I've put my username at the end of that file and changed the permissions as suggested.

I know it's possible to have ssh authenticate without sending a password and I'd like to get that running before I open up Port 22 on my router to make it available to the outside world. Can anybody suggest something I've overlooked, or something else to try? As yet, I haven't tried editing the config files because I'm not sure I need to, and unsure just what changes to the defaults need to be made.

Look at the logs, for information on what sshd is doing when you try to log in.
In particular, check that the permissions of the ~/.ssh/authorized_keys is as
specified in the man page for ssh.

[sidebrnz]

I know I've set the permissions to 600. I'd love to look at the logs, but where are they? I've checked /var/log/messages, and there's nothing relevant, and I can't find any other log to check.

[pete_1967]

On server you need to enable key (and remove password) authentication.

Configuration file is /etc/ssh/sshd_config

Read the comments on it carefully and change as needed. After you've done your changes, you need to restart your sshd server.

As root: `/sbin/service sshd restart`

Unless you have physical access to the linux box, keep password authentication enabled until you're sure everything works as intended.

While you are configuring your sshd server, disable allow root logins in it.

There are plenty of tutorials on how to set up and configure ssh server, just click either of the links in my sig to find them.

[sidebrnz]

Is having the box in question "living" in my bedroom enough physical access? OK, I'll try enabling key authentication and see what happens. I want to give access to a few trusted friends (Doing pings/traceroutes over a different backbone can sometimes be Very Useful, among other things.) so I'll leave password set up so that they can upload their own keys without my interference. (I presume that if both are active, it will only ask for a password if it can't find the key or it doesn't work.)

[sidebrnz]

Checking, key authentication is enabled by default, and it looks in the right place for keys. Any more suggestions? That is, other than those two utterly useless links in your signature.

[marcrblevins]

Quote:

I'd love to look at the logs, but where are they? I've checked /var/log/messages

Thought it was /var/log/secure

Code:

su -
grep ssh /var/log/secure

Got a boatload of ssh failures... denyhosts is my friend here.

[sidebrnz]

Thanx, but I just found out what the problem was. A friend had sent me an example of ~/.ssh/authorized_keys, and I realized that mine didn't match the pattern quite as well as I thought. What you need is this:

ssh-rsa BIGLONGPUBLICKEYTHAT'SMUCHLONGERTHANTHISBUTALLONON EBIGLINEWITHOUTBREAK= username@domain

There's a space before the public key itseslf, one after the equal sign but no -- repeat no -- line breaks anywhere. If you have your key like this it will work; if not, it won't. (I presume if you're using something other than rsa, you change the first string to match.)

Thanx to everybody who tried to help, because even the wrong answers helped me learn, such as disabling root logins. As I said, I'm going to leave password authentication active so that users can set up their public keys on their own if they want. (Not that there will be more than two or three, and mostly to allow pings/traceroutes over a different backbone or store a file they don't want the wife to know about...)

[pete_1967]

Quote:

Originally Posted by sidebrnz

Any more suggestions? That is, other than those two utterly useless links in your signature.

Sorry, don't have any silver platters left.

Quote:

Originally Posted by pete_1967

While you are configuring your sshd server, disable allow root logins in it.

Quote:

If I'd known you don't understand what you read, I'd phrased that differently.

[sidebrnz]

Excuse me for living, but I guess that I'm just a beginner with only 39 years of computer experience. However, I fail to see how a link to Search Forums and one to google are that helpful. Frankly, I see them as just a "don't ask me, look for yourself" blow-off of the questioner. And, yes, the answers were wrong (but well-intentioned) because the right options are (except for root login) set by default and the issue was that ~/.ssh/authorized_keys needed to be edited in a non-intuitive manner. Oh, BTW, I was not referring to disabling root logins as a wrong answer, but that telling me that the issue was in /sshd_config was wrong, although one of the changes you suggested was good. Next time, don't be so eager to take offense where none was offered.

[Hlingler]

OK, kids, play nice now.

V

[marcrblevins]

Just looked at Pete's sig. What a laugh! Oh Pete, thats a good one. I would throw in 'Fedora sshd root login' on the Google link, could have got your answer there.

First one on the list:
http://www.go2linux.org/disable-ssh-root-direct-login

Problemo solvo.

[Doug G]

Read the putty documentation, there are instructions on exactly how to set up key authorization with putty.