# Can't get public key-based login for SSH working



## xy16644 (Sep 5, 2009)

I want to use public key-based authentication with SSH so that I can stop using passwords. So far I have done the following:


```
alpha# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
c7:38:a8:7d:04:d3:0c:de:71:3c:fc:63:42:7e:3e:18 root@mydomain.com
The key's randomart image is:
+--[ RSA 2048]----+
|      . .o.      |
|     . = o=      |
|      + +o o     |
|       + oE =    |
|      . S oB .   |
|     o . o. o    |
|    . . .    .   |
|       .         |
|                 |
+-----------------+
```

I then copied the public key as follows:


```
cp id_rsa.pub authorized_keys
```

in ~/.ssh.

But when I try to log in using PuTTY on a Windows machine it still says:


```
login as: myusername
Using keyboard-interactive authentication.
Password:
```

Am I missing something here? I followed the instructions at:

http://www.freebsd.org/doc/en/books/handbook/openssh.html (under point 14/11/6)

but I must be doing something wrong. Can someone help?

PS: I have tried this for the root account and a non-root account.


----------



## SirDice (Sep 5, 2009)

Use the PuTTY key generator to generate a key. Copy/paste the line with the public bit to the ~/.ssh/authorized_keys file.

The private key needs to be on the machine you are ssh'ing from. On Windows, load Pageant. Load your private key in there and PuTTY will automatically use it.


----------



## xy16644 (Sep 5, 2009)

Thanks SirDice.

I have created a key pair with the PuTTY key generator on my Windows machine, so I now have a private and a public file on my hard drive.

I loaded Pageant and added the newly created private key successfully. I also edited my authorized_keys file, pasted the newly created public key string in there and saved it.

When I try to log in to SSH with PuTTY it still prompts me for "keyboard-interactive authentication".

Do I need to do anything further to enable this?


----------



## anomie (Sep 5, 2009)

Double-check permissions on ~, ~/.ssh, and ~/.ssh/authorized_keys.

With sshd's StrictModes enabled (which they are by default):

- ~ should not be writable by group or others
- ~/.ssh should not be readable or writable by group or others
- ~/.ssh/authorized_keys should not be readable by group or others

If you find any of those to be set incorrectly, fix them. If you're still having issues after that, start tailing /var/log/auth.log for clues.
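The three StrictModes rules above can be checked mechanically. The following is an added example (not code from the thread or from OpenSSH): a POSIX sh function, `check_strict_modes`, that reads the mode string from `ls -ld` (so it works the same on FreeBSD and Linux) and reports each path that is too open. The function names and the throw-away directory tree built in `demo_strict_modes` are constructed for the example; the demo mirrors a common mistake, an `authorized_keys` left at 644 after being copied into place.

```shell
#!/bin/sh
# Added example: audit a home directory against sshd's StrictModes rules
# (~ not group/other writable; ~/.ssh and ~/.ssh/authorized_keys not
# group/other readable or writable).  Function names are hypothetical.

# Print the 10-character mode string (e.g. drwx------) of a path.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 if group OR others have bit $2 ('r' or 'w') in mode string $1.
# Positions: 5/6 = group read/write, 8/9 = other read/write.
group_or_other_has() {
    case "$2" in
        r) [ "$(printf '%s' "$1" | cut -c5)" = r ] || [ "$(printf '%s' "$1" | cut -c8)" = r ] ;;
        w) [ "$(printf '%s' "$1" | cut -c6)" = w ] || [ "$(printf '%s' "$1" | cut -c9)" = w ] ;;
        *) return 1 ;;
    esac
}

# check_strict_modes HOME_DIR
# Returns 0 when all three paths satisfy StrictModes, 1 otherwise,
# printing one line per problem found.
check_strict_modes() {
    home="$1"
    rc=0
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "FAIL: $path does not exist"
            rc=1
            continue
        fi
        m=$(mode_of "$path")
        if group_or_other_has "$m" w; then
            echo "FAIL: $path is writable by group or others ($m)"
            rc=1
        fi
        # Only ~/.ssh and authorized_keys must also be unreadable to group/others.
        if [ "$path" != "$home" ] && group_or_other_has "$m" r; then
            echo "FAIL: $path is readable by group or others ($m)"
            rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then
        echo "OK: $home passes StrictModes checks"
    fi
    return "$rc"
}

# Demonstration on a constructed throw-away tree (not a real account):
# authorized_keys starts at 644 (readable by group/others), then gets fixed.
demo_strict_modes() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/.ssh"
    : > "$tmp/home/.ssh/authorized_keys"
    chmod 755 "$tmp/home"
    chmod 700 "$tmp/home/.ssh"
    chmod 644 "$tmp/home/.ssh/authorized_keys"   # too open
    if check_strict_modes "$tmp/home"; then before=0; else before=1; fi
    chmod 600 "$tmp/home/.ssh/authorized_keys"   # fixed
    if check_strict_modes "$tmp/home"; then after=0; else after=1; fi
    rm -rf "$tmp"
    echo "before-fix=$before after-fix=$after"
    [ "$before" -eq 1 ] && [ "$after" -eq 0 ]
}

demo_strict_modes
```

Run it against a real account with `check_strict_modes /home/myusername` (or `~`). Note that sshd also checks that the files are owned by the user, which `ls -ld` shows in its third column; the function above deliberately covers only the mode bits listed in the post.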


----------



## xy16644 (Sep 5, 2009)

Thanks for the help.

Before I double-check everything you have mentioned, silly question:

I assume I set up these keys for the non-root account I ssh in with? (Afterwards I then su to get root rights.)

In other words, I don't create a key pair for the root account do I?


----------



## Alt (Sep 5, 2009)

xy16644 said:

> I assume I setup these keys for the non root account I ssh in with? (afterwards I then su to get root rights).
> 
> In other words, I don't create a key pair for the root account do I?


SSH root login is forbidden by default for known reasons =) Create a pair for your regular user.


----------



## xy16644 (Sep 5, 2009)

anomie said:

> Double-check permissions on ~, ~/.ssh, and ~/.ssh/authorized_keys.
> 
> With sshd's StrictModes enabled (which they are by default):
> 
> ...



I checked all the permissions you mentioned above and they seem to be correct for the non-root account I am trying to set this up with.

It's still not working though. I have checked /var/log/auth.log by tailing it and all I get is:


```
Sep  5 21:41:03 alpha sshd[58031]: Accepted keyboard-interactive/pam for myusername from 192.168.0.10 port 60753 ssh2
```


----------



## xy16644 (Sep 5, 2009)

Alt said:

> SSH root login is forbidden by default for known reasons =) Create a pair for your regular user.



Great, that's what I have done but it's still not working. I must be missing something still...


----------



## xy16644 (Sep 5, 2009)

I just noticed something in the PuTTY logfile:


```
2009-09-05 21:40:34	Looking up host "192.168.0.200"
2009-09-05 21:40:34	Connecting to 192.168.0.200 port 22
2009-09-05 21:40:34	Server version: SSH-2.0-OpenSSH_5.2p1 FreeBSD-openssh-portable-overwrite-base-5.2.p1_1,1
2009-09-05 21:40:34	We claim version: SSH-2.0-PuTTY_Release_0.60
2009-09-05 21:40:34	Using SSH protocol version 2
2009-09-05 21:40:34	Doing Diffie-Hellman group exchange
2009-09-05 21:40:34	Doing Diffie-Hellman key exchange with hash SHA-256
2009-09-05 21:40:35	Host key fingerprint is:
2009-09-05 21:40:35	ssh-rsa 2048 f2:55:2f:fe:2b:ab:01:2c:be:7c:11:95:b2:46:19:3c
2009-09-05 21:40:35	Initialised AES-256 SDCTR client->server encryption
2009-09-05 21:40:35	Initialised HMAC-SHA1 client->server MAC algorithm
2009-09-05 21:40:35	Initialised AES-256 SDCTR server->client encryption
2009-09-05 21:40:35	Initialised HMAC-SHA1 server->client MAC algorithm
2009-09-05 21:40:35	Pageant is running. Requesting keys.
2009-09-05 21:40:35	Pageant has 1 SSH-2 keys
2009-09-05 21:40:41	Trying Pageant key #0
2009-09-05 21:40:41	Server refused public key
2009-09-05 21:40:45	Access granted
2009-09-05 21:40:45	Opened channel for session
2009-09-05 21:40:45	Allocated pty (ospeed 38400bps, ispeed 38400bps)
2009-09-05 21:40:45	Started a shell/command
```

Why is it refusing my public key?


----------



## xy16644 (Sep 5, 2009)

I found the fix!!!

http://www.walkernews.net/2009/03/22/how-to-fix-server-refused-our-key-error-that-caused-by-putty-generated-rsa-public-key/


----------



## xy16644 (Sep 6, 2009)

Is there a way to ONLY allow key-based login to SSH?

I tried setting:


```
PasswordAuthentication no
```

in /etc/ssh/sshd_config but this doesn't seem to have any effect (even after restarting the SSH service).

What options do I need to set to enforce (and only allow) key-based login?


----------



## DutchDaemon (Sep 6, 2009)

This one maybe?


```
# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes
```

Haven't tried.


----------



## xy16644 (Sep 6, 2009)

DutchDaemon said:

> This one maybe?
> 
> 
> ```
> ...



I tried that one and found I couldn't SSH into the server anymore! It said something about not having an authentication method available.


----------



## DutchDaemon (Sep 6, 2009)

But it still works with the key, I hope. Well, you set the thread to solved, so I guess the answer is yes ..


----------



## xy16644 (Sep 6, 2009)

It doesn't even work with the key....

Currently I am back to the original settings of:


```
#ChallengeResponseAuthentication yes

#PasswordAuthentication yes
```

I can use either the key OR just a password. I don't want to have the option of a password as this can be brute-forced. With a key-based login option only you can't brute-force it, so SSH is much more secure IMHO...


----------



## anomie (Sep 6, 2009)

For pubkey authentication _only_, you should disable all authentication forms in sshd_config, except this one: 

```
PubkeyAuthentication yes
```

-------

For password authentication, there are two possibilities: 

```
PasswordAuthentication yes
```
or

```
ChallengeResponseAuthentication yes
UsePAM yes
```

-------

They both need to be disabled, or you'll still get a password prompt. (And explicitly disable them; don't just comment them out and rely on the defaults.) 

As mentioned, make sure your pubkey authentication works before disabling those... or you'll get locked out of your server.
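Two details in the post above are easy to get wrong by hand: a commented-out line does nothing (the compiled-in default applies), and when a keyword appears more than once in sshd_config the first uncommented value wins, so a `PasswordAuthentication no` added below an earlier `yes` has no effect. The following is an added example, not code from the thread or from OpenSSH: a POSIX sh/awk audit, `audit_pubkey_only`, that resolves the effective value of each keyword the way sshd does (ignoring Match blocks, which it stops at) and reports whether key-only login is set explicitly. The function names and the two sample configs in `demo_pubkey_only_audit` are constructed for the example; the first sample is the "everything still commented out" state from earlier in the thread, the second is the explicit settings the thread arrives at. UsePAM is only reported for information, since `ChallengeResponseAuthentication no` already closes the PAM password path.

```shell
#!/bin/sh
# Added example: audit an sshd_config for explicit key-only login.
# Models two sshd rules: commented-out lines have no effect, and when a
# keyword appears more than once the FIRST uncommented value wins.
# Match blocks are not evaluated (the scan stops at the first one).
# Function names are hypothetical.

# effective_setting FILE KEYWORD
# Prints the first explicit (uncommented, pre-Match) value of KEYWORD in
# FILE, lowercased, or "unset" when it is only commented out or absent.
effective_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                              # comment: no effect
        { line = $0; sub(/[[:space:]]*=[[:space:]]*/, " ", line); $0 = line }  # allow Key=value
        tolower($1) == "match" { exit }                        # global section ends
        tolower($1) == key && val == "" { val = tolower($2) }  # first one wins
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# audit_pubkey_only FILE
# Returns 0 when FILE explicitly enforces key-only login, 1 otherwise,
# printing the status of each relevant keyword.
audit_pubkey_only() {
    cfg="$1"
    rc=0
    for kv in PubkeyAuthentication:yes PasswordAuthentication:no ChallengeResponseAuthentication:no; do
        key=${kv%%:*}
        want=${kv##*:}
        got=$(effective_setting "$cfg" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok   $key $got"
        else
            echo "FAIL $key is '$got', need explicit '$want'"
            rc=1
        fi
    done
    echo "info UsePAM $(effective_setting "$cfg" UsePAM)"
    return "$rc"
}

# Demonstration on two constructed sample configs (not from a real host).
demo_pubkey_only_audit() {
    tmp=$(mktemp -d)
    # 1. everything left commented out, as shipped: passwords still work
    cat > "$tmp/default.conf" <<'EOF'
#PubkeyAuthentication yes
#PasswordAuthentication yes
#ChallengeResponseAuthentication yes
UsePAM yes
EOF
    # 2. explicit settings that enforce key-only login
    cat > "$tmp/keyonly.conf" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
EOF
    if audit_pubkey_only "$tmp/default.conf"; then before=0; else before=1; fi
    if audit_pubkey_only "$tmp/keyonly.conf"; then after=0; else after=1; fi
    rm -rf "$tmp"
    echo "default-config-passes=$before keyonly-config-passes=$after"
    [ "$before" -eq 1 ] && [ "$after" -eq 0 ]
}

demo_pubkey_only_audit
```

Run `audit_pubkey_only /etc/ssh/sshd_config` before restarting sshd, and keep an existing session open until a fresh key login has been confirmed, as the post says. OpenSSH itself offers `sshd -t` to syntax-check the file and (from 5.1 on) `sshd -T` to dump the effective configuration, which is the authoritative way to confirm what the audit above approximates. On OpenSSH 8.7 and later the keyword is spelled KbdInteractiveAuthentication, with ChallengeResponseAuthentication kept as an alias.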


----------



## xy16644 (Sep 6, 2009)

anomie said:

> For pubkey authentication _only_, you should disable all authentication forms in sshd_config, except this one:
> 
> ```
> PubkeyAuthentication yes
> ...



Many thanks for this.

I have set the following options:

```
RSAAuthentication no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
```

After setting these I restarted the services and now, when I remove my private key from Pageant, I get the following error (see attachment), which means it's working (I think!) as there's no private key to authenticate me. I don't even get the option to use a password.

When I add the private key back into Pageant, I can log back into SSH. This is a fantastic way to secure SSH!!!

I hope I did this correctly, but if I have, I assume there's no way someone could brute-force their way into my server via SSH?

One other thing, is it possible to store the private key on a smart token? I currently have an Aladdin token which I use and it has many keys on it, is it possible to put my SSH key on it?


----------



## anomie (Sep 6, 2009)

xy16644 said:

> I hope I did this correctly, but if I have, I assume there's no way someone could brute-force their way into my server via SSH?



I wouldn't assume that. You have made things a good deal more secure with a small amount of effort, though. 



			
				xy16644 said:
			
		

> One other thing, is it possible to store the private key on a smart token? I currently have an Aladdin token which I use and it has many keys on it, is it possible to put my SSH key on it?



Yes, I think you could specify the path to the private key using the IdentityFile directive in e.g. ~/.ssh/config. See the ssh_config(5) manpage for details.


----------



## xy16644 (Sep 6, 2009)

If I keep my private key secure then it must be pretty difficult for someone to hack into SSH. Not impossible but really difficult...

Looks like there are some options for storing your private key on a smart card. I am busy looking into it. I have the Aladdin eToken Pro and OpenPGP 2.0 card, so I am going to try and get it working with one of them. I use these on a Windows machine, so I need to configure PuTTY and Pageant to work with my SSH keys.

Can't wait to get it working now! ;-)


----------



## xy16644 (Sep 27, 2009)

Just in case anyone's interested, I managed to get my OpenPGP 2 card to work with SSH and key-based authentication. It's really cool. If you're running a Windows client you'll need the following:

OpenPGP 2.0 card
PuTTY
pageant.exe from http://smartcard-auth.de/download-en.html

When you insert your OpenPGP card into the reader you must hold down the Ctrl key, and this creates the public key file you'll need to copy into your authorized_keys file (this is assuming you already have the keys on the card).

If all goes well, the next time you connect to SSH and type in your username a PIN box will appear. Type in the PIN of your OpenPGP card and you're in... super secure!

Before, I was storing my private key on my hard drive, but now it's on the smart card. So much better!


----------



## xy16644 (Sep 27, 2009)

Wow, I just discovered that the smart card works with FileZilla when authenticating to SFTP!


----------

