ssh-keygen

Question

Level 1

55 points

ssh-keygen

I was trying to create password-less login for several servers that I ssh into. I successfully created the key pair using ssh-keygen. I put the key.pub into the remote server's authorized_hosts file. However, where am I to store the private key? Also, I know on Windows you need an background agent running to make sure it offers to check the private key. Is there a need for something like that as well?

MacBook Pro 15" 2.16 GHz, 2GB DDR2, 160GB HD, Mac OS X (10.4.10), Windows Vista

Posted on Jul 8, 2007 7:01 AM

Reply

Answer 1

Jul 8, 2007 7:54 AM in response to David Stites

The private key you ignore. It just stays where it is.

I don't think there is any such thing as you describe in OSX. I have never encountered it.

Reply

Answer 2

David Stites Author

Level 1

55 points

Jul 8, 2007 9:35 AM in response to Gnarlodious

The private key you ignore. It just stays where it
is.

Where do you mean "where it is?" Right now, it is on my desktop. Should I move it to the ~/.ssh folder?

Also, when I connect to the server that I placed my public key on, it still asks for my password (not the key passphrase) and it seems to completely ignore that my key is there? Any ideas?

Reply

Answer 3

Jul 8, 2007 10:29 AM in response to David Stites

Yes, both id_dsa and/or id_rsa must be in ~/.ssh. Unless, of course, your ssh is configured to use the non-default location.

When you move it to the.ssh folder, the other machine should connect without a password. If it doesn't, use the verbose switch to get info while it is connecting.

Reply

Answer 4

David Stites Author

Level 1

55 points

Jul 8, 2007 2:35 PM in response to Gnarlodious

Still can't quite get it to work. My private key file (named id_dsa) is now located in the ~/.ssh dir. Here is the output from verbose mode:

dstites$ ssh -v lore.cs.purdue.edu
OpenSSH_4.5p1, OpenSSL 0.9.7l 28 Sep 2006
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to lore.cs.purdue.edu [128.10.2.16] port 22.
debug1: Connection established.
debug1: identity file /Users/dstites/.ssh/identity type -1
debug1: identity file /Users/dstites/.ssh/id_rsa type -1
debug1: identity file /Users/dstites/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_4.5
debug1: match: OpenSSH_4.5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.5
debug1: Miscellaneous failure
No credentials cache found

debug1: Miscellaneous failure
No credentials cache found

debug1: SSH2 MSGKEXINIT sent
debug1: SSH2 MSGKEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2 MSG_KEX_DH_GEXREQUEST(1024<1024<8192) sent
debug1: expecting SSH2 MSG_KEX_DH_GEXGROUP
debug1: SSH2 MSG_KEX_DH_GEXINIT sent
debug1: expecting SSH2 MSG_KEX_DH_GEXREPLY
debug1: Host 'lore.cs.purdue.edu' is known and matches the RSA host key.
debug1: Found key in /Users/dstites/.ssh/known_hosts:1
debug1: ssh rsaverify: signature correct
debug1: SSH2 MSGNEWKEYS sent
debug1: expecting SSH2 MSGNEWKEYS
debug1: SSH2 MSGNEWKEYS received
debug1: SSH2 MSG_SERVICEREQUEST sent
debug1: SSH2 MSG_SERVICEACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/dstites/.ssh/identity
debug1: Trying private key: /Users/dstites/.ssh/id_rsa
debug1: Trying private key: /Users/dstites/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: Next authentication method: password
dstites@lore.cs.purdue.edu's password:

Reply

Answer 5

Jul 8, 2007 3:25 PM in response to David Stites

When it's done correctly, you don't have to create directories or move key files around. Also the correct permissions are set by default. I can't help wondering if permissions or exact file names might be wrong because they weren't initially set up correctly for you. You might consider deleting all the ssh files you created, including the ~/.ssh directory and starting from scratch.

When you run ssh-keygen, when it prompts you for file names for the key files, just press return to take the defaults. This should correctly set everything up for you on the local machine. Then, you need to append the contents of the public key file to ~/.ssh/authorized_keys on the remote host as before.

You show your login attempt as ssh -v lore.cs.purdue.edu. This presumes your remote username matches that on your Mac. Otherwise, you need to say ssh -v username@lore.cs.purdue.edu.

Reply

Answer 6

Jul 8, 2007 4:30 PM in response to David Stites

This is a DNS problem. I suggest you enter these DNS numbers in your Network preference panel:

208.67.222.222
208.67.220.220

Reply

Answer 7

David Stites Author

Level 1

55 points

Jul 8, 2007 7:00 PM in response to Ken Nellis

You might consider deleting all the ssh
files you created, including the ~/.ssh directory and
starting from scratch.

I took your suggestion and removed .ssh on my local and remote machine. I generated the two key-pairs as you suggested (default) and it generated id_rsa and id_rsa.pub. I put the .pub key into ~/.ssh/authorized_hosts on the remote machine. I am now prompted with the following everytime:

Davids-MacBook-Pro:~/.ssh dstites$ ssh lore.cs.purdue.edu
Enter passphrase for key '/Users/dstites/.ssh/id_rsa':

For reference, my username on both machines are the same so I wouldn't need to specify username@host.

Reply

Answer 8

Bill Scott

Level 6

11,459 points

Jul 8, 2007 8:33 PM in response to David Stites

Here is how I did it

Reply

Answer 9

Jun T.

Level 4

2,185 points

Jul 8, 2007 10:04 PM in response to David Stites

Enter passphrase for key '/Users/dstites/.ssh/id_rsa':

When you ran ssh-keygen, you should have got the following prompt:
<pre>
Enter passphrase (empty for no passphrase):</pre>
If you have entered any passphrase here, then you should enter the same passphrase every time you ssh using id_rsa; this is good for security but rather inconvenient. If you had just hit Enter (empty passphrase) then you should be able to ssh without entering any passphrase.

PS
Please make sure that not only the .ssh directory but also your home directory is writable only by you.

PowerMacG4, PowerBookG4, iMac(C2D) Mac OS X (10.4.9)

Reply

Answer 10

David Stites Author

Level 1

55 points

Jul 9, 2007 11:04 AM in response to Jun T.

That solved it. If I take my laptop to work, would I need to create a new key because it is a new address?

Reply

Answer 11

Jul 9, 2007 11:23 AM in response to Jun T.

There are at least two applications available that will save the id_rsa passphrase on the OS X keychain. You can have a passphrase, but you won't have to type it while your keychain is unlocked. Search versiontracker or macupdate for SSH Agent or SSHKeychain.

Reply

Answer 12

j.v.

Level 5

4,155 points

Jul 9, 2007 5:39 PM in response to David Stites

No. The id_dsa file on the laptop and id_dsa.pub file on the server act just like PGP public and private keys for validating the authenticity of the client initiating the ssh connection. They care not about from which IP address the client is from.

IF the IP address of the server should ever change (i.e., DHCP-assigned), the client will get a warning message but it will let you go ahead and connect.

Reply

Answer 13

Jul 10, 2007 6:20 PM in response to Bill Scott

Yeah, I also copy my public keys into authorized_keys2 rather than authorized_keys without knowing if it makes a difference.

Reply

Answer 14

j.v.

Level 5

4,155 points

Jul 10, 2007 7:34 PM in response to Ken Nellis

I believe that authorized_keys2 is for dsa public keys (ssh protocol 2) and authorized_keys is for rsa public keys (ssh protocol 1)

Reply