Solved ssh key-only authorization.

Hello.
How to enable SSH authentication using only a key?
My system FreeBSD 14.3
Code:
Port 22555
ListenAddress 6.4.1.9
PermitRootLogin yes
AuthorizedKeysFile    .ssh/authorized_keys
PasswordAuthentication no
GatewayPorts no
X11Forwarding no
ClientAliveInterval 230
ClientAliveCountMax 30
UseDNS no
Subsystem    sftp    /usr/libexec/sftp-server
This is how SSH is currently configured.
Two authentication methods are available: password and key.
How can I create a key-only login?
 
You already have 'PasswordAuthentication no' ? You should be there... did you restart sshd on the target? You need 'PubkeyAuthentication yes', although I think that is the default anyhow...
 
Take note of some defaults, PasswordAuthentication defaults to 'no', so setting it explicitly to 'no' doesn't change anything.

Code:
     PasswordAuthentication
             Specifies whether password authentication is allowed.  Note that
             passwords may also be accepted via KbdInteractiveAuthentication.
             See also UsePAM.  The default is no.
Code:
     KbdInteractiveAuthentication
             Specifies whether to allow keyboard-interactive authentication.
             All authentication styles from login.conf(5) are supported.  The
             default is yes.  The argument to this keyword must be yes or no.
             ChallengeResponseAuthentication is a deprecated alias for this.
Code:
     UsePAM  Enables the Pluggable Authentication Module interface.  If set to
             yes this will enable PAM authentication using
             KbdInteractiveAuthentication and PasswordAuthentication in
             addition to PAM account and session module processing for all
             authentication types.

             Because PAM keyboard-interactive authentication usually serves an
             equivalent role to password authentication, you should disable
             either PasswordAuthentication or KbdInteractiveAuthentication.

             If UsePAM is enabled, you will not be able to run sshd(8) as a
             non-root user.  The default is yes.
sshd_config(4)
 
These are the mods I use to the standard sshd_config file:
Code:
# We need to allow root login for rsnapshot backup server
PermitRootLogin prohibit-password
# We want login via ssh with keys only...
PasswordAuthentication no
ChallengeResponseAuthentication no
 
These are the mods I use to the standard sshd_config file:
Code:
# We need to allow root login for rsnapshot backup server
PermitRootLogin prohibit-password
# We want login via ssh with keys only...
PasswordAuthentication no
ChallengeResponseAuthentication no
Yes that's what I've got, I just checked. I checked my linux box too (debian), I noticed the sshd package appears to have KbdInteractiveAuthentication set to 'no', whereas on freebsd after a fresh install it's commented out so defaults to 'yes'. Although I may have set it to no on that debian box some time in the past and forgotten about it. I usually set them both to no.
 
First generate your user's public key, on the client machine: cd to the user's home directory and run:-

$ ssh-keygen -t rsa

Then scp (or otherwise copy) the ~/.ssh/id_rsa.pub file that was just generated (which is your public key) to the home directory on the server of the user you intend to ssh to the target as. Log in to the server as that user, and
$ cat id_rsa.pub >> .ssh/authorized_keys
so that you end up with the text of your client machine public key appended to the ~/.ssh/authorized_keys file of the user on the server.
You can cat .ssh/authorized_keys and compare with the contents of id_rsa.pub to make sure it worked; they are both just text files.
Finally delete the user's id_rsa.pub file on the server.

Then on the server machine, as root, edit /etc/ssh/sshd_config and set PasswordAuthentication and KbdInteractiveAuthentication both to 'no', and set PubkeyAuthentication to 'yes'. Then restart sshd on the server, eg
# service sshd restart
so that sshd on the server reads the changed configuration you just wrote in /etc/ssh/sshd_config.

Then go back to the client and
$ ssh -p 22555 user@server
which should give you a login shell on the server, using key authentication, ie you should not be asked for a password.
If you omit the -p argument it will try to connect on port 22 by default.

Notes
1. To debug or check it's working correctly, you can use the -v flag to the ssh client to give you some trace. If you say -vv you will get more verbose trace.
2. Check that you have opened the port sshd is listening to (22555 in your case) on the server in the server's firewall rules, or temporarily disable the server firewall to test it.
3. You can preset the port value in ~/.ssh/config on the client by adding lines like
Host server
<tab> port 22555
which makes it unnecessary to say '-p 22555' every time you ssh from the client to the server.

Homework: investigate whether there are better encryption algorithms than rsa that you can use instead of rsa (hint: there are, but get it working with rsa first so you understand how it works).
 
In my sshd_config the only changes I made:

AuthenticationMethods publickey
KbdInteractiveAuthentication no
UsePAM no


Password is set to no by default but right above it says "# Note that passwords may also be accepted via KbdInteractiveAuthentication."
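
The replies above come down to `PasswordAuthentication no` not being enough while `KbdInteractiveAuthentication` is left at its default. As an added example (not part of any post in this thread), the shell function below audits the effective settings that `sshd -T` prints; the two sample listings are constructed, and the names `opt` and `audit_key_only` are hypothetical.

```shell
#!/bin/sh
# Audit effective sshd settings (the lowercase "keyword value" lines
# printed by `sshd -T`) for key-only login.

# Constructed sample: the question's config, with unset options at the
# defaults quoted in the thread (KbdInteractiveAuthentication yes, UsePAM yes).
SAMPLE_QUESTION='port 22555
permitrootlogin yes
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication yes
usepam yes
authenticationmethods any'

# Constructed sample: the same config after the change suggested in the replies.
SAMPLE_FIXED='port 22555
permitrootlogin prohibit-password
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
usepam yes
authenticationmethods any'

# opt KEYWORD CONFIG: print the value of KEYWORD (empty if absent).
opt() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# audit_key_only CONFIG: print one finding per line, return 1 if any.
audit_key_only() {
    out=""
    [ "$(opt pubkeyauthentication "$1")" = yes ] ||
        out="${out}pubkeyauthentication is not yes: keys cannot be used
"
    # "AuthenticationMethods publickey" on its own already forces key-only login.
    if [ "$(opt authenticationmethods "$1")" != publickey ]; then
        [ "$(opt passwordauthentication "$1")" = no ] ||
            out="${out}passwordauthentication is not no
"
        [ "$(opt kbdinteractiveauthentication "$1")" = no ] ||
            out="${out}kbdinteractiveauthentication is not no: passwords may still be accepted
"
    fi
    printf '%s' "$out"
    [ -z "$out" ]
}
# On a live server (as root): audit_key_only "$(sshd -T)"
audit_key_only "$SAMPLE_QUESTION" || echo "=> not key-only"
audit_key_only "$SAMPLE_FIXED" && echo "=> key-only"
```

Because `sshd -T` prints the settings sshd would actually use, defaults included, the check also catches options that are only commented out in `/etc/ssh/sshd_config`.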
 
Hello.
How to enable SSH authentication using only a key?
My system FreeBSD 14.3
Code:
Port 22555
ListenAddress 6.4.1.9
PermitRootLogin yes
AuthorizedKeysFile    .ssh/authorized_keys
PasswordAuthentication no
GatewayPorts no
X11Forwarding no
ClientAliveInterval 230
ClientAliveCountMax 30
UseDNS no
Subsystem    sftp    /usr/libexec/sftp-server
This is how SSH is currently configured.
Two authentication methods are available: password and key.
How can I create a key-only login?
Did you also ssh-keygen then add the necessary public key into ~/.ssh/authorized_keys?
 