sshd question
Beech Rintoul
akbeech at gmail.com
Fri Jan 20 04:28:13 PST 2006
On Thursday 19 January 2006 22:57, Matthew Seaman wrote:
> Peter wrote:
> > --- Beech Rintoul <akbeech at gmail.com> wrote:
> >> I'm trying to set up ssh to use keys to authenticate on a remote server.
> >> I've
> >> always used passwords in the past. I generated a key pair and exported
> >> my
> >> public key to ~/.ssh/authorized_keys on the remote machine. I changed
> >> sshd_config to "PasswordAuthentication no". when I login the remote
> >> machine
> >> still asks for a password. What do I change to just use the key to log
> >> in?
> >
> > I'm assuming you do not want to enter anything to log in right? If so,
> > you need a private key with a blank passphrase. It's hard to say from
> > here but it may be that you are being prompted for the passphrase to
> > unlock your private key.
>
> No, no, no. ssh keys with out pass-phrases are a liability. It really is
> a bad idea to do that.
>
> What the OP should do instead is use ssh-agent -- I fire it up from
> .xsession when I log into my desktop. Then load your key into the agent:
>
> ssh-add ~/.ssh/id_dsa
>
> which will require you to give the pass phrase. However, that's the one
> and only time you'll need to do that.
>
> Then when you ssh into a box, it should auth against your key
> automatically. If you take care to always use the '-A' flag when you ssh
> in:
>
> ssh -A hostname
>
> then you can bounce through several machines, and the auth requests will be
> relayed back to the ssh-agent on your desktop.[*]
>
> Cheers,
>
> Matthew
>
> [*] Agent forwarding is off by default in /etc/ssh/ssh_config (client side)
> but permitted in /etc/ssh/sshd_config (server side) -- but the -A flag
> overrides the client settings.
Thanks, my original problem was solved by just starting over with a new key
pair. Must of had a bad key. I ran debug on the server and it said it
couldn't read it even though it was there. I'll try the agent today. It'll
require adding a pass-phrase to the key, but that's no problem now that I
know all the configs are good. I really don't mind the final default to a
password. I just hate to type it all the time. I'm using a long very cryptic
pass and it gets tedious to have to enter it several times.
Thanks everyone for the help and suggestions,
Beech
--
---------------------------------------------------------------------------------------
Beech Rintoul - System Administrator - akbeech at gmail.com
/"\ ASCII Ribbon Campaign | NorthWind Communications
\ / - NO HTML/RTF in e-mail | 201 East 9Th Avenue Ste.310
X - NO Word docs in e-mail | Anchorage, AK 99501
/ \ - Please visit Alaska Paradise - http://akparadise.byethost33.com
---------------------------------------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20060120/dc19552f/attachment.bin
More information about the freebsd-questions
mailing list