sshd question

Fri Jan 20 04:28:13 PST 2006

On Thursday 19 January 2006 22:57, Matthew Seaman wrote:
> Peter wrote:
> > --- Beech Rintoul <akbeech at gmail.com> wrote:
> >> I'm trying to set up ssh to use keys to authenticate on a remote server.
> >> I've
> >> always used passwords in the past. I generated a key pair and exported
> >> my
> >> public key to ~/.ssh/authorized_keys on the remote machine. I changed
> >> sshd_config to "PasswordAuthentication no". when I login the remote
> >> machine
> >> still asks for a password. What do I change to just use the key to log
> >> in?
> >
> > I'm assuming you do not want to enter anything to log in right?  If so,
> > you need a private key with a blank passphrase.  It's hard to say from
> > here but it may be that you are being prompted for the passphrase to
> > unlock your private key.
>
> No, no, no.  ssh keys with out pass-phrases are a liability.  It really is
> a bad idea to do that.
>
> What the OP should do instead is use ssh-agent -- I fire it up from
> .xsession when I log into my desktop.  Then load your key into the agent:
>
>     ssh-add ~/.ssh/id_dsa
>
> which will require you to give the pass phrase.  However, that's the one
> and only time you'll need to do that.
>
> Then when you ssh into a box, it should auth against your key
> automatically.  If you take care to always use the '-A' flag when you ssh
> in:
>
>     ssh -A hostname
>
> then you can bounce through several machines, and the auth requests will be
> relayed back to the ssh-agent on your desktop.[*]
>
> 	Cheers,
>
> 	Matthew
>
> [*] Agent forwarding is off by default in /etc/ssh/ssh_config (client side)
> but permitted in /etc/ssh/sshd_config (server side) -- but the -A flag
> overrides the client settings.

Thanks, my original problem was solved by just starting over with a new key 
pair. Must of had a bad key. I ran debug on the server and it said it 
couldn't read it even though it was there. I'll try the agent today. It'll 
require adding a pass-phrase to the key, but that's no problem now that I 
know all the configs are good. I really don't mind the final default to a 
password. I just hate to type it all the time. I'm using a long very cryptic 
pass and it gets tedious to have to enter it several times.

Thanks everyone for the help and suggestions,

Beech

-- 

---------------------------------------------------------------------------------------
Beech Rintoul - System Administrator - akbeech at gmail.com
/"\   ASCII Ribbon Campaign  | NorthWind Communications
\ / - NO HTML/RTF in e-mail  | 201 East 9Th Avenue Ste.310
 X  - NO Word docs in e-mail | Anchorage, AK 99501
/ \  - Please visit Alaska Paradise - http://akparadise.byethost33.com
---------------------------------------------------------------------------------------

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20060120/dc19552f/attachment.bin