I have set up SSH on my Linux box. I ran the genkey command to create my rsa1, rsa and dsa keys. I edited the sshd_config file and made the following entries:
sshd_config
# Explicitly set who can and who can not login by way of ssh
AllowGroups users
AllowUsers dabeast
# Everything that isn't above
DenyGroups root bin daemon sys adm tty disk lp mem kmem wheel floppy mail news uucp man games slocate utmp smmsp mysql rpc sshd shadow ftp nogroup console xcdwrite
DenyUsers root bin daemon adm lp sync shutdown halt mail news uucp operator games ftp smmsp mysql rpc sshd nobody test guest user admin apache www wwwrun httpd
When I connect using PuTTY I can put in my login name: dabeast, and then when I attempt to put my password in it says access denied and cuts off. Any ideas?
Last edited by metallica1973; 08-11-2005 at 05:45 PM.
Get anything in your logfiles that might narrow it down? SSHD or PAM messages?
What about commenting out the AllowGroups/DenyGroups AllowUsers/DenyUsers statements: does it work then? Also, why are you using both Groups and Users, wouldn't one be sufficient?
Additionally, if you are IN (supplementary group) any of the DenyGroups, it WILL deny you.
By the way, I have a group on my box called "sshusers". I have "AllowGroups sshusers" and add users to that group as needed. All other users are automatically denied, by this action.
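How the four directives discussed above interact, as an added example that is not part of any post in this thread: a simplified Python model of the processing order given in sshd_config(5) (DenyUsers, AllowUsers, DenyGroups, AllowGroups), where every directive that is set must pass. The group memberships tried at the bottom are constructed, the Deny lists are shortened from the first post, and USER@HOST and negated patterns are not modelled.

```python
# Added example: simplified model of sshd's user/group access directives.
from fnmatch import fnmatchcase

# Order in which sshd_config(5) says the directives are processed.
DIRECTIVES = ("DenyUsers", "AllowUsers", "DenyGroups", "AllowGroups")

# Entries from the first post; the two Deny lists are shortened here.
THREAD_CONFIG = """
# Explicitly set who can and who can not login by way of ssh
AllowGroups users
AllowUsers dabeast
DenyGroups root bin daemon sys adm wheel
DenyUsers root bin daemon adm test guest
"""

def parse_access_rules(config_text):
    """Collect the four access directives from sshd_config text."""
    rules = {name: [] for name in DIRECTIVES}
    for line in config_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        for name in DIRECTIVES:
            if parts[0].lower() == name.lower():  # keywords are case-insensitive
                rules[name].extend(parts[1:])
    return rules

def _matches(patterns, names):
    # '*' and '?' wildcards only; USER@HOST and '!' negation are not modelled.
    return any(fnmatchcase(n, p) for p in patterns for n in names)

def check_login(rules, user, groups):
    """Return (allowed, deciding_directive); groups = primary + supplementary."""
    if _matches(rules["DenyUsers"], [user]):
        return False, "DenyUsers"
    if rules["AllowUsers"] and not _matches(rules["AllowUsers"], [user]):
        return False, "AllowUsers"
    if _matches(rules["DenyGroups"], groups):
        return False, "DenyGroups"
    if rules["AllowGroups"] and not _matches(rules["AllowGroups"], groups):
        return False, "AllowGroups"
    return True, "allowed"

if __name__ == "__main__":
    rules = parse_access_rules(THREAD_CONFIG)
    # Constructed group memberships for the same account name.
    for groups in (["users"], ["users", "wheel"], ["dabeast"]):
        print(groups, check_login(rules, "dabeast", groups))
```

On a real host, compare the output of `id <user>` against the DenyGroups and AllowGroups lists to see which directive decides.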
I have disabled PAM. My other question is about sshd_config: if I wanted to change the port that ssh runs on, would I just do it in there, and/or would I also have to change it in /etc/services?
The last step for it to work, is to add them to pageant. That will allow putty to automatically use your user's public key when connecting to your server.
Hope this helps,
Garry
ps. If you generated your user's keys without a "password", you can connect via ssh using keypair authentication only (no need to enter any password). To do that, you just need to add the following to sshd_config:
Code:
PasswordAuthentication no
If that is what you want, it's probably simplest to do this part last.
Don't forget to restart your sshd daemon after editing the config file.
pageant comes with putty. Its role is (more or less) to automatically provide the public key to putty (or pftp, etc) when connecting to a ssh server that requests a public key. When you run it, it sits in your system tray. Just double-click on the icon and choose "add key". The rest is self-explanatory...
The Pageant agent is asking me for a PuTTY *ppk file. How can I convert the *pub file into that format? I am at work using a Windows machine trying to connect to my Linux box!
Is my id_rsa.pub the public key that I need to convert to PuTTY format in order to be able to use Pageant? I was reading a little bit about ssh2 format and they are different for different programs like PuTTY, OpenSSH, etc. Please clarify! Thanks
Yes, I forgot that you have to convert your user's .pub file to a .ppk. This is possible with puttygen (also part of the putty* tools).
Then you run pageant and add the file (you'll have to do this each time unless you create a shortcut that automatically opens the .ppk keyfile). This should do the trick:
Code:
"C:\<folder where you unzipped putty>\pageant.exe" <server>.ppk
From there on, it's smooth sailing (I promise). I just copied the pageant shortcut into my startup folder so it's always in the system tray.
I'm even thinking I don't really need a keyboard/monitor connected to my linux box anymore. Found I switch the KVM over to it much less frequently now that SSH is working.
It still doesn't work. Answer me one question! Have you seen this happen before, where you type in the user name and then swoosh, everything disappears? Is this the authentication doing this?
When I generated my keys I placed them in etc/ssh directory. Should I copy my ID_RSA.PUB key to the ~/.ssh/authorized_key, and does ~ mean your root or is that a separate folder somewhere in cyberspace? Also, is authorized_key a file or a folder, and if it is a file do I just add the path of my ID_RSA.PUB file inside of authorized_key file? I am a little confused!
Well, I believe putty shuts the window. I'm pretty sure it happened to me before I correctly imported the keys in pageant. Check your ssh logs (I can't remember if the default place is /var/log/syslog or /var/log/messages, but it should be clear if you look at the end of the files, i.e. tail <file>).
The location of the keys is one of the questions I attempted to clarify in my 1st post under this subject. There are 2 sets of keys -- one for the server (in /etc/ssh) and one for the user (in ~/.ssh). Notice the "." (period). And "~" means the user's home directory (if you're logged in as root, it's /root; if a user, it'll be /home/<user>). I would not use the same keys for the server and for the user. That's a very bad idea. Plus it defeats the purpose of key authentication.
oh. forgot to clarify. authorized_keys is a file. You can just copy the id_rsa.pub file to the same folder as I mentioned above:
Code:
cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
It's a good idea to re-generate the server's keys (as you've already done). Just create a .ssh folder in your /home directory and do it for your user too. (Specifying a passphrase is optional; really a matter of preference.) Then you copy the /home/user/.ssh/*.pub file into a file called authorized_keys. Also copy that .pub file to your windows machine, import it into puttygen, and save the .ppk file. Then you can open that with pageant and run putty. It may prompt you for the user name, but if you disabled login and didn't specify a passphrase, that should be it. Also, you can set a default username to use in putty.