LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 08-11-2005, 05:43 PM   #1
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Rep: Reputation: 60
SSH connectivity


I have set up SSH on my Linux box. I ran the genkey command to create my rsa1, rsa and dsa keys. I edited the sshd_config file and made the following entries: sshd_config

# Explicitly set who can and who can not login by way of ssh
AllowGroups users
AllowUsers dabeast

# Everything that isn't above

DenyGroups root bin daemon sys adm tty disk lp mem kmem wheel floppy mail news uucp man games slocate utmp smmsp mysql rpc sshd shadow ftp nogroup console xcdwrite

DenyUsers root bin daemon adm lp sync shutdown halt mail news uucp operator games ftp smmsp mysql rpc sshd nobody test guest user admin apache www wwwrun httpd

When I connect using PuTTY I can put in my login name, dabeast, and then when I attempt to put my password in it says access denied and cuts off. Any ideas?

Last edited by metallica1973; 08-11-2005 at 05:45 PM.
 
Old 08-11-2005, 07:11 PM   #2
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
Get anything in your logfiles that might narrow it down? SSHD or PAM messages?

What about commenting out the AllowGroups/DenyGroups AllowUsers/DenyUsers statements: does it work then? Also, why are you using both Groups and Users, wouldn't one be sufficient?

Additionally, if you are IN (supplementary group) any of the DenyGroups, it WILL deny you.
 
Old 08-11-2005, 07:19 PM   #3
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
By the way, I have a group on my box called "sshusers". I have "AllowGroups sshusers" and add users to that group as needed. All other users are automatically denied by this action.
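Added example (not code from any poster in this thread): a small simulation of the order in which sshd evaluates the four allow/deny directives, run against a constructed fragment modelled on the original poster's sshd_config and against the single-group setup Matir describes. sshd_config(5) processes DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups, and a login must pass every directive that is present; the group directives are matched against the primary group and every supplementary group, so one DenyGroups hit (wheel, say) rejects the user even though both AllowUsers and AllowGroups list him, and sshd then fails every authentication attempt for that user. Assumptions: only the user-name part of a pattern is considered (no user@host form), and the shortened DenyGroups/DenyUsers lists and the sample group memberships are constructed.

```python
"""Simulate sshd's evaluation of AllowUsers/DenyUsers/AllowGroups/DenyGroups
(constructed example, not code from this thread).

Order per sshd_config(5): DenyUsers, AllowUsers, DenyGroups, AllowGroups.
Group directives see the primary group and all supplementary groups.
Assumption: patterns are plain names or '*'/'?' wildcards; the user@host
form is not handled here.
"""
from fnmatch import fnmatchcase

# Constructed fragment modelled on the original poster's sshd_config
# (the long DenyGroups/DenyUsers lists are shortened).
THREAD_CONFIG = """
AllowGroups users
AllowUsers dabeast
DenyGroups root bin daemon sys adm wheel floppy mail
DenyUsers root bin daemon adm nobody test guest
"""

# Matir's alternative: one dedicated group and nothing else.
SSHUSERS_CONFIG = """
AllowGroups sshusers
"""

DIRECTIVES = ("DenyUsers", "AllowUsers", "DenyGroups", "AllowGroups")


def parse_rules(text):
    """Return {directive: [patterns]} for the four allow/deny directives."""
    rules = {d: [] for d in DIRECTIVES}
    by_lower = {d.lower(): d for d in DIRECTIVES}  # keywords are case-insensitive
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = by_lower.get(parts[0].lower())
        if key and len(parts) == 2:
            rules[key].extend(parts[1].split())
    return rules


def _matches(name, patterns):
    return any(fnmatchcase(name, p) for p in patterns)


def sshd_allows(rules, user, groups):
    """Evaluate the directives in sshd's order; return (allowed, reason)."""
    if _matches(user, rules["DenyUsers"]):
        return False, "DenyUsers matches %s" % user
    if rules["AllowUsers"] and not _matches(user, rules["AllowUsers"]):
        return False, "AllowUsers is set and does not list %s" % user
    denied = [g for g in groups if _matches(g, rules["DenyGroups"])]
    if denied:
        return False, "DenyGroups matches group(s): %s" % ", ".join(denied)
    if rules["AllowGroups"] and not any(_matches(g, rules["AllowGroups"]) for g in groups):
        return False, "AllowGroups is set and lists none of: %s" % ", ".join(groups)
    return True, "all allow/deny directives passed"


if __name__ == "__main__":
    thread = parse_rules(THREAD_CONFIG)
    # dabeast in 'users' only passes; add a supplementary 'wheel' membership
    # and DenyGroups rejects him before AllowGroups is even consulted.
    for groups in (["users"], ["users", "wheel"]):
        print("dabeast", groups, "->", sshd_allows(thread, "dabeast", groups))
    simple = parse_rules(SSHUSERS_CONFIG)
    print("alice ->", sshd_allows(simple, "alice", ["users", "sshusers"]))
    print("bob   ->", sshd_allows(simple, "bob", ["users"]))
```

To check a real account, compare the reason string with the output of `id dabeast` on the server: every group in that output is a candidate for a DenyGroups match.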
 
Old 08-11-2005, 07:51 PM   #4
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
I have disabled PAM, and my other question is: under sshd_config, if I wanted to change the port that ssh runs on, would I just do it in there, and/or would I also have to change it in /etc/services?
 
Old 08-11-2005, 07:55 PM   #5
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
Only the sshd_config change is necessary.
 
Old 08-11-2005, 07:55 PM   #6
major.tom
Member
 
Registered: Jun 2003
Location: Canada
Distribution: Slackware (current); Gentoo (newbie)
Posts: 142

Rep: Reputation: 15
Yes, check /var/log/messages and/or /var/log/syslog to see what's going on.

I would advise against rsa1. Do you have a line like the following in sshd_config?

Code:
Protocol 2
When you say you generated your keys, do you mean the server keys (in /etc/ssh) or user keys (in /home/dabeast/.ssh/)?

I believe that if you want to do key authentication, you need the following lines in /etc/ssh/sshd_config:

Code:
HostKey /etc/ssh/ssh_host_rsa_key
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
It's also a good idea to specify (in sshd_config):

Code:
PermitRootLogin no
Then you'll have to copy your user's public key(s) into authorized_keys

Code:
cp /home/dabeast/.ssh/id_rsa.pub /home/dabeast/.ssh/authorized_keys
The last step for it to work is to add them to pageant. That will allow putty to automatically use your user's public key when connecting to your server.

Hope this helps,

Garry

ps. If you generated your user's keys without a "password", you can connect via ssh using keypair authentication only (no need to enter any password). To do that, you just need to add the following to sshd_config:

Code:
PasswordAuthentication no
If that is what you want, it's probably simplest to do this part last.

Don't forget to restart your sshd daemon after editing the config file.

Last edited by major.tom; 08-11-2005 at 07:57 PM.
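Added example (not code from any poster in this thread): a small audit of an sshd_config fragment for the settings recommended in the post above (Protocol 2, PermitRootLogin no, PubkeyAuthentication yes, PasswordAuthentication no) that also flags keywords sshd would not recognise. That last check matters because a misspelt keyword is not ignored: sshd reports "Bad configuration option" and refuses to start or restart, which is easy to mistake for an authentication problem. Assumptions: the KNOWN_KEYWORDS list is deliberately limited to the directives this audit cares about (a real audit would use the full sshd_config(5) list), only settings before the first Match block are examined, the first occurrence of a single-valued option wins as it does in sshd, and the two sample fragments are constructed.

```python
"""Audit an sshd_config fragment for the thread's hardening settings and for
misspelt keywords (constructed example, not code from this thread)."""

# Deliberately short keyword list (assumption: real audits use the full set).
KNOWN_KEYWORDS = {k.lower() for k in (
    "Port", "ListenAddress", "Protocol", "HostKey", "PermitRootLogin",
    "PasswordAuthentication", "PubkeyAuthentication", "RSAAuthentication",
    "AuthorizedKeysFile", "AllowUsers", "AllowGroups", "DenyUsers",
    "DenyGroups", "UsePAM", "ChallengeResponseAuthentication", "StrictModes",
)}

# Hardening directives from the thread, keyed in lowercase, with the wanted value.
EXPECTED = {
    "protocol": "2",
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
}


def parse_sshd_config(text):
    """Return (settings, unknown): settings maps a lowercased keyword to its
    first value; unknown lists (line number, keyword) pairs sshd would reject."""
    settings, unknown = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()          # sshd keywords are case-insensitive
        if key == "match":
            break                       # assumption: global section only
        if key not in KNOWN_KEYWORDS:
            unknown.append((lineno, parts[0]))
            continue
        value = parts[1].strip() if len(parts) == 2 else ""
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings, unknown


def audit(text):
    """Return a list of findings; an empty list means the fragment passes."""
    settings, unknown = parse_sshd_config(text)
    findings = ["line %d: unknown keyword %s (sshd would refuse to start)" % (n, k)
                for n, k in unknown]
    for key, wanted in EXPECTED.items():
        got = settings.get(key)
        if got is None:
            findings.append("%s not set (wanted %s)" % (key, wanted))
        elif got.lower() != wanted:
            findings.append("%s is %s (wanted %s)" % (key, got, wanted))
    return findings


# Constructed fragment with two misspelt keywords (an easy slip when typing
# these lines by hand) and PasswordAuthentication left at its default.
POSTED = """
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
RSAAuthentication yes
PubkeyAuthenticaiton yes
AuthorizedKeysFiles .ssh/authorized_keys
PermitRootLogin no
"""

# The corrected fragment, with password logins switched off as well.
FIXED = """
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PermitRootLogin no
PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("fixed", FIXED)):
        print(name + ":", audit(text) or ["ok"])
```

On the server itself, `sshd -t` performs the authoritative syntax check before you restart the daemon; the audit above is useful for reviewing a copy of the file elsewhere and for catching the policy settings sshd itself does not enforce.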
 
Old 08-15-2005, 12:11 PM   #7
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
What is pageant?
 
Old 08-15-2005, 12:28 PM   #8
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
Can you please show me one of your sshd_config files so that I may compare it with mine? Thanks
 
Old 08-15-2005, 03:06 PM   #9
major.tom
Member
 
Registered: Jun 2003
Location: Canada
Distribution: Slackware (current); Gentoo (newbie)
Posts: 142

Rep: Reputation: 15
Pageant comes with PuTTY. Its role is (more or less) to automatically provide the public key to putty (or psftp, etc.) when connecting to an ssh server that requests a public key. When you run it, it sits in your system tray. Just double-click on the icon and choose "add key". The rest is self-explanatory...

Good luck,

Garry
 
Old 08-15-2005, 05:24 PM   #10
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
The Pageant agent is asking me for a PuTTY *.ppk file. How can I convert the *.pub file into that format? I am at work using a Windows machine trying to connect to my Linux box!
 
Old 08-15-2005, 06:02 PM   #11
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
Is my id_rsa.pub the public key that I need to convert to PuTTY format in order to be able to use Pageant? I was reading a little bit about the ssh2 format and it is different for different programs like PuTTY, OpenSSH, etc. Please clarify! Thanks
 
Old 08-15-2005, 07:09 PM   #12
major.tom
Member
 
Registered: Jun 2003
Location: Canada
Distribution: Slackware (current); Gentoo (newbie)
Posts: 142

Rep: Reputation: 15
Yes, I forgot that you have to convert your user's .pub file to a .ppk. This is possible with puttygen (also part of the putty* tools).

Then you run pageant and add the file (you'll have to do this each time unless you create a shortcut that automatically opens the .ppk keyfile). This should do the trick:

Code:
"C:\<folder where you unzipped putty>\pageant.exe" <server>.ppk
From there on, it's smooth sailing (I promise). I just copied the pageant shortcut into my startup folder so it's always in the system tray.

I'm even thinking I don't really need a keyboard/monitor connected to my linux box anymore. Found I switch the KVM over to it much less frequently now that SSH is working.

Good luck,

Garry
 
Old 08-15-2005, 07:14 PM   #13
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
It still doesn't work. Answer me one question! Have you seen this happen before, where you type in the user name and then, swoosh, everything disappears? Is the authentication doing this?
 
Old 08-15-2005, 07:32 PM   #14
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
When I generated my keys I placed them in the /etc/ssh directory. Should I copy my ID_RSA.PUB key to ~/.ssh/authorized_key, and does ~ mean your root or is that a separate folder somewhere in cyberspace? Also, is authorized_key a file or a folder, and if it is a file do I just add the path of my ID_RSA.PUB file inside of the authorized_key file? I am a little confused!
 
Old 08-15-2005, 08:53 PM   #15
major.tom
Member
 
Registered: Jun 2003
Location: Canada
Distribution: Slackware (current); Gentoo (newbie)
Posts: 142

Rep: Reputation: 15
Well, I believe putty shuts the window. I'm pretty sure it happened to me before I correctly imported the keys in pageant. If you check your ssh logs (I can't remember if the default place is /var/log/syslog or /var/log/messages, but it should be clear if you look at the end of the files) (i.e. tail <file>).

The location of the keys is one of the questions I attempted to clarify in my 1st post under this subject. There are 2 sets of keys -- one for the server (in /etc/ssh) and one for the user (in ~/.ssh). Notice the "." (period). And "~" means the user's home directory (if you're logged in as root, it's /root; if a user, it'll be /home/<user>). I would not use the same keys for the server and for the user. That's a very bad idea. Plus it defeats the purpose of key authentication.

oh. forgot to clarify. authorized_keys is a file. You can just copy the id_rsa.pub file to the same folder as I mentioned above:

Code:
cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
It's a good idea to re-generate the server's keys (as you've already done). Just create a .ssh folder in your /home directory and do it for your user too. (Specifying a passphrase is optional; really a matter of preference.) Then you copy the /home/user/.ssh/*.pub file into a file called authorized_keys. Also copy that .pub file to your windows machine, import it into puttygen, and save the .ppk file. Then you can open that with pageant and run putty. It may prompt you for the user name, but if you disabled login and didn't specify a passphrase, that should be it. Also, you can set a default username to use in putty.

Garry

Last edited by major.tom; 08-15-2005 at 08:57 PM.
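Added example (not code from any poster in this thread): installing a public key into ~/.ssh/authorized_keys by appending rather than with the `cp` shown above. `cp id_rsa.pub authorized_keys` is fine for the very first key but overwrites any key installed earlier; authorized_keys holds one key per line, so appending, skipping a key that is already present, is the safe operation. The function also sets the modes sshd expects (0700 on ~/.ssh, 0600 on authorized_keys): with StrictModes at its default of yes, sshd ignores the file when it or its directory is writable by other users, which produces exactly the "key auth silently does nothing" symptom. Assumptions: the key material in the demo is a constructed placeholder, not a real key, and lines in authorized_keys are assumed to start with the key type (lines carrying leading options such as command="..." are not handled).

```python
"""Append a public key to ~/.ssh/authorized_keys without clobbering existing
keys, and set the permissions sshd's StrictModes check requires
(constructed example, not code from this thread)."""
import os
import stat
import tempfile


def key_identity(line):
    """Key type and base64 blob of one .pub / authorized_keys line, comment
    dropped. Assumption: no leading options field on the line."""
    parts = line.split()
    return tuple(parts[:2]) if len(parts) >= 2 else None


def install_pubkey(pubkey_path, home_dir):
    """Install the key in pubkey_path for the account whose home is home_dir.
    Returns 'installed' or 'already installed'."""
    ssh_dir = os.path.join(home_dir, ".ssh")
    auth_keys = os.path.join(ssh_dir, "authorized_keys")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)            # StrictModes: not group/world writable

    with open(pubkey_path) as f:
        new_line = f.read().strip()
    new_id = key_identity(new_line)
    if new_id is None:
        raise ValueError("%s does not look like an OpenSSH public key" % pubkey_path)

    existing = set()
    if os.path.exists(auth_keys):
        with open(auth_keys) as f:
            existing = {key_identity(l) for l in f
                        if l.strip() and not l.startswith("#")}
    if new_id in existing:
        return "already installed"

    with open(auth_keys, "a") as f:     # append: earlier keys survive
        f.write(new_line + "\n")
    os.chmod(auth_keys, 0o600)
    return "installed"


def demo():
    """Install the same constructed key twice in a scratch directory.
    Returns (first result, second result, line count, file mode)."""
    scratch = tempfile.mkdtemp()
    pub = os.path.join(scratch, "id_rsa.pub")
    with open(pub, "w") as f:           # constructed placeholder, not a real key
        f.write("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed== dabeast@example\n")
    home = os.path.join(scratch, "home")
    first = install_pubkey(pub, home)
    second = install_pubkey(pub, home)
    auth_keys = os.path.join(home, ".ssh", "authorized_keys")
    with open(auth_keys) as f:
        lines = f.read().count("\n")
    mode = stat.S_IMODE(os.stat(auth_keys).st_mode)
    return first, second, lines, mode


if __name__ == "__main__":
    first, second, lines, mode = demo()
    print(first, "/", second, "/", lines, "line(s) /", oct(mode))
```

Run it as the user who will log in (so the files are owned by that account), or pass that user's home directory and fix ownership afterwards; sshd also refuses authorized_keys owned by anyone but the user or root.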
 