Alright, I have read many, many articles and followed a few different tutorials and I can not get my RSA key to work on my CentOS servers. The servers are running CentOS 6.5 with FreePBX on them, and I am trying to get this to work from my Ubuntu VM on my laptop so we can build a central server to ssh from, so I can run scripts to change things on all servers with minimal work since we have over 70 of these servers so far and rising quickly, but it won't work. I have starred out some of the log, but those parts don't need to be displayed on the public internet; the user is the root user (not just a sudoer but the root user).

mitch@ubuntu:~$ ssh -v ******@*******.com
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to ********.com [***.***.***.***] port 22.
debug1: Connection established.
debug1: identity file /home/mitch/.ssh/id_rsa type 1
debug1: identity file /home/mitch/.ssh/id_rsa-cert type -1
debug1: identity file /home/mitch/.ssh/id_dsa type 2
debug1: identity file /home/mitch/.ssh/id_dsa-cert type -1
debug1: identity file /home/mitch/.ssh/id_ecdsa type -1
debug1: identity file /home/mitch/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/mitch/.ssh/id_ed25519 type -1
debug1: identity file /home/mitch/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA ************************************************
debug1: Host '*********.com' is known and matches the RSA host key.
debug1: Found key in /home/mitch/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available

debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available

debug1: Unspecified GSS failure.  Minor code may provide more information


debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available

debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/mitch/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Offering DSA public key: /home/mitch/.ssh/id_dsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/mitch/.ssh/id_ecdsa
debug1: Trying private key: /home/mitch/.ssh/id_ed25519
debug1: Next authentication method: password
******@************.com's password: 
  • Your client offered `/home/mitch/.ssh/id_rsa` and `.../id_dsa` to the server, but the server didn't accept them. You'll need to troubleshoot this on the server. What did you do to the server for it to accept these keys? – Kenster Oct 05 '14 at 19:19
  • I put the keys in the `~/.ssh/authorized_keys` and did a `chmod 700 /.ssh` and a `chmod 600 /.ssh/authorized_keys`. I tried running `restorecon -Rv ~/.ssh`. I also tried copying the keys to `etc /etc/ssh/ssh_known_hosts` as recommended by /etc/ssh/sshd_config even though that directory did not exist. – schee77mr Oct 05 '14 at 19:23
  • Check the logs on the server. – Michael Hampton Oct 05 '14 at 19:32
  • `Oct 5 15:40:56 sp69 sshd[16774]: Authentication refused: bad ownership or modes for directory /home/******` and that directory shows `drwxr-xr-x 3 503` – schee77mr Oct 05 '14 at 19:48
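The sshd log line in the last comment is the StrictModes check refusing the key because the home directory is owned by uid 503 rather than by the login user (root). As an added example, not part of the question or its comments, this POSIX sh checker reproduces the ownership and mode checks sshd applies to the home directory, ~/.ssh and authorized_keys; it assumes GNU coreutils stat (Linux).

```shell
#!/bin/sh
# Added example, not from the question or its comments: reproduce the checks
# sshd applies under StrictModes (the default) before it trusts a key. Each of
# the home directory, ~/.ssh and authorized_keys must be owned by the login
# user or root and must not be group- or world-writable. The log line in the
# comments ("bad ownership or modes for directory /home/...", with the
# directory listed as "drwxr-xr-x 3 503") is this check failing on ownership:
# the directory belongs to uid 503, but the login user is root (uid 0).
# Assumes GNU coreutils stat (Linux).

# check_path PATH EXPECTED_UID: print one diagnostic per problem and return 1
# if sshd would refuse this path.
check_path() {
    path=$1; want_uid=$2
    [ -e "$path" ] || { echo "MISSING: $path"; return 1; }
    uid=$(stat -c %u "$path")     # numeric owner
    mode=$(stat -c %a "$path")    # octal permission bits, e.g. 755
    rc=0
    if [ "$uid" != "$want_uid" ] && [ "$uid" != 0 ]; then
        echo "BAD OWNER: $path is owned by uid $uid, expected $want_uid (or 0)"
        rc=1
    fi
    # 022 = group-write | world-write; either bit set means refusal
    if [ $((0$mode & 022)) -ne 0 ]; then
        echo "BAD MODE: $path is group- or world-writable (mode $mode)"
        rc=1
    fi
    return $rc
}

# check_authorized_keys_path HOME_DIR EXPECTED_UID: walk the three paths the
# StrictModes check covers and return 1 if any of them would be refused.
check_authorized_keys_path() {
    home=$1; want_uid=$2
    status=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_path "$p" "$want_uid" || status=1
    done
    return $status
}
```

Run it on the server as `check_authorized_keys_path /home/<user> "$(id -u <user>)"` (or `/root 0`); the fix for the case in the comments is `chown` of the home directory, not another `chmod`.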

1 Answer

Sorry in advance for my English, as it's not my first language :)

First, mount your remote shared folder, for example, in /root/.ssh/

Still on your central server, create your keys like this:

ssh-keygen -t rsa -C "user@remotehost"

It will ask you the following:

Generating public/private rsa key pair. Enter file in which to save the key (/home/username/.ssh/id_rsa):

Type something like:

/root/.ssh/NameOfSSHKeyFile

I strongly suggest you choose a strong password, different for each key. Use a good local password manager.

In order to log in using the ssh key, ON THE REMOTE SERVER you need to add your public key in this file:

/root/.ssh/authorized_keys

The public key is usually in the ~/.ssh/ folder, and the file extension is .pub (so should be /root/.ssh/NameOfSSHKeyFile.pub if you followed my examples)

Then, chmod the files:

chmod 400 ~/.ssh/*

If it still doesn't work:

Seems like you may need to add the key to your ssh wallet. It only searched for your ssh key in these files:

debug1: identity file /home/mitch/.ssh/id_rsa type 1
debug1: identity file /home/mitch/.ssh/id_rsa-cert type -1
debug1: identity file /home/mitch/.ssh/id_dsa type 2
debug1: identity file /home/mitch/.ssh/id_dsa-cert type -1
debug1: identity file /home/mitch/.ssh/id_ecdsa type -1
debug1: identity file /home/mitch/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/mitch/.ssh/id_ed25519 type -1
debug1: identity file /home/mitch/.ssh/id_ed25519-cert type -1

...but it didn't find it.

Let's add the key to the wallet then:

ssh-add .ssh/NameOfSSHKeyFile

Voilà :)

Oh! and for better security:

ssh-add -D

...is going to remove the keys from your wallet. Please use it:

You are always better off doing this after each intervention.

And don't forget, once you have created the .pub file, you no longer need to keep it on your central server: the .pub key file needs to be on the remote server only.

Delete it once it's in the authorized_keys file on the remote server.

You can also restrict your ssh keys per IP. On the remote server, in /root/.ssh/authorized_keys, you can add from="" to restrict usage of your key on a per-IP basis.

It would give something like:

from="CENTRAL-SERVER-IP-ADDRESS" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHvpIcRLrfmdRb+cK48ooYYLNddaayE5hG5KmHsASKork/T1MvRB3WQJOvJetkM2v7H2G76w90Gr5QpbBhCAD2BqOpIeUKo+npmmUASn48QUs4YzhYbkyRwGWOfrYiKl8oBk2ZXcEV6cL1bHH96OMrozKjrMer6JddvJEAqEEJjny0lg5j/raaDpoEXvPE8YM/oQcs64RUJWp3LwmFR8VO/mSLFSFbuulVDALPWICoWZ/VxE7mR9QhNBlY9Afwe//LDtitPg3eG1hoNLBHbxHpjImBt1ZdaQE4w0y4Nh07Q6E8aepYqNJsdFMZJERL58qGOYvnGTweOLZhtYQa+xNF test
  • That would have worked too, it looks like; however, I was trying to keep it out of the root directory.... Now I just have to see if I can mount a shared folder to the machine on a different server that will contain the keys! So I can manage the keys in one place. – schee77mr Oct 05 '14 at 20:02
  • Just mount the shared folder in /root/.ssh – Carl Oct 05 '14 at 20:19
  • ...or any other folder, in fact. If you mount the shared folder in /home for example, then ssh-add /home/path/to/ssh/key – Carl Oct 05 '14 at 20:23
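The answer's two server-side steps, putting the .pub into authorized_keys on each remote server and prefixing it with a from= restriction, as an added POSIX sh example that is not Carl's code: it validates the public key line, adds the from= option and appends the entry only if that key is not already present, so a rollout script can be re-run across all the servers safely. The source IP and key material used by the caller are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original answer: build the from="..."-restricted
# authorized_keys entry the answer describes and install it idempotently, so a
# rollout script re-run against many servers never duplicates a key. The IP
# address and key material used by the caller are constructed placeholders.

# restrict_key PUBKEY_FILE SOURCE_IP: read a one-line OpenSSH public key
# ("type base64 [comment]") and print it prefixed with from=SOURCE_IP, so the
# server only accepts the key for connections coming from that address.
restrict_key() {
    keyfile=$1; src=$2
    read -r ktype kblob kcomment < "$keyfile" || true
    case $ktype in
        ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-*) ;;
        *) echo "not an OpenSSH public key: $keyfile" >&2; return 1 ;;
    esac
    [ -n "$kblob" ] || { echo "no key material in $keyfile" >&2; return 1; }
    printf 'from="%s" %s %s%s\n' "$src" "$ktype" "$kblob" "${kcomment:+ $kcomment}"
}

# install_key PUBKEY_FILE SOURCE_IP AUTHORIZED_KEYS: append the restricted
# entry unless the same key blob is already present. Matching on the blob
# alone means a re-run with a changed comment still adds no second copy.
install_key() {
    keyfile=$1; src=$2; ak=$3
    entry=$(restrict_key "$keyfile" "$src") || return 1
    blob=$(printf '%s' "$entry" | cut -d' ' -f3)   # third field is the base64 key
    touch "$ak" && chmod 600 "$ak"
    if grep -qF -- "$blob" "$ak"; then
        echo "already present in $ak"
    else
        printf '%s\n' "$entry" >> "$ak"
        echo "installed in $ak"
    fi
}
```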