sshd configuration to use SSH Keys
18.10 install. I'm asking about sshd_config (in /etc/ssh/).
How do I permit/authenticate sshd keys?
When I log in from another Ubuntu instance, password works fine. ssh-copy-id should have set up the keys in the proper files (verified permission on directory, key file, authorizedhosts file entries match). Attempts to ssh in still demanded password. No reference in auth.log to authentication attempt.
I uncommented/permitted one of the host keys in the existing sshd_config.
I added the AuthenticationMethods publickey, password line.
(AuthenticationMethods did not previously exist in the file, or was commented out)
A subsequent attempt to connect was completely blocked.
When I examined the auth.log (debug1 level), I did not see any reference to a key validation having been made.
What do I need to configure in sshd_config so that SSH keys are usable?
What am I missing?
(I had expected that this would work out of the box)
ssh sshd
edited Jan 13 at 2:32 by terdon
asked Jan 12 at 19:16 by Kermit Tensmeyer
migrated from meta.askubuntu.com Jan 13 at 2:31
This question came from our discussion, support, and feature requests site for Ubuntu users and developers.
According to help.ubuntu.com/lts/serverguide/openssh-server.html.en you need to add the line: PubkeyAuthentication yes to the /etc/ssh/sshd_config file
– ubfan1
Jan 13 at 6:24
Yes, this was already enabled.
– Kermit Tensmeyer
Jan 14 at 2:51
More detail on various other items to set in sshd_config in linux-sys-adm.com/… (like PasswordAuthentication no). Post your /etc/ssh/sshd_config so we may make suggestions for changes.
– ubfan1
Jan 14 at 4:31
with comments stripped: HostKey /etc/ssh/ssh_host_ecdsa_key SyslogFacility AUTH LogLevel Debug PermitRootLogin prohibit-password PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys IgnoreRhosts yes PermitEmptyPasswords no ChallengeResponseAuthentication no UsePAM yes AllowAgentForwarding yes AllowTcpForwarding yes X11Forwarding yes PrintMotd no TCPKeepAlive yes AcceptEnv LANG LC_* Subsystem sftp /usr/lib/openssh/sftp-server
– Kermit Tensmeyer
Jan 15 at 14:07
I added a missing RSAAuthentication yes (restarted ssh) and the remote ssh still required a password. Re-applying the AuthenticationMethods publickey,password line still blocked all remote access. Is this something new with 18.10? :-)
– Kermit Tensmeyer
Jan 15 at 14:13
1 Answer
Your sshd_config is missing many fields my working version has, maybe that's the problem.
Here's mine, which does key login for me successfully, based on the sample in /usr/share/doc/openssh-client/examples/sshd_config:
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
answered Jan 15 at 16:24 by ubfan1
A few minor differences that I can see. The default values are usually commented out. My version for display eliminated all of the comments to reduce space. So you have PasswordAuthentication no HostbasedAuthentication no
– Kermit Tensmeyer
Jan 17 at 22:19
A few minor differences that I can see. The default values are usually commented out. My version for display eliminated all of the comments to reduce space. So you have PasswordAuthentication no HostbasedAuthentication no Protocol 2 (I think the current version doesn't track any protocol 1 attributes anymore) UsePrivilegeSeparation yes (this one I haven't seen before)
– Kermit Tensmeyer
Jan 17 at 22:25
my copy (this time with comments)
– Kermit Tensmeyer
Jan 17 at 22:26
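How sshd reads the AuthenticationMethods line discussed in the question and comments, worked through as an added example that is not part of the original posts or of OpenSSH. The two config strings are constructed from options posted on this page; the function names are hypothetical, and the model covers only the publickey and password methods, ignores Match blocks, and assumes both switches default to yes when absent.

```python
"""Added example: which login paths does an sshd_config leave open?"""

# Constructed from the option list the asker posted (comments stripped),
# plus the AuthenticationMethods line quoted in the follow-up comment.
ASKER_CONFIG = """\
HostKey /etc/ssh/ssh_host_ecdsa_key
LogLevel Debug
PermitRootLogin prohibit-password
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
ChallengeResponseAuthentication no
UsePAM yes
AuthenticationMethods publickey,password
"""

# Constructed: the authentication-related lines of the answer's config.
ANSWER_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
"""

# Method name -> (keyword that switches it on, value assumed when absent).
# Only the two methods discussed on this page are modelled.
METHOD_SWITCH = {
    "publickey": ("pubkeyauthentication", "yes"),
    "password": ("passwordauthentication", "yes"),
}


def parse_sshd_config(text):
    """Return {keyword: value}. Keywords are case-insensitive and the
    first value read for a keyword is the one that counts."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        options.setdefault(parts[0].lower(), value)
    return options


def enabled_methods(options):
    """Methods whose on/off switch is effectively 'yes'."""
    return {
        method
        for method, (keyword, default) in METHOD_SWITCH.items()
        if options.get(keyword, default).lower() == "yes"
    }


def login_paths(text):
    """Return the method sequences that can grant access.

    Each inner list must be completed in full, in order; completing any
    one inner list is enough. An empty result means nobody can log in.
    """
    options = parse_sshd_config(text)
    enabled = enabled_methods(options)
    spec = options.get("authenticationmethods", "any")
    if spec.lower() == "any":
        # Default behaviour: any single enabled method is sufficient.
        return [[m] for m in sorted(enabled)]
    paths = []
    for method_list in spec.split():        # whitespace separates alternatives
        methods = method_list.split(",")    # commas chain required methods
        for m in methods:
            if m not in METHOD_SWITCH:
                raise ValueError(f"unknown or empty method {m!r} in {method_list!r}")
        if all(m in enabled for m in methods):
            paths.append(methods)
    return paths


if __name__ == "__main__":
    print("asker, comma :", login_paths(ASKER_CONFIG))
    spaced = ASKER_CONFIG.replace("publickey,password", "publickey password")
    print("asker, space :", login_paths(spaced))
    print("answer       :", login_paths(ANSWER_CONFIG))
    locked = ANSWER_CONFIG + "AuthenticationMethods publickey,password\n"
    print("answer + line:", login_paths(locked))
```

On a live host, `sshd -T` prints the effective configuration and `sshd -t` validates the file before a restart, which is the check to run before relying on any change to these lines.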