problem on sshd setup: public key support

From: Wenjie (gokkog_at_yahoo.com)
Date: 07/05/04


Date: 5 Jul 2004 01:40:27 -0700

Hello,

Thanks for the suggestions concerning ssh account strategy.
Now I have a problem setting up public key authentication:
(I test within my LAN from to ethernet connection).

BTW, I got a timeout message when accessing my Linux box
from outside of the LAN, perhaps owing to network traffic.

client:
mylocalmachine@www.dayspot.com's password:
Access denied
Server refused our key

server:
sshd[6624]: Server listening on 0.0.0.0 port 22.
sshd[6631]: Could not reverse map address LAN_external_IP.
sshd[6631]: error: key_read: uudecode ...rsa-key-20040704 failed

# $OpenBSD: sshd_config,v 1.56 2002/06/20 23:37:12 markus Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

Port 22
Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
LogLevel INFO

# Authentication:

#LoginGraceTime 600
PermitRootLogin no
#StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# rhosts authentication should not be used
RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
IgnoreUserKnownHosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#Compression yes

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
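
The server log line "key_read: uudecode ... failed" is sshd reporting that it could not base64-decode the key blob on a public key line, which with the AuthorizedKeysFile setting above is a line of .ssh/authorized_keys. The following is an added example, not part of the original post, that checks a line the same way; the function names are hypothetical and the sample blob is constructed, not a usable key.

```python
import base64
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # protocol 2 key types of that OpenSSH era

def wire_fields(blob):
    """Split an SSH wire blob into length-prefixed fields; None if malformed."""
    out, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            return None
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + n > len(blob):
            return None
        out.append(blob[pos:pos + n])
        pos += n
    return out

def check_line(line):
    """Return (ok, reason) for one authorized_keys line."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return True, "blank or comment"
    # Options may precede the key, so look for the first key-type field.
    idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
    if idx is None:
        return False, "no key type field"
    if idx + 1 >= len(fields):
        return False, "base64 blob missing"
    try:
        blob = base64.b64decode(fields[idx + 1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, "base64 does not decode"
    parts = wire_fields(blob)
    if not parts:
        return False, "blob truncated or malformed"
    if parts[0] != fields[idx].encode():
        return False, "type inside blob differs from type field"
    return True, "ok"

def sample_blob():
    """Constructed test blob (not a usable key): type, e=65537, filler modulus."""
    s = lambda b: struct.pack(">I", len(b)) + b
    raw = s(b"ssh-rsa") + s(b"\x01\x00\x01") + s(b"\x00" + b"\xc3" * 64)
    return base64.b64encode(raw).decode()

if __name__ == "__main__":
    b = sample_blob()
    # One intact line, then the same key wrapped across two lines (constructed).
    for text in ("ssh-rsa " + b + " rsa-key-20040704", "ssh-rsa " + b[:64], b[64:] + " rsa-key-20040704"):
        print(check_line(text))
```

A key must occupy a single line (optional options, key type, base64 blob, comment); a key wrapped by an editor or mail client fails this check on both halves.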


