vibidoo Guru
Joined: 27 Nov 2002 Posts: 409
|
Posted: Wed Dec 04, 2002 4:43 pm Post subject: How to create a key for Putty to connect a Gentoo box |
|
|
Dear All
I would like to use putty from Windows to connect to my Gentoo box (ssh).
The Gentoo security guide explains pretty well how to create a key if you are on a Linux client, but not for a Windows client.
My Gentoo seems to be well set up, because the keys are loading during the boot.
And I set up the /etc/ssh/sshd_config file as noted in the security guide.
But I don't know how to create a key on a Windows system |
xpunkrockryanx Tux's lil' helper
Joined: 22 Sep 2002 Posts: 87 Location: College Place, WA, USA
|
Posted: Wed Dec 04, 2002 5:32 pm Post subject: |
|
|
it should work right out of the box... no need to do anything extra. just open putty, put the ip address in, select ssh (rather than telnet) and hit enter.
if you've tried that, what error is it that you're getting?
-ryan |
vibidoo Guru
Joined: 27 Nov 2002 Posts: 409
|
Posted: Wed Dec 04, 2002 6:01 pm Post subject: |
|
|
Yes I did
always the same error :
Network error : connection refused
But do I have to log on to my Windows system as root or a wheel user? |
magnuson n00b
Joined: 20 Nov 2002 Posts: 20
|
Posted: Wed Dec 04, 2002 6:06 pm Post subject: |
|
|
Are you trying to connect using a password challenge or using a public key method? If it's just a standard password then vibidoo is right, and putty should just work. On the other hand, if you want to use a dsa key to connect with, you need to convert the private key you generated with openssh to a format that putty can understand using puttygen.exe, which you can find on the putty website.
putty has extensive documentation on this sort of thing
http://the.earth.li/~sgtatham/putty/0.53b/htmldoc/Chapter8.html#8.2.12 |
kashani Advocate
Joined: 02 Sep 2002 Posts: 2032 Location: San Francisco
|
Posted: Wed Dec 04, 2002 6:15 pm Post subject: sshd_config |
|
|
Does your sshd_config contain this line:
Code: |
ListenAddress 127.0.0.1
|
If it does, comment it out and restart sshd.
kashani, who is off to have words with whoever put that config into the security doc. _________________ Will personally fix your server in exchange for motorcycle related shop tools in good shape. |
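The check kashani describes can be scripted. This is an added example, not part of the thread: it reads the active (uncommented) `ListenAddress` lines of an sshd_config and reports whether sshd would bind only to loopback, which is what produces "connection refused" for remote clients. The function names and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the whitespace-separated
# "Keyword value" form used in the sshd_config quoted on this page.

# listen_addresses FILE: print each active ListenAddress value, one per line.
# Keywords are case-insensitive; "#ListenAddress ..." is a comment and is skipped.
listen_addresses() {
    awk 'tolower($1) == "listenaddress" { print $2 }' "$1"
}

# listen_scope FILE: print "default", "loopback-only" or "reachable".
listen_scope() {
    addrs=$(listen_addresses "$1")
    if [ -z "$addrs" ]; then
        echo "default"          # no directive: sshd listens on all local addresses
        return 0
    fi
    for a in $addrs; do
        case "$a" in
            127.[0-9]*|localhost|localhost:*|::1|\[::1\]*) ;;  # loopback forms
            *) echo "reachable"; return 0 ;;
        esac
    done
    echo "loopback-only"        # only local clients can connect
}

# Constructed sample using the lines quoted in the thread.
sample=$(mktemp)
printf '%s\n' 'Port 22' 'Protocol 2' \
    'ListenAddress 127.0.0.1' '#ListenAddress ::' > "$sample"
echo "scope: $(listen_scope "$sample")"
rm -f "$sample"
```

Point `listen_scope` at `/etc/ssh/sshd_config` on the server; a result of `loopback-only` means the daemon accepts connections from the machine itself and nowhere else.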
solatis Apprentice
Joined: 06 Nov 2002 Posts: 214 Location: University of Twente, The Netherlands
|
Posted: Wed Dec 04, 2002 6:44 pm Post subject: |
|
|
When I emerged it, I did /etc/init.d/sshd start and it created the keys on the fly... _________________ Grtz,
Leon Mergen
http://www.solatis.com/ |
vibidoo Guru
Joined: 27 Nov 2002 Posts: 409
|
Posted: Wed Dec 04, 2002 6:52 pm Post subject: |
|
|
:Kashani:
Yes
I have ListenAddress 127.0.0.1 in /etc/ssh/sshd_config
I will try to comment it out and restart sshd.
:Solatis:
My problem is not on my Gentoo box, I guess I have the right key.
In /etc/ssh, I have many key files, such as: ssh_host_dsa_key, ssh_host_dsa_key.pub, ssh_host_rsa_key, ssh_host_key_rsa.pub, ssh_host_key, ssh_host_key.pub.
My problem is on my Windows system. I use it as a client to connect to the Gentoo box, and putty.exe always sends me the same error |
vibidoo Guru
Joined: 27 Nov 2002 Posts: 409
|
Posted: Wed Dec 04, 2002 7:06 pm Post subject: |
|
|
:magnuson:
I downloaded puttygen to generate a public and private key pair on my Windows system.
Once the keys are generated, what do I do with them? |
Jester Tux's lil' helper
Joined: 03 Aug 2002 Posts: 128 Location: Nashville, Tennessee
|
Posted: Wed Dec 04, 2002 8:38 pm Post subject: |
|
|
I'm having a similar problem. I just installed SSH the other day on my Gentoo box, and it was working fine until I rebooted. Now that I've rebooted, it seems not to be working. I tried to SSH in using Putty, and it "actively refused" my connection. So, thinking it was maybe a Putty problem, I tried it from my other Gentoo box. That one got the same error, so of course I'm thinking that there's something wrong with my setup or something....I originally posted the same thing at the last post of this thread
Feel free to answer my other questions...! |
kashani Advocate
Joined: 02 Sep 2002 Posts: 2032 Location: San Francisco
|
Posted: Wed Dec 04, 2002 9:50 pm Post subject: |
|
|
Jester wrote: | I'm having a similar problem. I just installed SSH the other day on my Gentoo box, and it was working fine until I rebooted. Now that I've rebooted, it seems not to be working. I tried to SSH in using Putty, and it "actively refused" my connection. So, thinking it was maybe a Putty problem, I tried it from my other Gentoo box. That one got the same error, so of course I'm thinking that there's something wrong with my setup or something....I originally posted the same thing at the last post of this thread
Feel free to answer my other questions...! |
I might answer it if you reverted back to the original sshd_config, did you?
kashani _________________ Will personally fix your server in exchange for motorcycle related shop tools in good shape. |
vibidoo Guru
Joined: 27 Nov 2002 Posts: 409
|
Posted: Wed Dec 04, 2002 10:54 pm Post subject: |
|
|
Kashani
you were right I uncomment
ListenAddress 127.0.0.1
And I can connect to my ssh port
Thanks A lot |
Jester Tux's lil' helper
Joined: 03 Aug 2002 Posts: 128 Location: Nashville, Tennessee
|
Posted: Thu Dec 05, 2002 2:07 am Post subject: |
|
|
Okay, well, I thought the problem was cos the service wasn't starting up at boot, but that's not it....My sshd_config file looks okay, but I'm no expert, either. Here's the important stuff it contains....
Code: |
Port 22
Protocol 2
ListenAddress 127.0.0.1
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 120
PermitRootLogin no
#StrictModes yes
AllowGroups wheel admin
AllowUsers chris jester
#RSAAuthentication yes
#PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
#rhosts authentication should not be used
RhostsAuthentication no
#Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
#For this to work you will also need host keys in etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
#similar for protocol version 2
#HostbasedAuthentication no
#Change to yes if you don't trust ~/.ssh/known_hosts for
#RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
#To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
#Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
#Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#AFSTokenPassing no
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no
# override default of no subsystems
Subsystem sftp /usr/lib/misc/sftp-server
#Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no
#Set this to 'yes' to enable PAM keyboard-interactive authentication
#Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#MaxStartups 10
#no default banner path
#Banner /some/path
#VerifyReverseMapping no
#override default of no subsystems
Subsystem sftp /usr/lib/misc/sftp-server |
I don't know why it's not working, but I'm also a total n00b to Linux, so that's not surprising! I'm not even sure what's necessary to uncomment and what's not...
Any help would be GREATLY appreciated!
Thanks! |
Jester Tux's lil' helper
Joined: 03 Aug 2002 Posts: 128 Location: Nashville, Tennessee
|
Posted: Thu Dec 05, 2002 3:19 am Post subject: |
|
|
Okay, well, actually, I just restored my original sshd_config file, and that made everything okay. It seems that the line giving me the trouble was
Code: | ListenAddress 127.0.0.1 |
The minute I commented that line out and restarted the service, it would work fine.
Now, does anybody happen to have any suggestions for me on how to edit the file for the best security/functionality? Is X11 forwarding a huge security hole? It kinda sounds neat, like it's a terminal server or something. |
riceboy50 n00b
Joined: 12 Nov 2002 Posts: 48 Location: Southern CA
|
Posted: Thu Dec 05, 2002 4:27 am Post subject: |
|
|
A point of interest in this discussion is the generation of server keys for your sshd. When I was setting up my sshd I had to read a thread (not sure where anymore) that said to add sshd into the boot runlevel and reboot. The appropriate keys (ones you have uncommented in sshd_config file) will automatically be generated by the runscript. That's how I solved my problem. _________________ I am logged on therefore I am... |
vibidoo Guru
Joined: 27 Nov 2002 Posts: 409
|
Posted: Thu Dec 05, 2002 9:37 am Post subject: |
|
|
Well now I can not identify
root and my wheel user are always access denied |
magnuson n00b
Joined: 20 Nov 2002 Posts: 20
|
Posted: Thu Dec 05, 2002 2:12 pm Post subject: |
|
|
Is it just those two usernames or can regular user accounts connect? In any case I would check your /etc/passwd to make sure that those users have default shells defined. That is, after the last colon there should be something like /bin/bash. Like so...
magnuson:x:2537:100::/home/magnuson:/bin/bash
Replace /bin/bash with your favorite shell.
I don't think that this would prevent users in the wheel group from logging in but just for giggles you might also want to check your sshd_config file for the entry PermitRootLogin. It defaults to "yes" so unless you changed it there shouldn't be a problem there. |
vibidoo Guru
Joined: 27 Nov 2002 Posts: 409
|
Posted: Thu Dec 05, 2002 3:46 pm Post subject: |
|
|
I just have two users for testing
The root and a wheel user .
on etc/passwd I set /bin/bash as shell .
Still have access denied |
Jester Tux's lil' helper
Joined: 03 Aug 2002 Posts: 128 Location: Nashville, Tennessee
|
Posted: Thu Dec 05, 2002 4:05 pm Post subject: |
|
|
You may wanna try doing what I did and just rename your current sshd_config file and then restore your default file (provided you didn't just overwrite it) and make settings changes one line at a time, based on what you want to accomplish with it. That way, you can narrow it down to what line specifically is causing the problem. Just a suggestion, though...I'm by no means qualified to say, "This is what you SHOULD DO..." heheheh |
riceboy50 n00b
Joined: 12 Nov 2002 Posts: 48 Location: Southern CA
|
Posted: Thu Dec 05, 2002 7:20 pm Post subject: |
|
|
Here is something to try with your sshd_config:
Comment out every line except the Port, HostKey, and Subsystem lines. Then erase the current server keys and init the runlevel in which sshd resides. By erasing the current keys and restarting sshd from its runlevel you will regenerate new keys. I also don't claim that this will work, just something to try. _________________ I am logged on therefore I am... |
doug-x07 Tux's lil' helper
Joined: 16 Nov 2002 Posts: 122 Location: Paris, France
|
Posted: Thu Dec 05, 2002 10:55 pm Post subject: |
|
|
You should also check whether your authorized_keys file is group writeable. If it is, sshd will refuse to use it and refuse the connection. So change the permissions if needed.
You can get much more detailed session logging by setting the logging option in putty to Log ssh packet data and by setting in sshd_config LogLevel to VERBOSE or DEBUG. That way you'll get detailed information on why connections are being refused.
Vibidoo are you using public key authentication or just password challenge ? _________________ #! /usr/bin/perl
if( @first != $succeed ) {
post { $question->forum && eval '$answers' };
try { $again } catch { $problem && $resolve };
bless $posters; } |
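The permission check from the post above, as an added example that is not part of the thread. It goes one step further than the post by also testing the home directory and `.ssh`, because sshd's `StrictModes` check (left at its default in the config quoted earlier) rejects a key file when it or a directory above it is writable by group or others. Ownership is not checked here, and the function names and demo directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Flags group- or world-writable
# paths that would make sshd ignore ~/.ssh/authorized_keys.

# loose_mode PATH: succeed if PATH is writable by group or others.
# Reads the mode string from ls, e.g. "-rw-rw-r--": character 6 is the
# group write bit, character 9 is the write bit for others.
loose_mode() {
    mode=$(ls -ld -- "$1" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# check_authorized_keys HOME: print every offending path under HOME;
# return 1 if any was found, 0 otherwise.
check_authorized_keys() {
    home=$1
    bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            continue
        fi
        if loose_mode "$p"; then
            echo "too permissive: $p ($mode), fix with: chmod go-w $p"
            bad=1
        fi
    done
    return $bad
}

# Constructed demo: a throwaway home directory with a group-writable key file.
demo=$(mktemp -d)
mkdir -p "$demo/.ssh"
: > "$demo/.ssh/authorized_keys"
chmod 755 "$demo"
chmod 700 "$demo/.ssh"
chmod 664 "$demo/.ssh/authorized_keys"
check_authorized_keys "$demo" || echo "result: sshd would not use this key file"
rm -rf "$demo"
```

On the server, run `check_authorized_keys /home/youruser` for the account that cannot log in, then confirm the cause in the sshd log with `LogLevel` raised as the post suggests.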