sshd question

Matthew Seaman m.seaman at infracaninophile.co.uk
Thu Jan 19 23:58:12 PST 2006


Peter wrote:
> --- Beech Rintoul <akbeech at gmail.com> wrote:
> 
>> I'm trying to set up ssh to use keys to authenticate on a remote server.
>> I've always used passwords in the past. I generated a key pair and
>> exported my public key to ~/.ssh/authorized_keys on the remote machine.
>> I changed sshd_config to "PasswordAuthentication no". When I log in the
>> remote machine still asks for a password. What do I change to just use
>> the key to log in?
> 
> I'm assuming you do not want to enter anything to log in right?  If so,
> you need a private key with a blank passphrase.  It's hard to say from
> here but it may be that you are being prompted for the passphrase to
> unlock your private key.

No, no, no.  ssh keys without pass-phrases are a liability.  It really is a
bad idea to do that.

What the OP should do instead is use ssh-agent -- I fire it up from .xsession
when I log into my desktop.  Then load your key into the agent:

    ssh-add ~/.ssh/id_dsa

which will require you to give the pass phrase.  However, that's the one and
only time you'll need to do that.

Then when you ssh into a box, it should auth against your key automatically.  If
you take care to always use the '-A' flag when you ssh in:

    ssh -A hostname

then you can bounce through several machines, and the auth requests will be
relayed back to the ssh-agent on your desktop.[*]

	Cheers,

	Matthew

[*] Agent forwarding is off by default in /etc/ssh/ssh_config (client side)
but permitted in /etc/ssh/sshd_config (server side) -- but the -A flag
overrides the client settings.

-- 
Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
                                                      Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW
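
Added example, not part of the original message: a small checker for the settings this thread turns on (the server's "PasswordAuthentication" and the agent-forwarding defaults from the footnote), showing that OpenSSH keeps the first value it finds for a keyword. The function names `effective_value` and `audit`, the sample files and the defaults passed in (upstream OpenSSH's) are assumptions made for this example.

```shell
# effective_value FILE KEYWORD DEFAULT
# Prints the value OpenSSH would use from the global section of FILE.
# OpenSSH keeps the FIRST value it obtains for a keyword, so an early
# "PasswordAuthentication yes" beats a later "no". Keywords are
# case-insensitive. Parsing stops at the first Host/Match line, so
# conditional blocks are deliberately not evaluated here.
effective_value() {
    awk -v want="$2" -v dflt="$3" '
        BEGIN { want = tolower(want) }
        {
            line = $0
            sub(/^[ \t]+/, "", line)              # leading whitespace
            if (line == "" || line ~ /^#/) next   # blanks and comments
            sub(/[ \t]*=[ \t]*/, " ", line)       # accept "Key=value"
            n = split(line, f, /[ \t]+/)
            key = tolower(f[1])
            if (key == "host" || key == "match") exit
            if (key == want && n >= 2) { print tolower(f[2]); found = 1; exit }
        }
        END { if (!found) print dflt }
    ' "$1"
}

# audit SSHD_CONFIG SSH_CONFIG: one line per setting discussed in the thread.
# DEFAULT arguments are upstream OpenSSH defaults (assumption: a vendor
# build may ship different ones).
audit() {
    echo "server PasswordAuthentication=$(effective_value "$1" PasswordAuthentication yes)"
    echo "server PubkeyAuthentication=$(effective_value "$1" PubkeyAuthentication yes)"
    echo "server AllowAgentForwarding=$(effective_value "$1" AllowAgentForwarding yes)"
    echo "client ForwardAgent=$(effective_value "$2" ForwardAgent no)"
}

# Constructed sample files (not taken from any real host).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/sshd_config" <<'EOF'
PasswordAuthentication yes
#PubkeyAuthentication no
passwordauthentication no
Match User backup
    AllowAgentForwarding no
EOF
cat > "$demo_dir/ssh_config" <<'EOF'
ForwardAgent=no
Host bastion
    ForwardAgent yes
EOF
audit "$demo_dir/sshd_config" "$demo_dir/ssh_config"
```

On a live system, `sshd -T` and `ssh -G hostname` print the fully resolved configuration, including Match and Host blocks.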
