Passwordless SSH login

Passwordless SSH login

Bob
I have set up SSH between two computers on my LAN and am trying to disable
password login.  SSH works between the computers.  I can log in using
public/private keys.  What I have not been able to do is disable the password
login.

The instructions I am using
<https://www.linuxbabe.com/linux-server/setup-passwordless-ssh-login> say to
edit /etc/ssh/sshd_config and change "PasswordAuthentication" from "yes" to
"no" and change "ChallengeResponseAuthentication" to "no".  That did not work
as I can still SSH to the computer and log in to the computer using the
password.

When I edit /etc/ssh/sshd_config "PasswordAuthentication" is commented out so I
removed the comment and changed "yes" to "no".
"ChallengeResponseAuthentication" was not in the config file so I added it.
What else do I need to do?

--
Robert Blair


We hang the petty thieves and appoint the great ones to public office.  -- Aesop

--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

Re: Passwordless SSH login

Karl Auer
On Wed, 2021-02-10 at 15:49 -0800, Bob wrote:
> I have set up SSH between two computers on my LAN and am trying to
> disable password login.

I'm wondering if you are confusing the password on the account with the
passphrase on the ssh key.

Also, each time you change the sshd configuration file you need to
restart the sshd server for the change to "take":

   systemctl restart sshd

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer ([hidden email])
http://www.biplane.com.au/kauer

GPG fingerprint: 2561 E9EC D868 E73C 8AF1 49CF EE50 4B1D CCA1 5170
Old fingerprint: 8D08 9CAA 649A AFEF E862 062A 2E97 42D4 A2A0 616D





Re: Passwordless SSH login

Robert Heller
In reply to this post by Bob
At Wed, 10 Feb 2021 15:49:35 -0800 "Ubuntu user technical support, not for general discussions" <[hidden email]> wrote:

> I have set up SSH between two computers on my LAN and am trying to disable
> password login.  SSH works between the computers.  I can login using
> public/private keys.  What I have not been able to do is disable the password
> login.
>

Check the IdentityFile setting in /etc/ssh/ssh_config

You need to make sure it is set to:

   IdentityFile ~/.ssh/id_rsa
   
I think Ubuntu sets it to:

   IdentityFile ~/.ssh/id_ecdsa

by default.

> The instructions I am using
> <https://www.linuxbabe.com/linux-server/setup-passwordless-ssh-login> says to
> edit /etc/ssh/sshd_config and change "PasswordAuthentication" from "yes" to
> "no" and change "ChallengeResponseAuthentication" to "no".  That did not work
> as I can still SSH to the computer and login to the computer using the
> password.
>
> When I edit /etc/ssh/sshd_config "PasswordAuthentication" is commented out so I
> removed the comment and changed "yes" to "no".
> "ChallengeResponseAuthentication" was not on the config file so I added it.
> What else do I need to do?
>

--
Robert Heller             -- Cell: 413-658-7953 GV: 978-633-5364
Deepwoods Software        -- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
[hidden email]       -- Webhosting Services
                                                                                     


Re: Passwordless SSH login

R C
In reply to this post by Karl Auer


On 2/10/21 5:17 PM, Karl Auer wrote:
> On Wed, 2021-02-10 at 15:49 -0800, Bob wrote:
>> I have set up SSH between two computers on my LAN and am trying to
>> disable password login.
> I'm wondering if you are confusing the password on the account with the
> passphrase on the ssh key.
>
> Also, each time you change the sshd configuration file you need to
> restart the sshd server for the change to "take":
>
>    systemctl restart sshd

I think OP is trying to do key based logins. (host based or priv/pub key pair?)

You can disable 'regular' password logins with "PasswordAuthentication no" I believe, BUT, that would only allow logons from machines key based.

(you can also make changes in the pam stack, but I'd be hesitant to do that)

If you'd go either route, I'd allow root logins at the console, so that when something gets messed up with the keys (and users (including yourself) will mess up their keys), you'd still have a reasonable way in.


R

> Regards, K.



Re: Passwordless SSH login

Bob
In reply to this post by Robert Heller
** Reply to message from Robert Heller <[hidden email]> on Wed, 10 Feb
2021 19:26:23 -0500 (EST)

> At Wed, 10 Feb 2021 15:49:35 -0800 "Ubuntu user technical support, not for
> general discussions" <[hidden email]> wrote:
>
> >
> > Content-Type: text/plain
> >
> > I have set up SSH between two computers on my LAN and am trying to disable
> > password login.  SSH works between the computers.  I can login using
> > public/private keys.  What I have not been able to do is disable the password
> > login.
> >
>
> Check the IdentityFile setting in /etc/ssh/ssh_config
>
> You need to make sure it is set to:
>
>    IdentityFile ~/.ssh/id_rsa
>    
> I think Ubuntu sets it to:
>
>    IdentityFile ~/.ssh/id_ecdsa
>
> by default.

Looking at /etc/ssh/ssh_config there is no IdentityFile parameter, all are
commented out.  On which system does this need to be set, all of them or the
client or server?

When I generated the keys I specified rsa.  I would think that would be enough
for everything to work.


> > The instructions I am using
> > <https://www.linuxbabe.com/linux-server/setup-passwordless-ssh-login> says to
> > edit /etc/ssh/sshd_config and change "PasswordAuthentication" from "yes" to
> > "no" and change "ChallengeResponseAuthentication" to "no".  That did not work
> > as I can still SSH to the computer and login to the computer using the
> > password.
> >
> > When I edit /etc/ssh/sshd_config "PasswordAuthentication" is commented out so I
> > removed the comment and changed "yes" to "no".
> > "ChallengeResponseAuthentication" was not on the config file so I added it.
> > What else do I need to do?
> >
>
> --
> Robert Heller             -- Cell: 413-658-7953 GV: 978-633-5364
> Deepwoods Software        -- Custom Software Services
> http://www.deepsoft.com/  -- Linux Administration Services
> [hidden email]       -- Webhosting Services
>                                                                                      
>
> --
> ubuntu-users mailing list
> [hidden email]
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

--
Robert Blair


The secret of freedom lies in educating people, whereas the secret of tyranny is in keeping them ignorant.  -- Maximilien Robespierre


Re: Passwordless SSH login

Bob
In reply to this post by R C
** Reply to message from R C <[hidden email]> on Wed, 10 Feb 2021 17:35:40
-0700

> On 2/10/21 5:17 PM, Karl Auer wrote:
> > On Wed, 2021-02-10 at 15:49 -0800, Bob wrote:
> >> I have set up SSH between two computers on my LAN and am trying to
> >> disable password login.
> > I'm wondering if you are confusing the password on the account with the
> > passphrase on the ssh key.
> >
> > Also, each time you change the sshd configuration file you need to
> > restart the sshd server for the change to "take":
> >
> >     systemctl restart sshd
>
> I think OP is trying to do key based logins. (host based or priv/pub key
> pair?)

I am trying to only allow a key based login.


> You can disable 'regular' password logins with
> "PasswordAuthentication no" I believe, BUT, that would only allow
> logons from machines key based.

Which is what I want.  I do have "PasswordAuthentication no".  The
documentation I have says that you also need "ChallengeResponseAuthentication
no".


> (you can also make changes in the pam stack, but I'd be hesitant to do
> that)
>
> If you'd go either route, I'd allow root logins at the console, so
> that when something gets messed up with the keys (and users (including
> yourself) will mess up their keys), you'd still have a reasonable way in.
>
>
> R
>
> >
> > Regards, K.

--
Robert Blair


Did you ever notice: When you put the 2 words ' The'   and ' IRS ' together it spells   'Theirs...'


Re: Passwordless SSH login

R C

On 2/10/21 8:19 PM, Bob wrote:

> ** Reply to message from R C <[hidden email]> on Wed, 10 Feb 2021 17:35:40
> -0700
>
>> On 2/10/21 5:17 PM, Karl Auer wrote:
>>> On Wed, 2021-02-10 at 15:49 -0800, Bob wrote:
>>>> I have set up SSH between two computers on my LAN and am trying to
>>>> disable password login.
>>> I'm wondering if you are confusing the password on the account with the
>>> passphrase on the ssh key.
>>>
>>> Also, each time you change the sshd configuration file you need to
>>> restart the sshd server for the change to "take":
>>>
>>>      systemctl restart sshd
>> I think OP is trying to do key based logins. (host based or priv/pub key
>> pair?)
> I am trying to only allow a key based login.
>
>
>> You can disable  'regular' password logins with
>> "|PasswordAuthentication no" I believe, BUT, that would only allow
>> logons from machines key based.|
> Which is what I want.  I do have "PasswordAuthentication no".  The
> documentation I have says that you also need "ChallengeResonpseAuthentication
> no".
>

Probably not necessary to ask, but did you restart sshd (systemctl
restart sshd) after the changes?  And if so, what does systemctl
status sshd say?


Also, you can see debugging info with ssh -v [hidden email], or -vv or
-vvv, to see what methods it is trying.

>> |(you can also make changes in the pam stack,  but I'd be hesitant to do
>> that)
>> |
>>
>> |If you'd go either route, I'd allow  root logins at the console, so
>> that when something gets messed up with the keys (and users (including
>> yourself) will mess up their keys), you'd still have a  reasonable way in.
>> |
>>
>>
>> R
>>
>>> Regards, K.


Re: Passwordless SSH login

R C
In reply to this post by Bob

On 2/10/21 8:19 PM, Bob wrote:

> ** Reply to message from R C <[hidden email]> on Wed, 10 Feb 2021 17:35:40
> -0700
>
>> On 2/10/21 5:17 PM, Karl Auer wrote:
>>> On Wed, 2021-02-10 at 15:49 -0800, Bob wrote:
>>>> I have set up SSH between two computers on my LAN and am trying to
>>>> disable password login.
>>> I'm wondering if you are confusing the password on the account with the
>>> passphrase on the ssh key.
>>>
>>> Also, each time you change the sshd configuration file you need to
>>> restart the sshd server for the change to "take":
>>>
>>>      systemctl restart sshd
>> I think OP is trying to do key based logins. (host based or priv/pub key
>> pair?)
> I am trying to only allow a key based login.
>
>
>> You can disable  'regular' password logins with
>> "|PasswordAuthentication no" I believe, BUT, that would only allow
>> logons from machines key based.|
> Which is what I want.  I do have "PasswordAuthentication no".  The
> documentation I have says that you also need "ChallengeResonpseAuthentication
> no".


probably also unnecessary

you are changing/using the file "/etc/ssh/sshd_config" on the server, 
right?


>
>> |(you can also make changes in the pam stack,  but I'd be hesitant to do
>> that)
>> |
>>
>> |If you'd go either route, I'd allow  root logins at the console, so
>> that when something gets messed up with the keys (and users (including
>> yourself) will mess up their keys), you'd still have a  reasonable way in.
>> |
>>
>>
>> R
>>
>>> Regards, K.


Re: Passwordless SSH login

Robert Heller
In reply to this post by Bob
At Wed, 10 Feb 2021 19:10:49 -0800 "Ubuntu user technical support, not for general discussions" <[hidden email]> wrote:

> ** Reply to message from Robert Heller <[hidden email]> on Wed, 10 Feb
> 2021 19:26:23 -0500 (EST)
>
> > At Wed, 10 Feb 2021 15:49:35 -0800 "Ubuntu user technical support, not for
> > general discussions" <[hidden email]> wrote:
> >
> > >
> > > Content-Type: text/plain
> > >
> > > I have set up SSH between two computers on my LAN and am trying to disable
> > > password login.  SSH works between the computers.  I can login using
> > > public/private keys.  What I have not been able to do is disable the password
> > > login.
> > >
> >
> > Check the IdentityFile setting in /etc/ssh/ssh_config
> >
> > You need to make sure it is set to:
> >
> >    IdentityFile ~/.ssh/id_rsa
> >    
> > I think Ubuntu sets it to:
> >
> >    IdentityFile ~/.ssh/id_ecdsa
> >
> > by default.
>
> Looking at /etc/ssh/ssh_config there is no IdentifyFile parameter, all are
> commented out.  Which system does this need to be set, all of them or the
> client or server?
>
> When I generated the keys I specified rsa.  I would think that would be enough
> for everything to work.

It needs to be set on the originating machine.  Do a "slogin -v" to see what
it is doing.  This should be enlightening.  It is possible that the compiled
in default is something other than ~/.ssh/id_rsa and the -v option will tell
you that.  If it is in fact something else, you need to include an
IdentityFile setting like I showed above.  You might need to do it on the
"other" machine if you ssh both ways.

>
>
> > > The instructions I am using
> > > <https://www.linuxbabe.com/linux-server/setup-passwordless-ssh-login> says to
> > > edit /etc/ssh/sshd_config and change "PasswordAuthentication" from "yes" to
> > > "no" and change "ChallengeResponseAuthentication" to "no".  That did not work
> > > as I can still SSH to the computer and login to the computer using the
> > > password.
> > >
> > > When I edit /etc/ssh/sshd_config "PasswordAuthentication" is commented out so I
> > > removed the comment and changed "yes" to "no".
> > > "ChallengeResponseAuthentication" was not on the config file so I added it.
> > > What else do I need to do?
> > >
> >
> > --
> > Robert Heller             -- Cell: 413-658-7953 GV: 978-633-5364
> > Deepwoods Software        -- Custom Software Services
> > http://www.deepsoft.com/  -- Linux Administration Services
> > [hidden email]       -- Webhosting Services
> >                                                                                      
> >
> > --
> > ubuntu-users mailing list
> > [hidden email]
> > Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
>

--
Robert Heller             -- Cell: 413-658-7953 GV: 978-633-5364
Deepwoods Software        -- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
[hidden email]       -- Webhosting Services
                                                                           


Re: Passwordless SSH login

R C

On 2/10/21 8:36 PM, Robert Heller wrote:

> At Wed, 10 Feb 2021 19:10:49 -0800 "Ubuntu user technical support, not for general discussions" <[hidden email]> wrote:
>
>> Content-Type: text/plain
>>
>> ** Reply to message from Robert Heller <[hidden email]> on Wed, 10 Feb
>> 2021 19:26:23 -0500 (EST)
>>
>>> At Wed, 10 Feb 2021 15:49:35 -0800 "Ubuntu user technical support, not for
>>> general discussions" <[hidden email]> wrote:
>>>
>>>> Content-Type: text/plain
>>>>
>>>> I have set up SSH between two computers on my LAN and am trying to disable
>>>> password login.  SSH works between the computers.  I can login using
>>>> public/private keys.  What I have not been able to do is disable the password
>>>> login.
>>>>
>>> Check the IdentityFile setting in /etc/ssh/ssh_config
>>>
>>> You need to make sure it is set to:
>>>
>>>     IdentityFile ~/.ssh/id_rsa
>>>    
>>> I think Ubuntu sets it to:
>>>
>>>     IdentityFile ~/.ssh/id_ecdsa
>>>
>>> by default.
>> Looking at /etc/ssh/ssh_config there is no IdentifyFile parameter, all are
>> commented out.  Which system does this need to be set, all of them or the
>> client or server?
>>
>> When I generated the keys I specified rsa.  I would think that would be enough
>> for everything to work.
> It needs to be set on the originating machine.  Do a "slogin -v" to see what
> it is doing.  This should be enlightening.  It is possible that the compiled
> in default is something other than ~/.ssh/id_rsa and the -v option will tell
> you that.  If it is in fact something else, you need to include an
> IdentityFile setting like I showed above.  You might need to do it on the
> "other" machine if you ssh both ways.
>
I believe he has the key-pairs working,  (generated on the client, and
added the pub one to the authorized_keys file on the server side)


>>
>>>> The instructions I am using
>>>> <https://www.linuxbabe.com/linux-server/setup-passwordless-ssh-login> says to
>>>> edit /etc/ssh/sshd_config and change "PasswordAuthentication" from "yes" to
>>>> "no" and change "ChallengeResponseAuthentication" to "no".  That did not work
>>>> as I can still SSH to the computer and login to the computer using the
>>>> password.
>>>>
>>>> When I edit /etc/ssh/sshd_config "PasswordAuthentication" is commented out so I
>>>> removed the comment and changed "yes" to "no".
>>>> "ChallengeResponseAuthentication" was not on the config file so I added it.
>>>> What else do I need to do?
>>>>
>>> --
>>> Robert Heller             -- Cell: 413-658-7953 GV: 978-633-5364
>>> Deepwoods Software        -- Custom Software Services
>>> http://www.deepsoft.com/  -- Linux Administration Services
>>> [hidden email]       -- Webhosting Services
>>>                                                                                      
>>>
>>> --
>>> ubuntu-users mailing list
>>> [hidden email]
>>> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users


Re: Passwordless SSH login

Bob
In reply to this post by R C
** Reply to message from R C <[hidden email]> on Wed, 10 Feb 2021 20:25:00
-0700

> On 2/10/21 8:19 PM, Bob wrote:
> > ** Reply to message from R C <[hidden email]> on Wed, 10 Feb 2021 17:35:40
> > -0700
> >
> >> On 2/10/21 5:17 PM, Karl Auer wrote:
> >>> On Wed, 2021-02-10 at 15:49 -0800, Bob wrote:
> >>>> I have set up SSH between two computers on my LAN and am trying to
> >>>> disable password login.
> >>> I'm wondering if you are confusing the password on the account with the
> >>> passphrase on the ssh key.
> >>>
> >>> Also, each time you change the sshd configuration file you need to
> >>> restart the sshd server for the change to "take":
> >>>
> >>>      systemctl restart sshd
> >> I think OP is trying to do key based logins. (host based or priv/pub key
> >> pair?)
> > I am trying to only allow a key based login.
> >
> >
> >> You can disable  'regular' password logins with
> >> "|PasswordAuthentication no" I believe, BUT, that would only allow
> >> logons from machines key based.|
> > Which is what I want.  I do have "PasswordAuthentication no".  The
> > documentation I have says that you also need "ChallengeResonpseAuthentication
> > no".
> >
>
> probably not necessary to ask, but, did you restart sshd? (systemctl
> restart sshd)  after the changes ?  and if so   what does systemctl
> status sshd say?

bob1@Juptier:~$ systemctl status sshd
   ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2021-02-10 14:13:00 PST; 5h 33min ago
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 14029 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
   Main PID: 14030 (sshd)
      Tasks: 1 (limit: 4514)
     Memory: 2.3M
     CGroup: /system.slice/ssh.service
             └─14030 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups

Feb 10 14:13:00 Juptier systemd[1]: Starting OpenBSD Secure Shell server...
Feb 10 14:13:00 Juptier sshd[14030]: Server listening on 0.0.0.0 port 22.
Feb 10 14:13:00 Juptier sshd[14030]: Server listening on :: port 22.
Feb 10 14:13:00 Juptier systemd[1]: Started OpenBSD Secure Shell server.
Feb 10 14:19:01 Juptier sshd[14047]: Accepted publickey for bob1 from 192.168.60.182 port 57830 ssh2: RSA SHA256:2vjQjFca63GJ3xu9FMPbqOmpR5yb+VEImHWexHfg510
Feb 10 14:19:01 Juptier sshd[14047]: pam_unix(sshd:session): session opened for user bob1 by (uid=0)
Feb 10 14:36:10 Juptier sshd[14132]: Accepted password for bob1 from 192.168.60.182 port 52326 ssh2
Feb 10 14:36:10 Juptier sshd[14132]: pam_unix(sshd:session): session opened for user bob1 by (uid=0)
bob1@Juptier:~$
 
>
> also,  you can see debugging info with ssh -v [hidden email],  or -vv or
> -vvv  to see what methods it is trying.

I will try this.

Not sure it  will be helpful.  I think the problem is SSH configuration and the
information I have is most likely incorrect.


> >> |(you can also make changes in the pam stack,  but I'd be hesitant to do
> >> that)
> >> |
> >>
> >> |If you'd go either route, I'd allow  root logins at the console, so
> >> that when something gets messed up with the keys (and users (including
> >> yourself) will mess up their keys), you'd still have a  reasonable way in.
> >> |
> >>
> >>
> >> R
> >>
> >>> Regards, K.
>

--
Robert Blair


Government's view of the economy could be summed up in a few short phrases: If it moves, tax it.  If it keeps moving, regulate it.  And if it stops moving, subsidize it.  -- Ronald Reagan (1986)
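
An added example, not part of any post in this thread: a shell check that compares what an sshd_config fragment says about PasswordAuthentication with what the sshd log shows was actually accepted, which is the mismatch visible in the status output above. The function names and both sample inputs are constructed for illustration (the log lines are modelled on the ones posted), and the parser assumes whitespace-separated "Keyword value" lines in the global section only.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and sample data are
# constructed for illustration.

# effective_sshd_value KEYWORD   (config text on stdin)
# Prints the value of KEYWORD from the global section of an sshd_config:
# keywords are case-insensitive, '#' starts a comment line, and the FIRST
# occurrence of a keyword wins. Parsing stops at the first Match block;
# Include files and the "Keyword=value" spelling are not handled.
# Prints "unset" when the keyword is absent.
effective_sshd_value() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ { next }                  # comment line
        NF == 0    { next }                  # blank line
        { key = tolower($1) }
        key == "match" { exit }              # conditional blocks: out of scope
        key == want { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    '
}

# password_logins   (journal/syslog text on stdin)
# Prints "time user source" for every login sshd accepted by password.
password_logins() {
    awk '$5 ~ /^sshd\[/ && $6 == "Accepted" && $7 == "password" {
        print $3, $9, $11
    }'
}

# audit_password_auth CONFIG_TEXT LOG_TEXT
# Prints one verdict:
#   OK                config disables passwords, none were accepted
#   MISMATCH          config disables passwords, yet sshd accepted one
#                     (daemon not restarted since the edit, or another
#                     setting takes precedence); only meaningful for log
#                     entries written after the config was edited
#   PASSWORD_ALLOWED  config does not disable passwords (unset means the
#                     sshd default, which is "yes")
audit_password_auth() {
    cfg=$(printf '%s\n' "$1" | effective_sshd_value PasswordAuthentication)
    hits=$(printf '%s\n' "$2" | password_logins)
    if [ "$cfg" = "no" ] && [ -n "$hits" ]; then
        echo "MISMATCH"
    elif [ "$cfg" = "no" ]; then
        echo "OK"
    else
        echo "PASSWORD_ALLOWED"
    fi
}

# Constructed sshd_config fragment matching the edit described in the thread.
SAMPLE_CONFIG='# constructed sample, not a real host configuration
#PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes'

# Constructed log sample, modelled on the status output posted above.
SAMPLE_LOG='Feb 10 14:13:00 Juptier sshd[14030]: Server listening on 0.0.0.0 port 22.
Feb 10 14:19:01 Juptier sshd[14047]: Accepted publickey for bob1 from 192.168.60.182 port 57830 ssh2
Feb 10 14:19:01 Juptier sshd[14047]: pam_unix(sshd:session): session opened for user bob1 by (uid=0)
Feb 10 14:36:10 Juptier sshd[14132]: Accepted password for bob1 from 192.168.60.182 port 52326 ssh2
Feb 10 14:36:10 Juptier sshd[14132]: pam_unix(sshd:session): session opened for user bob1 by (uid=0)'

echo "verdict: $(audit_password_auth "$SAMPLE_CONFIG" "$SAMPLE_LOG")"
printf '%s\n' "$SAMPLE_LOG" | password_logins | sed 's/^/password login: /'
```

On a live server the same functions can be fed the real config file and `journalctl -u ssh` output. `sudo sshd -T` prints the settings sshd parses from the complete configuration, including what this simplified parser skips, though not what an already running daemon has loaded.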


Re: Passwordless SSH login

Bob
In reply to this post by R C
** Reply to message from R C <[hidden email]> on Wed, 10 Feb 2021 20:29:44
-0700

> On 2/10/21 8:19 PM, Bob wrote:
> > ** Reply to message from R C <[hidden email]> on Wed, 10 Feb 2021 17:35:40
> > -0700
> >
> >> On 2/10/21 5:17 PM, Karl Auer wrote:
> >>> On Wed, 2021-02-10 at 15:49 -0800, Bob wrote:
> >>>> I have set up SSH between two computers on my LAN and am trying to
> >>>> disable password login.
> >>> I'm wondering if you are confusing the password on the account with the
> >>> passphrase on the ssh key.
> >>>
> >>> Also, each time you change the sshd configuration file you need to
> >>> restart the sshd server for the change to "take":
> >>>
> >>>      systemctl restart sshd
> >> I think OP is trying to do key based logins. (host based or priv/pub key
> >> pair?)
> > I am trying to only allow a key based login.
> >
> >
> >> You can disable  'regular' password logins with
> >> "|PasswordAuthentication no" I believe, BUT, that would only allow
> >> logons from machines key based.|
> > Which is what I want.  I do have "PasswordAuthentication no".  The
> > documentation I have says that you also need "ChallengeResonpseAuthentication
> > no".
>
>
> probably also unnecessary
>
> you are changing/using the file "/etc/ssh/sshd_config" on the server, 
> right?

Yes.


> >> |(you can also make changes in the pam stack,  but I'd be hesitant to do
> >> that)
> >> |
> >>
> >> |If you'd go either route, I'd allow  root logins at the console, so
> >> that when something gets messed up with the keys (and users (including
> >> yourself) will mess up their keys), you'd still have a  reasonable way in.
> >> |
> >>
> >>
> >> R
> >>
> >>> Regards, K.
>

--
Robert Blair


What this country needs are more unemployed politicians.  -- Edward Langley, Artist (1928-1995)


Re: Passwordless SSH login

Robert Heller
In reply to this post by Bob
At Wed, 10 Feb 2021 20:09:20 -0800 "Ubuntu user technical support, not for general discussions" <[hidden email]> wrote:

> ** Reply to message from R C <[hidden email]> on Wed, 10 Feb 2021 20:25:00
> -0700
>
> > On 2/10/21 8:19 PM, Bob wrote:
> > > ** Reply to message from R C <[hidden email]> on Wed, 10 Feb 2021 17:35:40
> > > -0700
> > >
> > >> On 2/10/21 5:17 PM, Karl Auer wrote:
> > >>> On Wed, 2021-02-10 at 15:49 -0800, Bob wrote:
> > >>>> I have set up SSH between two computers on my LAN and am trying to
> > >>>> disable password login.
> > >>> I'm wondering if you are confusing the password on the account with the
> > >>> passphrase on the ssh key.
> > >>>
> > >>> Also, each time you change the sshd configuration file you need to
> > >>> restart the sshd server for the change to "take":
> > >>>
> > >>>      systemctl restart sshd
> > >> I think OP is trying to do key based logins. (host based or priv/pub key
> > >> pair?)
> > > I am trying to only allow a key based login.
> > >
> > >
> > >> You can disable  'regular' password logins with
> > >> "|PasswordAuthentication no" I believe, BUT, that would only allow
> > >> logons from machines key based.|
> > > Which is what I want.  I do have "PasswordAuthentication no".  The
> > > documentation I have says that you also need "ChallengeResonpseAuthentication
> > > no".
> > >
> >
> > probably not necessary to ask, but, did you restart sshd? (systemctl
> > restart sshd)  after the changes ?  and if so   what does systemctl
> > status sshd say?
>
> >bob1@Juptier:~$ systemctl status sshd
>    ssh.service - OpenBSD Secure Shell server
>      Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset:
> enabled)
>      Active: active (running) since Wed 2021-02-10 14:13:00 PST; 5h 33min ago
>        Docs: man:sshd(8)
>              man:sshd_config(5)
>     Process: 14029 ExecStartPre=/usr/sbin/sshd -t (code=exited,
> status=0/SUCCESS)
>    Main PID: 14030 (sshd)
>       Tasks: 1 (limit: 4514)
>      Memory: 2.3M
>      CGroup: /system.slice/ssh.service
>              └─14030 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
>
> Feb 10 14:13:00 Juptier systemd[1]: Starting OpenBSD Secure Shell server...
> Feb 10 14:13:00 Juptier sshd[14030]: Server listening on 0.0.0.0 port 22.
> Feb 10 14:13:00 Juptier sshd[14030]: Server listening on :: port 22.
> Feb 10 14:13:00 Juptier systemd[1]: Started OpenBSD Secure Shell server.
> Feb 10 14:19:01 Juptier sshd[14047]: Accepted publickey for bob1 from
> 192.168.60.182 port 57830 ssh2: RSA
> SHA256:2vjQjFca63GJ3xu9FMPbqOmpR5yb+VEImHWexHfg510
> Feb 10 14:19:01 Juptier sshd[14047]: pam_unix(sshd:session): session opened for
> user bob1 by (uid=0)
> Feb 10 14:36:10 Juptier sshd[14132]: Accepted password for bob1 from
> 192.168.60.182 port 52326 ssh2
> Feb 10 14:36:10 Juptier sshd[14132]: pam_unix(sshd:session): session opened for
> user bob1 by (uid=0)
> bob1@Juptier:~$
>  
> >
> > also,  you can see debugging info with ssh -v [hidden email],  or -vv or
> > -vvv  to see what methods it is trying.
>
> I will try this.
>
> Not sure it  will be helpful.  I think the problem is SSH configuration and the
> information I have is most likely incorrect.
It will show which key files are being used -- it is most likely it is using
the wrong ones, so you will need to add an IdentityFile config line to change
things.

>
>
> > >> |(you can also make changes in the pam stack,  but I'd be hesitant to do
> > >> that)
> > >> |
> > >>
> > >> |If you'd go either route, I'd allow  root logins at the console, so
> > >> that when something gets messed up with the keys (and users (including
> > >> yourself) will mess up their keys), you'd still have a  reasonable way in.
> > >> |
> > >>
> > >>
> > >> R
> > >>
> > >>> Regards, K.
> >
>
--
Robert Heller             -- Cell: 413-658-7953 GV: 978-633-5364
Deepwoods Software        -- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
[hidden email]       -- Webhosting Services
                   



Re: Passwordless SSH login

R C
In reply to this post by Bob

On 2/10/21 9:09 PM, Bob wrote:

> ** Reply to message from R C <[hidden email]> on Wed, 10 Feb 2021 20:25:00
> -0700
>
>> On 2/10/21 8:19 PM, Bob wrote:
>>> ** Reply to message from R C <[hidden email]> on Wed, 10 Feb 2021 17:35:40
>>> -0700
>>>
>>>> On 2/10/21 5:17 PM, Karl Auer wrote:
>>>>> On Wed, 2021-02-10 at 15:49 -0800, Bob wrote:
>>>>>> I have set up SSH between two computers on my LAN and am trying to
>>>>>> disable password login.
>>>>> I'm wondering if you are confusing the password on the account with the
>>>>> passphrase on the ssh key.
>>>>>
>>>>> Also, each time you change the sshd configuration file you need to
>>>>> restart the sshd server for the change to "take":
>>>>>
>>>>>       systemctl restart sshd
>>>> I think OP is trying to do key based logins. (host based or priv/pub key
>>>> pair?)
>>> I am trying to only allow a key based login.
>>>
>>>
>>>> You can disable  'regular' password logins with
>>>> "|PasswordAuthentication no" I believe, BUT, that would only allow
>>>> logons from machines key based.|
>>> Which is what I want.  I do have "PasswordAuthentication no".  The
>>> documentation I have says that you also need "ChallengeResonpseAuthentication
>>> no".
>>>
>> probably not necessary to ask, but, did you restart sshd? (systemctl
>> restart sshd)  after the changes ?  and if so   what does systemctl
>> status sshd say?
>> bob1@Juptier:~$ systemctl status sshd
>     ssh.service - OpenBSD Secure Shell server
>       Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset:
> enabled)
>       Active: active (running) since Wed 2021-02-10 14:13:00 PST; 5h 33min ago



It doesn't look like you restarted the service in the last few hours; it
has been up for over 5 hours.


Do a "systemctl restart sshd" as root, or a "sudo systemctl restart
sshd", on the server, not the client.


>         Docs: man:sshd(8)
>               man:sshd_config(5)
>      Process: 14029 ExecStartPre=/usr/sbin/sshd -t (code=exited,
> status=0/SUCCESS)
>     Main PID: 14030 (sshd)
>        Tasks: 1 (limit: 4514)
>       Memory: 2.3M
>       CGroup: /system.slice/ssh.service
>               └─14030 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
>
> Feb 10 14:13:00 Juptier systemd[1]: Starting OpenBSD Secure Shell server...
> Feb 10 14:13:00 Juptier sshd[14030]: Server listening on 0.0.0.0 port 22.
> Feb 10 14:13:00 Juptier sshd[14030]: Server listening on :: port 22.
> Feb 10 14:13:00 Juptier systemd[1]: Started OpenBSD Secure Shell server.
> Feb 10 14:19:01 Juptier sshd[14047]: Accepted publickey for bob1 from
> 192.168.60.182 port 57830 ssh2: RSA
> SHA256:2vjQjFca63GJ3xu9FMPbqOmpR5yb+VEImHWexHfg510
> Feb 10 14:19:01 Juptier sshd[14047]: pam_unix(sshd:session): session opened for
> user bob1 by (uid=0)
> Feb 10 14:36:10 Juptier sshd[14132]: Accepted password for bob1 from
> 192.168.60.182 port 52326 ssh2
> Feb 10 14:36:10 Juptier sshd[14132]: pam_unix(sshd:session): session opened for
> user bob1 by (uid=0)
> bob1@Juptier:~$
>  
>> also,  you can see debugging info with ssh -v [hidden email],  or -vv or
>> -vvv  to see what methods it is trying.
> I will try this.
>
> Not sure it  will be helpful.  I think the problem is SSH configuration and the
> information I have is most likely incorrect.
>
>
>>>> (you can also make changes in the pam stack, but I'd be hesitant to do
>>>> that)
>>>>
>>>> If you'd go either route, I'd allow root logins at the console, so
>>>> that when something gets messed up with the keys (and users (including
>>>> yourself) will mess up their keys), you'd still have a reasonable way in.
>>>>
>>>>
>>>> R
>>>>
>>>>> Regards, K.

Re: Passwordless SSH login

Bob
In reply to this post by Robert Heller
** Reply to message from Robert Heller <[hidden email]> on Wed, 10 Feb
2021 22:36:11 -0500 (EST)

> At Wed, 10 Feb 2021 19:10:49 -0800 "Ubuntu user technical support, not for
> general discussions" <[hidden email]> wrote:
>
> >
> > Content-Type: text/plain
> >
> > ** Reply to message from Robert Heller <[hidden email]> on Wed, 10 Feb
> > 2021 19:26:23 -0500 (EST)
> >
> > > At Wed, 10 Feb 2021 15:49:35 -0800 "Ubuntu user technical support, not for
> > > general discussions" <[hidden email]> wrote:
> > >
> > > >
> > > > Content-Type: text/plain
> > > >
> > > > I have set up SSH between two computers on my LAN and am trying to disable
> > > > password login.  SSH works between the computers.  I can login using
> > > > public/private keys.  What I have not been able to do is disable the password
> > > > login.
> > > >
> > >
> > > Check the IdentityFile setting in /etc/ssh/ssh_config
> > >
> > > You need to make sure it is set to:
> > >
> > >    IdentityFile ~/.ssh/id_rsa
> > >    
> > > I think Ubuntu sets it to:
> > >
> > >    IdentityFile ~/.ssh/id_ecdsa
> > >
> > > by default.
> >
> > Looking at /etc/ssh/ssh_config there is no IdentityFile parameter, all are
> > commented out.  Which system does this need to be set, all of them or the
> > client or server?
> >
> > When I generated the keys I specified rsa.  I would think that would be enough
> > for everything to work.
>
> It needs to be set on the originating machine.  Do a "slogin -v" to see what
> it is doing.

robert@MARS:~$ slogin -v bob1@192.168.60.184
OpenSSH_8.3p1 Ubuntu-1, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf
matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to 192.168.60.184 [192.168.60.184] port 22.
debug1: Connection established.
debug1: identity file /home/robert/.ssh/id_rsa type 0
debug1: identity file /home/robert/.ssh/id_rsa-cert type -1
debug1: identity file /home/robert/.ssh/id_dsa type -1
debug1: identity file /home/robert/.ssh/id_dsa-cert type -1
debug1: identity file /home/robert/.ssh/id_ecdsa type -1
debug1: identity file /home/robert/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/robert/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/robert/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/robert/.ssh/id_ed25519 type -1
debug1: identity file /home/robert/.ssh/id_ed25519-cert type -1
debug1: identity file /home/robert/.ssh/id_ed25519_sk type -1
debug1: identity file /home/robert/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/robert/.ssh/id_xmss type -1
debug1: identity file /home/robert/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.3p1 Ubuntu-1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.3p1
Ubuntu-1
debug1: match: OpenSSH_8.3p1 Ubuntu-1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.60.184:22 as 'bob1'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [hidden email] MAC:
<implicit> compression: none
debug1: kex: client->server cipher: [hidden email] MAC:
<implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256
SHA256:Pnc1Tfpvc6xBJ5yaVyqmTaYmTqjPRl3VAAo/XY57efw
debug1: Host '192.168.60.184' is known and matches the ECDSA host key.
debug1: Found key in /home/robert/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/robert/.ssh/id_rsa RSA
SHA256:2vjQjFca63GJ3xu9FMPbqOmpR5yb+VEImHWexHfg510 agent
debug1: Will attempt key: /home/robert/.ssh/id_dsa
debug1: Will attempt key: /home/robert/.ssh/id_ecdsa
debug1: Will attempt key: /home/robert/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/robert/.ssh/id_ed25519
debug1: Will attempt key: /home/robert/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/robert/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info:
server-sig-algs=<ssh-ed25519,[hidden email],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[hidden email]>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/robert/.ssh/id_rsa RSA
SHA256:2vjQjFca63GJ3xu9FMPbqOmpR5yb+VEImHWexHfg510 agent
debug1: Server accepts key: /home/robert/.ssh/id_rsa RSA
SHA256:2vjQjFca63GJ3xu9FMPbqOmpR5yb+VEImHWexHfg510 agent
debug1: Authentication succeeded (publickey).
Authenticated to 192.168.60.184 ([192.168.60.184]:22).
debug1: channel 0: new [client-session]
debug1: Requesting [hidden email]
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype [hidden email] want_reply 0
debug1: Remote: /home/bob1/.ssh/authorized_keys:1: key options:
agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /home/bob1/.ssh/authorized_keys:1: key options:
agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Welcome to Ubuntu 20.10 (GNU/Linux 5.8.0-43-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 updates can be installed immediately.
0 of these updates are security updates.

Last login: Wed Feb 10 14:36:10 2021 from 192.168.60.182
bob1@Juptier:~$


>  This should be enlightening.  It is possible that the compiled
> in default is something other than ~/.ssh/id_rsa and the -v option will tell
> you that.  If it is in fact something else, you need to include an
> IdentityFile setting like I showed above.  You might need to do it on the
> "other" machine if you ssh both ways.
>
> >
> >
> > > > The instructions I am using
> > > > <https://www.linuxbabe.com/linux-server/setup-passwordless-ssh-login> says to
> > > > edit /etc/ssh/sshd_config and change "PasswordAuthentication" from "yes" to
> > > > "no" and change "ChallengeResponseAuthentication" to "no".  That did not work
> > > > as I can still SSH to the computer and login to the computer using the
> > > > password.
> > > >
> > > > When I edit /etc/ssh/sshd_config "PasswordAuthentication" is commented out so I
> > > > removed the comment and changed "yes" to "no".
> > > > "ChallengeResponseAuthentication" was not on the config file so I added it.
> > > > What else do I need to do?
> > > >
> > >

--
Robert Blair


The inherent vice of capitalism is the unequal sharing of the blessings.  The inherent blessing of socialism is the equal sharing of misery.  -- Winston Churchill

Re: Passwordless SSH login

R C

On 2/10/21 9:30 PM, Bob wrote:

> ** Reply to message from Robert Heller <[hidden email]> on Wed, 10 Feb
> 2021 22:36:11 -0500 (EST)
>
>> At Wed, 10 Feb 2021 19:10:49 -0800 "Ubuntu user technical support, not for
>> general discussions" <[hidden email]> wrote:
>>
>>> Content-Type: text/plain
>>>
>>> ** Reply to message from Robert Heller <[hidden email]> on Wed, 10 Feb
>>> 2021 19:26:23 -0500 (EST)
>>>
>>>> At Wed, 10 Feb 2021 15:49:35 -0800 "Ubuntu user technical support, not for
>>>> general discussions" <[hidden email]> wrote:
>>>>
>>>>> Content-Type: text/plain
>>>>>
>>>>> I have set up SSH between two computers on my LAN and am trying to disable
>>>>> password login.  SSH works between the computers.  I can login using
>>>>> public/private keys.  What I have not been able to do is disable the password
>>>>> login.
>>>>>
>>>> Check the IdentityFile setting in /etc/ssh/ssh_config
>>>>
>>>> You need to make sure it is set to:
>>>>
>>>>     IdentityFile ~/.ssh/id_rsa
>>>>    
>>>> I think Ubuntu sets it to:
>>>>
>>>>     IdentityFile ~/.ssh/id_ecdsa
>>>>
>>>> by default.
>>> Looking at /etc/ssh/ssh_config there is no IdentityFile parameter, all are
>>> commented out.  Which system does this need to be set, all of them or the
>>> client or server?
>>>
>>> When I generated the keys I specified rsa.  I would think that would be enough
>>> for everything to work.
>> It needs to be set on the originating machine.  Do a "slogin -v" to see what
>> it is doing.
> robert@MARS:~$ slogin -v bob1@192.168.60.184
> OpenSSH_8.3p1 Ubuntu-1, OpenSSL 1.1.1f  31 Mar 2020
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf
> matched no files

that is fine, there is nothing there in a "default" setup


> debug1: /etc/ssh/ssh_config line 21: Applying options for *
> debug1: Connecting to 192.168.60.184 [192.168.60.184] port 22.
> debug1: Connection established.
> debug1: identity file /home/robert/.ssh/id_rsa type 0
> debug1: identity file /home/robert/.ssh/id_rsa-cert type -1
> debug1: identity file /home/robert/.ssh/id_dsa type -1
> debug1: identity file /home/robert/.ssh/id_dsa-cert type -1
> debug1: identity file /home/robert/.ssh/id_ecdsa type -1
> debug1: identity file /home/robert/.ssh/id_ecdsa-cert type -1
> debug1: identity file /home/robert/.ssh/id_ecdsa_sk type -1
> debug1: identity file /home/robert/.ssh/id_ecdsa_sk-cert type -1
> debug1: identity file /home/robert/.ssh/id_ed25519 type -1
> debug1: identity file /home/robert/.ssh/id_ed25519-cert type -1
> debug1: identity file /home/robert/.ssh/id_ed25519_sk type -1
> debug1: identity file /home/robert/.ssh/id_ed25519_sk-cert type -1
> debug1: identity file /home/robert/.ssh/id_xmss type -1
> debug1: identity file /home/robert/.ssh/id_xmss-cert type -1
> debug1: Local version string SSH-2.0-OpenSSH_8.3p1 Ubuntu-1
> debug1: Remote protocol version 2.0, remote software version OpenSSH_8.3p1
> Ubuntu-1
> debug1: match: OpenSSH_8.3p1 Ubuntu-1 pat OpenSSH* compat 0x04000000
> debug1: Authenticating to 192.168.60.184:22 as 'bob1'
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: algorithm: curve25519-sha256
> debug1: kex: host key algorithm: ecdsa-sha2-nistp256
> debug1: kex: server->client cipher: [hidden email] MAC:
> <implicit> compression: none
> debug1: kex: client->server cipher: [hidden email] MAC:
> <implicit> compression: none
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> debug1: Server host key: ecdsa-sha2-nistp256
> SHA256:Pnc1Tfpvc6xBJ5yaVyqmTaYmTqjPRl3VAAo/XY57efw
> debug1: Host '192.168.60.184' is known and matches the ECDSA host key.
> debug1: Found key in /home/robert/.ssh/known_hosts:1
this means it knows the host you are connecting to.

> debug1: rekey out after 134217728 blocks
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: rekey in after 134217728 blocks
> debug1: Will attempt key: /home/robert/.ssh/id_rsa RSA
> SHA256:2vjQjFca63GJ3xu9FMPbqOmpR5yb+VEImHWexHfg510 agent
> debug1: Will attempt key: /home/robert/.ssh/id_dsa
> debug1: Will attempt key: /home/robert/.ssh/id_ecdsa
> debug1: Will attempt key: /home/robert/.ssh/id_ecdsa_sk
> debug1: Will attempt key: /home/robert/.ssh/id_ed25519
> debug1: Will attempt key: /home/robert/.ssh/id_ed25519_sk
> debug1: Will attempt key: /home/robert/.ssh/id_xmss
> debug1: SSH2_MSG_EXT_INFO received
> debug1: kex_input_ext_info:
> server-sig-algs=<ssh-ed25519,[hidden email],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[hidden email]>
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: publickey,password
> debug1: Next authentication method: publickey
> debug1: Offering public key: /home/robert/.ssh/id_rsa RSA
> SHA256:2vjQjFca63GJ3xu9FMPbqOmpR5yb+VEImHWexHfg510 agent
> debug1: Server accepts key: /home/robert/.ssh/id_rsa RSA
> SHA256:2vjQjFca63GJ3xu9FMPbqOmpR5yb+VEImHWexHfg510 agent
> debug1: Authentication succeeded (publickey).

This means that the server accepted your id_rsa key, and that it has
the public key from the pair and authentication succeeded; you're "in" now.

> Authenticated to 192.168.60.184 ([192.168.60.184]:22).
> debug1: channel 0: new [client-session]
> debug1: Requesting [hidden email]
> debug1: Entering interactive session.
here it says you're 'in'

> debug1: pledge: network
> debug1: client_input_global_request: rtype [hidden email] want_reply 0
> debug1: Remote: /home/bob1/.ssh/authorized_keys:1: key options:
> agent-forwarding port-forwarding pty user-rc x11-forwarding
> debug1: Remote: /home/bob1/.ssh/authorized_keys:1: key options:
> agent-forwarding port-forwarding pty user-rc x11-forwarding
> debug1: Sending environment.
> debug1: Sending env LANG = en_US.UTF-8
> Welcome to Ubuntu 20.10 (GNU/Linux 5.8.0-43-generic x86_64)
>
>   * Documentation:  https://help.ubuntu.com
>   * Management:     https://landscape.canonical.com
>   * Support:        https://ubuntu.com/advantage
>
> 0 updates can be installed immediately.
> 0 of these updates are security updates.
>
> Last login: Wed Feb 10 14:36:10 2021 from 192.168.60.182
> bob1@Juptier:~$


and there you are.


so your key pair is working.

>
>
>>   This should be enlightening.  It is possible that the compiled
>> in default is something other than ~/.ssh/id_rsa and the -v option will tell
>> you that.  If it is in fact something else, you need to include an
>> IdentityFile setting like I showed above.  You might need to do it on the
>> "other" machine if you ssh both ways.
>>
>>>
>>>>> The instructions I am using
>>>>> <https://www.linuxbabe.com/linux-server/setup-passwordless-ssh-login> says to
>>>>> edit /etc/ssh/sshd_config and change "PasswordAuthentication" from "yes" to
>>>>> "no" and change "ChallengeResponseAuthentication" to "no".  That did not work
>>>>> as I can still SSH to the computer and login to the computer using the
>>>>> password.
>>>>>
>>>>> When I edit /etc/ssh/sshd_config "PasswordAuthentication" is commented out so I
>>>>> removed the comment and changed "yes" to "no".
>>>>> "ChallengeResponseAuthentication" was not on the config file so I added it.
>>>>> What else do I need to do?
>>>>>

Re: Passwordless SSH login

Bob
In reply to this post by Bob
** Reply to message from "Bob" <[hidden email]> on Wed, 10 Feb
2021 15:49:35 -0800

> I have set up SSH between two computers on my LAN and am trying to disable
> password login.  SSH works between the computers.  I can login using
> public/private keys.  What I have not been able to do is disable the password
> login.
>
> The instructions I am using
> <https://www.linuxbabe.com/linux-server/setup-passwordless-ssh-login> says to
> edit /etc/ssh/sshd_config and change "PasswordAuthentication" from "yes" to
> "no" and change "ChallengeResponseAuthentication" to "no".  That did not work
> as I can still SSH to the computer and login to the computer using the
> password.
>
> When I edit /etc/ssh/sshd_config "PasswordAuthentication" is commented out so I
> removed the comment and changed "yes" to "no".
> "ChallengeResponseAuthentication" was not on the config file so I added it.
> What else do I need to do?

I think this has gotten off on a tangent.

What I want is to prevent someone logging in to the computer using a password.

I only want to allow a login using an rsa key.

--
Robert Blair


A government big enough to give you everything you want, is strong enough to take everything you have.  -- Thomas Jefferson

Re: Passwordless SSH login

R C

On 2/10/21 10:18 PM, Bob wrote:

> ** Reply to message from "Bob" <[hidden email]> on Wed, 10 Feb
> 2021 15:49:35 -0800
>
>> I have set up SSH between two computers on my LAN and am trying to disable
>> password login.  SSH works between the computers.  I can login using
>> public/private keys.  What I have not been able to do is disable the password
>> login.
>>
>> The instructions I am using
>> <https://www.linuxbabe.com/linux-server/setup-passwordless-ssh-login> says to
>> edit /etc/ssh/sshd_config and change "PasswordAuthentication" from "yes" to
>> "no" and change "ChallengeResponseAuthentication" to "no".  That did not work
>> as I can still SSH to the computer and login to the computer using the
>> password.
>>
>> When I edit /etc/ssh/sshd_config "PasswordAuthentication" is commented out so I
>> removed the comment and changed "yes" to "no".
>> "ChallengeResponseAuthentication" was not on the config file so I added it.
>> What else do I need to do?
> I think this has gotten off on a tangent.
>
> What I want is to prevent someone logging in to the computer using a password.
>
> I only want to allow a login using an rsa key.
>
Well just set the password to a ridiculously long random password, that
no one will ever be able to guess, not a 100% guarantee, but probably
close enough.




Re: Passwordless SSH login

R C

On 2/10/21 10:38 PM, R C wrote:

>
> On 2/10/21 10:18 PM, Bob wrote:
>> ** Reply to message from "Bob" <[hidden email]> on
>> Wed, 10 Feb
>> 2021 15:49:35 -0800
>>
>>> I have set up SSH between two computers on my LAN and am trying to
>>> disable
>>> password login.  SSH works between the computers.  I can login using
>>> public/private keys.  What I have not been able to do is disable the
>>> password
>>> login.
>>>
>>> The instructions I am using
>>> <https://www.linuxbabe.com/linux-server/setup-passwordless-ssh-login>
>>> says to
>>> edit /etc/ssh/sshd_config and change "PasswordAuthentication" from
>>> "yes" to
>>> "no" and change "ChallengeResponseAuthentication" to "no". That did
>>> not work
>>> as I can still SSH to the computer and login to the computer using the
>>> password.
>>>
>>> When I edit /etc/ssh/sshd_config "PasswordAuthentication" is
>>> commented out so I
>>> removed the comment and changed "yes" to "no".
>>> "ChallengeResponseAuthentication" was not on the config file so I
>>> added it.
>>> What else do I need to do?
>> I think this has gotten off on a tangent.
>>
>> What I want is to prevent someone logging in to the computer using a
>> password.
>>
>> I only want to allow a login using an rsa key.
>>
> Well just set the password to a ridiculously long random password,
> that no one will ever be able to guess, not a 100% guarantee, but
> probably close enough.


I believe (not sure) you can tell sshd not to use pam; this is what I
found in sshd_config:

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes


That way it will probably only use the ssh key exchange, BUT I bet
you cannot use a root login on the console anymore either.




Re: Passwordless SSH login

Karl Auer
In reply to this post by Bob
On Wed, 2021-02-10 at 21:18 -0800, Bob wrote:
> I think this has gotten off on a tangent.
>
> What I want is to prevent someone logging in to the computer using a
> password.
>
> I only want to allow a login using an rsa key.

Do you mean allow an ssh login only with a public key, or allow ANY
login only with a key?

The latter is a whole 'nother thing.

If you are only talking about ssh logins, then on the system you are
connecting TO:
- turn off PasswordAuthentication in the sshd config
- turn off ChallengeResponseAuthentication in the sshd config
- restart sshd
- done

If doing those things does not work then:
- you did not do them correctly
- you did not do them at all
- you did them on the wrong server

You will know when it works because "ssh random@server" will say
"Access denied (publickey)" or it will just disconnect, but it will not
request a password.

Note that if you use your own account for the test and your key has a
passphrase you WILL still be asked for the passphrase. If it has not
worked you will get "random@server's password:".

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer ([hidden email])
http://www.biplane.com.au/kauer

GPG fingerprint: 2561 E9EC D868 E73C 8AF1 49CF EE50 4B1D CCA1 5170
Old fingerprint: 8D08 9CAA 649A AFEF E862 062A 2E97 42D4 A2A0 616D
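
The check described in the message above can also be read from the `ssh -v` output posted earlier in the thread, where the line "Authentications that can continue: publickey,password" is the server's own list of accepted methods. The following is an added example, not code from any poster: the function names are made up here, and the embedded samples are either lines from the thread or constructed, as marked.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.

# Print the methods the server advertised (one per line), read from the first
# "Authentications that can continue:" line of `ssh -v` output on stdin.
advertised_methods() {
    sed -n 's/^debug1: Authentications that can continue: //p' \
        | head -n 1 | tr ',' '\n'
}

# Classify `ssh -v` output on stdin: password-offered, key-only or unknown.
verdict() {
    methods=$(advertised_methods)
    if [ -z "$methods" ]; then
        echo unknown    # no method list seen: never report this as hardened
    elif printf '%s\n' "$methods" | grep -qxE 'password|keyboard-interactive'; then
        echo password-offered
    else
        echo key-only
    fi
}

# From `sshd -T` output on stdin (effective settings computed from the config
# files, lowercase "keyword value" lines), print password-capable keywords
# that are set to yes.
still_enabled() {
    awk '$2 == "yes" && $1 ~ /^(password|challengeresponse|kbdinteractive)authentication$/ { print $1 }'
}

# Count password logins in sshd log lines on stdin.
password_logins() {
    grep -c 'sshd\[[0-9]*]: Accepted password for ' || true
}

# --- sample inputs ---
sample_before() {   # lines from the `slogin -v` output posted in the thread
    cat <<'EOF'
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
EOF
}
sample_after() {    # constructed: what a key-only server would advertise
    cat <<'EOF'
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
EOF
}
sample_sshd_T() {   # constructed excerpt of `sshd -T` output
    cat <<'EOF'
port 22
passwordauthentication yes
challengeresponseauthentication no
pubkeyauthentication yes
EOF
}
sample_log() {      # log lines from the thread, key fingerprint trimmed
    cat <<'EOF'
Feb 10 14:19:01 Juptier sshd[14047]: Accepted publickey for bob1 from 192.168.60.182 port 57830 ssh2
Feb 10 14:36:10 Juptier sshd[14132]: Accepted password for bob1 from 192.168.60.182 port 52326 ssh2
EOF
}

echo "before: $(sample_before | verdict)"
echo "after:  $(sample_after | verdict)"
echo "sshd -T still enables: $(sample_sshd_T | still_enabled)"
echo "password logins in log: $(sample_log | password_logins)"

# Live use (user@server is a placeholder; the sshd commands run on the server):
#   ssh -v -o BatchMode=yes -o PreferredAuthentications=none user@server true 2>&1 | verdict
#   sudo sshd -T | still_enabled
#   journalctl -u ssh | password_logins
```

`sshd -T` reads the files on disk, so it shows what the next restart will apply; the `ssh -v` line shows what the running daemon offers right now.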



