Can't get ssh working with a key pair. Could somebody help me please?


Post by eddie3000 »

I've been trying for a week nearly and can't get this working. I got it working in the past, but I've had to reinstall everything and I can't get it to work again.

I have two laptops, A and B, with users userA and userB. Laptop A runs linux mint cinnamon 18.1 and B runs linux mint xfce 17.1. I want to access laptop B from A via ssh using a key pair and no password. I am going to write down everything I have done so anyone can spot anything I have done wrong.


1- Install openssh-server on laptop B.

Code:

sudo apt-get install openssh-server

2- Edit config file.

Code:

sudo gedit /etc/ssh/sshd_config

Here's my file:

Code:

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 4444
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 2048

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile	%h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

3 - Configure ufw to default deny and allow port 4444.

Code:

sudo ufw enable
sudo ufw default deny
sudo ufw allow in to any port 4444

4- On laptop A I generate the key pair without a passphrase. I have tried both with putty and ssh-keygen. Neither works.

Code:

ssh-keygen

5- I then copy the .pub file onto a usb flash memory and take it to laptop B.

Code:

sudo cp /media/usbmemory/file.pub /home/userB/.ssh/authorized_keys
sudo chmod 755 /home/userB/.ssh
sudo chmod 600 /home/userB/.ssh/authorized_keys

6- Reboot laptop B.

7- Laptop A has its key in its home folder, exactly where ssh-keygen put it in the first place. I try connecting via ssh using remmina, or putty, or "connect to server" in the file manager and they all fail.

8-Here is a fragment of /var/log/auth.log from laptop B. It clearly says "invalid userA". Is that the problem?

Code:

May 12 09:01:04 userB systemd-logind[512]: New seat seat0.
May 12 09:01:12 userB sshd[1179]: Server listening on 0.0.0.0 port 4444.
May 12 09:01:12 userB sshd[1179]: Server listening on :: port 4444.
May 12 09:01:15 userB mdm[1434]: pam_unix(mdm-autologin:session): session opened for user userB by (uid=0)
May 12 09:01:15 userB systemd-logind[512]: New session c1 of user userB.
May 12 09:01:15 userB systemd-logind[512]: Linked /tmp/.X11-unix/X0 to /run/user/1000/X11-display.
May 12 09:01:15 userB mdm[1434]: pam_ck_connector(mdm-autologin:session): nox11 mode, ignoring PAM_TTY :0
May 12 09:01:24 userB polkitd(authority=local): Registered Authentication Agent for unix-session:c1 (system bus name :1.30 [/usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
May 12 09:03:08 userB sshd[2241]: Invalid user userA from 192.168.1.33
May 12 09:03:08 userB sshd[2241]: input_userauth_request: invalid user userA [preauth]
May 12 09:03:08 userB sshd[2241]: Connection closed by 192.168.1.33 [preauth]
May 12 09:03:10 userB sshd[2243]: Invalid user userA from 192.168.1.33
May 12 09:03:10 userB sshd[2243]: input_userauth_request: invalid user userA [preauth]
May 12 09:03:10 userB sshd[2243]: Connection closed by 192.168.1.33 [preauth]


What am I doing wrong?
Thank you.
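
Added example (not part of the original post): a small filter that turns sshd's rejection messages in an auth.log excerpt like the one above into one cause per connection. `Invalid user` is what sshd logs when the requested login name has no account on the server; the function name, the output format and the last two sample lines are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example: map sshd's rejection messages in auth.log to a cause.
# Usage: classify_sshd_failures < /var/log/auth.log
# Output: one line per rejected attempt, "<sshd pid> <cause>: <detail>".
classify_sshd_failures() {
    awk '
    match($0, /sshd\[[0-9]+\]: /) {
        pid = substr($0, RSTART + 5, RLENGTH - 8)   # digits inside sshd[...]
        msg = substr($0, RSTART + RLENGTH)          # text after "sshd[pid]: "
        split(msg, w, " ")
        if (msg ~ /^Invalid user /) {
            # Logged when the requested login name has no account on the server.
            print pid, "unknown-account: no account named", w[3], "(client " w[5] ")"
        } else if (msg ~ /^Authentication refused: bad ownership or modes/) {
            # StrictModes rejected the home directory, ~/.ssh or authorized_keys.
            print pid, "strictmodes: " substr(msg, 25)
        } else if (msg ~ /^Failed publickey for / && w[4] != "invalid") {
            # The account exists but the offered key was not accepted.
            print pid, "key-rejected: offered key not accepted for", w[4]
        }
    }'
}

# Constructed sample: the first three lines follow the excerpt above, the
# last two are made up to show the other two causes.
SAMPLE_LOG='May 12 09:03:08 userB sshd[2241]: Invalid user userA from 192.168.1.33
May 12 09:03:08 userB sshd[2241]: input_userauth_request: invalid user userA [preauth]
May 12 09:03:08 userB sshd[2241]: Connection closed by 192.168.1.33 [preauth]
May 12 09:05:00 userB sshd[2300]: Authentication refused: bad ownership or modes for directory /home/userB/.ssh
May 12 09:05:00 userB sshd[2300]: Failed publickey for userB from 192.168.1.33 port 50000 ssh2'
```

Run it against the sample with `printf '%s\n' "$SAMPLE_LOG" | classify_sshd_failures`.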

Post by eddie3000 »

Ahh! I forgot to mention that if I enable password authentication in /etc/ssh/sshd_config it does work, but I do not want that. I do not want to enter user and password in this particular case.

Code:

PasswordAuthentication yes

Post by eddie3000 »

Nobody?

Post by Habitual »

Hello:

https://help.ubuntu.com/community/Stric ... H_Settings

It is good form to cite any references you've read or followed when asking for help.
Otherwise, we end up using this
Nine times out of 10, I find most things at https://help.ubuntu.com
eddie3000 wrote:

Code:

PasswordAuthentication yes

Backwards.

Here's a tip.
Know what defaults are and stop editing.
If or when those stop working, then it's time to up the game.
If they never worked and you beat up on port 4444 and turn ON Password prompts.
Just stop.

Code:

ssh-keygen -f ~/.ssh/toasterA -t rsa -N '' -b 4096 -q -C "toasterA key made on $(date +%F)"

and copy contents of ~/.ssh/toasterA.pub to any/all intended remote hosts in the expected place(s),
use

Code:

ssh -i ~/.ssh/toasterA user@remote

This key making routine only need be done once, for any host.

Correct Permissions on both client AND server
stat --printf "%a %n \n" .ssh .ssh/authorized_keys* on either toasterA or toasterB.

Code:

700 .ssh
600 .ssh/authorized_keys

Think that covers it.
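
Added example (not from the thread): a check for the ownership and modes that step 5 of the first post and the permissions listed above both depend on. It goes beyond the modes shown above by also checking the owner, since a file created with `sudo cp` belongs to root; the function name and output format are made up for this example.

```bash
#!/usr/bin/env bash
# Added example: audit the paths sshd reads for public-key login.
# Usage: audit_ssh_dir HOME_DIR EXPECTED_UID
#   e.g. audit_ssh_dir /home/userB "$(id -u userB)"
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_ssh_dir() {
    local home uid path mode owner bad
    home=$1; uid=$2; bad=0
    for path in "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "MISSING $path"; bad=1; continue
        fi
        mode=$(stat -c '%a' "$path")    # octal permission bits, e.g. 600
        owner=$(stat -c '%u' "$path")   # numeric uid of the owner
        # sshd opens authorized_keys with the account's own privileges, so a
        # root-owned copy at mode 600 cannot be read and no key in it can match.
        if [ "$owner" != "$uid" ]; then
            echo "OWNER $path uid=$owner expected=$uid"; bad=1
        fi
        # With StrictModes yes, sshd refuses keys when these paths are
        # writable by group or others (octal mask 022).
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE $path mode=$mode"; bad=1
        fi
    done
    return "$bad"
}
```

The modes 755 or 700 on `.ssh` and 600 on `authorized_keys` all pass the writable check; 775 or 666 do not.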

Post by eddie3000 »

Hello again.

This is the main guide I used for setting things up.

http://mark-bishop.net/whitehat.php?page=remote

Whenever I use putty I get the message "Unable to use key file "/home/user/user" (OpenSSH SSH-2 private key)". It then asks me to enter user and password and it works.

If I use remmina, I get "SSH automatic public key authentication failed: Access denied. Authentication that can continue: publickey,password". If I configure the connection to enter user and password, it works.

There is something wrong with my key pair. I don't know what it is. I've tried Habitual's suggestion, but it didn't work either. Thanks anyhow.

Any other ideas?

Thank you.

Post by eddie3000 »

I have tried the default sshd_config file and the behaviour is the same. Not working. Any ideas?
Could the key pair have some sort of format incompatibility?
If I end up having to use password login, is that secure? How secure are the passwords stored on one's linux mint computer?