SSH key problems
Earlier today I decided it would be a good idea to change the keys I log into SSH with. It turns out it wasn't a great idea after all.
I used ssh-keygen and generated these keys:
sshhostrsa_key
sshhostdsa_key
Then just to make things interesting I forgot the password(s) I entered. I got 2 tries and then DenyHosts cut me off for good.
Now, after fiddling around I can now login to my node through LISH but not through my SSH client. When I try, it just disconnects me.
Here's what I have tried so far:
Delete everything in /etc/hosts.deny
> echo > /etc/hosts.deny
Check IPtables to see if I'm listed in there.
> iptables -L -n
> Nothing's in there (at all).Hmm.. Let's delete all the keys and start over.
> rm /etc/ssh/ssh_host*Now generate some new keys (remember them this time)! Then save them to /etc/ssh/
> ssh-keygen -t rsa
ssh-keygen -t dsa Try using my SSH client to login.. Nope! Disconnected right away.
Let's take a look at my auth.log
> May 26 18:56:19 FUS sshd[1612]: error: Could not load host key: /etc/ssh/sshhostkeyMay 26 18:56:19 FUS sshd[1612]: error: Could not load host key: /etc/ssh/sshhostrsa_key
May 26 18:56:19 FUS sshd[1612]: error: Could not load host key: /etc/ssh/sshhostdsa_key
I'm so lost I don't know where to go from here. Can anybody help? Am I missing a step somewhere?
Thanks
9 Replies
@A32:
Hi. I'm hoping someone might be able to shed some light on my situation.
Earlier today I decided it would be a good idea to change the keys I log into SSH with. It turns out it wasn't a great idea after all.
I used ssh-keygen and generated these keys:
sshhostrsa_key
sshhostdsa_key
Well, the second round of Debian ssh updates automatically regenerated the host keys, so you didn't need to delete it at all. The simplest way to get them back, assuming you haven't otherwise altered the sshd configuration, is to 'sudo dpkg –force-depends -P openssh-server ; sudo apt-get install openssh-server' - from lish. Obviously won't be able to login over ssh while doing that, etc, etc.
@A32:
Now, after fiddling around I can now login to my node through LISH but not through my SSH client. When I try, it just disconnects me.
denyhosts doesn't use iptables (by default). If you have a static IP that you want to prevent being blocked by denyhosts, pop it in /var/lib/denyhosts/allowed-hosts. I suspect the above plus this will let you login again.
Try:
ssh-keygen -t rsa1 -f ssh_host_key -C '' -N ''
ssh-keygen -t rsa -f ssh_host_rsa_key -C '' -N ''
ssh-keygen -t dsa -f ssh_host_dsa_key -C '' -N ''
chmod 600 ssh_host*key
chmod 644 ssh_host*key.pub
The -C and -N options ensure no passwords or comments. There should NOT be a password on the host key otherwise sshd can't load them at boot time.
Now restart sshd on the server.
This won't solve the denyhosts option, but should get sshd running properly!
However, I think I'm missing some knowledge at a very basic level.
I use Putty from Windows.
I used puttygen to generate a new public and private key.
I added the public key to the home/.ssh/authorized_keys2 file.
I changed the private key file in Putty to the one I just generated with puttygen.
Now after all your guys' suggestions and changing these things above, everything is back to normal (with a different password).
My (stupid) question is: How do the puttygen generated files and the ssh-keygen files relate to each other?
Is the puttygen key only for authentication and the ssh-keygen key for encrypting data communications between client/server?
Thanks again
"puttygen" is merely the putty specific version of ssh-keygen.
Now SSH does two things for you; 1) encrypt traffic, 2) provide key based authentication. When you stick a public key into $HOME/.ssh/authorizedkeys (authorizedkeys2 is deprecated; don't use it any more) you are telling ssh that you'll allow key based authentication, rather than password authentication. But whether you use keys or passwords, ssh can still provide "on the wire" encryption.
So I can use ssh-keygen to generate a public and private key, add the public key to authorized_keys, download that private key to my computer, tell putty to use that private key.
-OR-
use puttygen to generate public and private keys, add the public key to authorized_keys, tell putty to use the private key puttygen generated. Right?
–------------
I've done both and I think this was the catalyst to the problems I had. I used ssh-keygen with a password. As you say you can't do that because then the key can't be opened. But generating the key through puttygen doesn't seem to have that "caveat".
Again thanks for all the help!
User keys can have a password.
Things open to the public can't have passwords or that makes them sort of useless.
@jacko:
HOST keys are public keys.
Not quite. Like everything using this technology, there's a private key and a public key and these two are related mathematically. So you'll see /etc/sshhostkey and /etc/sshkeykey.pub. The "pub" version is the public key, the other one is the private key. Unlike normal user private keys, however, this private key should NOT have a password on it, otherwise the ssh daemon process can not load it up at boot time, and ssh will fail to run.