From: Beech Rintoul
To: Matthew Seaman
Cc: Peter, freebsd-questions@freebsd.org
Date: Fri, 20 Jan 2006 03:27:54 -0900
Subject: Re: sshd question

On Thursday 19 January 2006 22:57, Matthew Seaman wrote:
> Peter wrote:
> > --- Beech Rintoul wrote:
> >> I'm trying to set up ssh to use keys to authenticate on a remote server.
> >> I've always used passwords in the past. I generated a key pair and exported
> >> my public key to ~/.ssh/authorized_keys on the remote machine. I changed
> >> sshd_config to "PasswordAuthentication no". When I log in the remote machine
> >> still asks for a password. What do I change to just use the key to log in?
> >
> > I'm assuming you do not want to enter anything to log in, right? If so,
> > you need a private key with a blank passphrase. It's hard to say from
> > here but it may be that you are being prompted for the passphrase to
> > unlock your private key.
>
> No, no, no. ssh keys without pass-phrases are a liability. It really is
> a bad idea to do that.
>
> What the OP should do instead is use ssh-agent -- I fire it up from
> .xsession when I log into my desktop. Then load your key into the agent:
>
>     ssh-add ~/.ssh/id_dsa
>
> which will require you to give the pass phrase. However, that's the one
> and only time you'll need to do that.
>
> Then when you ssh into a box, it should auth against your key
> automatically. If you take care to always use the '-A' flag when you ssh
> in:
>
>     ssh -A hostname
>
> then you can bounce through several machines, and the auth requests will be
> relayed back to the ssh-agent on your desktop.[*]
>
> Cheers,
>
> Matthew
>
> [*] Agent forwarding is off by default in /etc/ssh/ssh_config (client side)
> but permitted in /etc/ssh/sshd_config (server side) -- but the -A flag
> overrides the client settings.

Thanks, my original problem was solved by just starting over with a new key
pair. Must have had a bad key. I ran debug on the server and it said it
couldn't read it even though it was there. I'll try the agent today.
It'll require adding a pass-phrase to the key, but that's no problem now that I
know all the configs are good. I really don't mind the final default to a
password. I just hate to type it all the time. I'm using a long very cryptic
pass and it gets tedious to have to enter it several times.

Thanks everyone for the help and suggestions,

Beech

--
Beech Rintoul - System Administrator - akbeech@gmail.com
/"\   ASCII Ribbon Campaign  | NorthWind Communications
\ / - NO HTML/RTF in e-mail  | 201 East 9Th Avenue Ste.310
 X  - NO Word docs in e-mail | Anchorage, AK 99501
/ \ - Please visit Alaska Paradise - http://akparadise.byethost33.com
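
Added example (not part of the original thread and not OpenSSH code): a way to find private keys that have no pass-phrase, the liability Matthew describes, so they can be re-keyed and used through ssh-agent instead. It goes beyond the 2006 PEM key format (id_dsa) and also reads the cipher name from the current openssh-key-v1 container; the file names and key bodies in SAMPLES are constructed placeholders.

```python
import base64
import re
import struct

MAGIC = b"openssh-key-v1\0"
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----\n(.*?)-----END \1-----", re.S)

def key_protection(text):
    """Classify key-file text as 'encrypted', 'unencrypted' or 'not-a-private-key'."""
    m = PEM_RE.search(text.replace("\r\n", "\n"))
    if not m:
        return "not-a-private-key"
    label, body = m.groups()
    if label == "ENCRYPTED PRIVATE KEY":      # PKCS#8 encrypted container
        return "encrypted"
    if label == "OPENSSH PRIVATE KEY":        # openssh-key-v1: magic, then ciphername string
        try:
            blob = base64.b64decode("".join(body.split()))
        except ValueError:
            return "not-a-private-key"
        head = len(MAGIC) + 4
        if not blob.startswith(MAGIC) or len(blob) < head:
            return "not-a-private-key"
        (n,) = struct.unpack(">I", blob[len(MAGIC):head])
        return "unencrypted" if blob[head:head + n] == b"none" else "encrypted"
    # Legacy PEM (the id_dsa/id_rsa format of 2006): encrypted keys carry this header.
    return "encrypted" if "Proc-Type: 4,ENCRYPTED" in body else "unencrypted"

def unprotected_keys(files):
    """Return the names in a {name: text} mapping whose private key has no pass-phrase."""
    return sorted(n for n, t in files.items() if key_protection(t) == "unencrypted")

def _openssh_sample(cipher, kdf):
    """Build a constructed openssh-key-v1 header (no real key material follows it)."""
    s = lambda b: struct.pack(">I", len(b)) + b
    blob = MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % b64

# Constructed sample files; the bodies are placeholders, not real keys.
SAMPLES = {
    "id_dsa": "-----BEGIN DSA PRIVATE KEY-----\nQUJD\n-----END DSA PRIVATE KEY-----\n",
    "id_dsa_pp": "-----BEGIN DSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: DES-EDE3-CBC,0000000000000000\n\nQUJD\n-----END DSA PRIVATE KEY-----\n",
    "id_ed25519": _openssh_sample(b"none", b"none"),
    "id_ed25519_pp": _openssh_sample(b"aes256-ctr", b"bcrypt"),
    "id_dsa.pub": "ssh-dss AAAAB3NzaC1kc3M= constructed@example\n",
}

if __name__ == "__main__":
    for name in unprotected_keys(SAMPLES):
        print("no passphrase:", name)
```

To audit a real directory, read each file under ~/.ssh into the mapping passed to unprotected_keys(); only the header is inspected, so no pass-phrase is needed and no key is decrypted.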