comp.security.ssh SSH secure remote login and tunneling tools.

#1

I am setting up a server with svn+ssh. I am a little confused as to where, or how to configure where, openssh will look for the public keys. This also means that I don't know where to upload the public keys.

Any help would be appreciated.

Thanks

#2

On 2007-09-04, chris <olsen.chris@gmail.com> wrote:
> I am setting up a server with svn+ssh. I am a little confused as to
> where, or how to configure where, openssh will look for the public
> keys. This also means that I don't know where to upload the public
> keys.

Just like using ssh outside of svn - that is, if it's OpenSSH, public keys go in ~/.ssh/authorized_keys on the server.

--
Elvis Notargiacomo master AT barefaced DOT cheek
http://www.notatla.org.uk/goen/

#3

>>>>> "chris" == chris <olsen.chris@gmail.com> writes:

chris> I am setting up a server with svn+ssh. I am a little confused
chris> as to where, or how to configure where, openssh will look for the
chris> public keys. This also means that I don't know where to upload
chris> the public keys.

chris> Any help would be appreciated.

chris> Thanks

http://www.snailbook.com/faq/publick...auth.auto.html

--
Richard Silverman
res@qoxp.net

#4

It is the $HOME dir (~/.ssh/...) that is causing the confusion. Whose home dir is this? Do I have to create a user on the server for each of the developers (although it is really just me) who want to upload their public key? I was under the impression that I would just append the public key to the authorized_keys file. I figured this file would be in some non-personal folder location.

Thanks for the help.

#5

I have created the .ssh folder on the server in home/my_name/ and have created a nice long passphrase. I am able to login using the passphrase, but I am still able to login with the account password. I cannot imagine this is a good thing, seeing as the normal account password is much much shorter than the passphrase.

I would think that I am missing something here, but none of the books that I have skimmed through mention anything about this.

Here is the console output when logging in with the normal username and password:

    ~ chrisolsen $ ssh chrisolsen@my_domain.com
    Enter passphrase for key '/Users/chrisolsen/.ssh/id_dsa':
    Enter passphrase for key '/Users/chrisolsen/.ssh/id_dsa':
    Enter passphrase for key '/Users/chrisolsen/.ssh/id_dsa':
    chrisolsen@my_domain.com's password:
    Linux ubuntu-test-server 2.6.15-26-server #1 SMP Fri Sep 8 21:00:37 UTC 2006 i686 GNU/Linux

#6

chris <olsen.chris@gmail.com> wrote:
> It is the $HOME dir (~/.ssh/...) that is causing the confusion. Whose
> home dir is this?

The home directory for the user that you're logging in as.

> Do I have to create a user on the server for each
> of the developers (although it is really just me) who want to upload
> their public key? I was under the impression that I would just append
> the public key to the authorized_keys file. I figured this file would
> be in some non-personal folder location.

No. If you intend to log in as a particular user, then presumably you already have a home directory? Are you using the machine in a different way?

--
Darren Dunham ddunham@taos.com
Senior Technical Consultant TAOS http://www.taos.com/
Got some Dr Pepper? San Francisco, CA bay area
< This line left intentionally blank to confuse you. >

#7

chris <olsen.chris@gmail.com> wrote:
> I have created the .ssh folder on the server in home/my_name/ and have
> created a nice long passphrase. I am able to login using the
> passphrase, but I am still able to login with the account password. I
> can not imagine this is good thing seeing as the normal account
> password is much much shorter than the passphrase.
>
> I would think that I am missing something here, but none of the books
> that I have skimmed through mention anything about this.

You can set the valid authentication mechanisms in the server's configuration file (sshd_config). The default has both password and private key authentication enabled, but you can disable them.

--
Darren Dunham ddunham@taos.com
Senior Technical Consultant TAOS http://www.taos.com/
Got some Dr Pepper? San Francisco, CA bay area
< This line left intentionally blank to confuse you. >

#8

> No. If you intend to log in as a particular user, then presumably you
> already have a home directory? Are you using the machine in a different
> way?

I didn't realize it worked that way. So for a developer on SourceForge I take it that they then have a *nix account created for them. I figured all developers would just have their public key added to the authorized_keys file.

> You can set the valid authentication mechanisms in the server's
> configuration file (sshd_config). The default has both password and
> private key authentication enabled, but you can disable them.

I feel dumb for asking this, but what is the reason for the public and private keys if you can login with your normal username/password? Is there an additional level of encryption added to the data that is transferred to and from the server when you login with your passphrase? What throws me is that in what I read it was stressed that the passphrase be fairly complex yet it is sent to the server.

I am just trying to set up an svn and was trying to read just enough to get me that far, but it seems like "once in and never out". I might have to dig a little further to make the details make sense that were supposed to make the initial questions make sense.

Thanks for the help

#9

chris <olsen.chris@gmail.com> wrote:
> I feel dumb for asking this, but what is the reason for the public and
> private keys if you can login with your normal username/password?

1) easy to set up, most folks still use passwords, so disabling them in the default would confuse a lot of people

2) who says you have a valid password? Quite a few setups use private keys, then give the account an invalid password, so login through that mechanism is impossible.

Sounds like you want to retain a valid password on the account, but stop SSH from using it. That's possible, just not the default.

> Is
> there an additional level of encryption added to the data that is
> transferred to and from the server when you login with your
> passphrase?

No. (but which encryption are you referring to?) You can do some more complex things with key authorization (like limit functionality and commands), but the data stream encryption is negotiated the same way with both.

> What throws me is that in what I read it was stressed
> that the passphrase be fairly complex yet it is sent to the server.

Passphrases and private keys are never sent to the server.

--
Darren Dunham ddunham@taos.com
Senior Technical Consultant TAOS http://www.taos.com/
Got some Dr Pepper? San Francisco, CA bay area
< This line left intentionally blank to confuse you. >
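
Posts #7 and #9 say password login stays enabled until sshd_config turns it off. The following is an added example, not part of the thread: a check that reads a config file and reports whether a password would still be accepted. The sample files are constructed, and including ChallengeResponseAuthentication in the check is an assumption of this example.

```shell
#!/bin/sh
# Added example. Sample configs below are constructed, not from the thread.

# effective_setting FILE KEYWORD DEFAULT
# Prints the value sshd would use from the global section: keywords are
# case-insensitive and the first value read for a keyword wins.
# Assumes "Keyword value" lines (no "Keyword=value" form).
effective_setting() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key); val = def }
        /^[ \t]*#/ || NF == 0 { next }               # comments, blank lines
        tolower($1) == "match" { exit }              # global section only
        tolower($1) == key { val = tolower($2); exit }
        END { print val }
    ' "$1"
}

# password_login_possible FILE -> exit 0 if sshd would still accept a password.
# ChallengeResponseAuthentication is included because keyboard-interactive
# can prompt for the account password through PAM.
password_login_possible() {
    pw=$(effective_setting "$1" PasswordAuthentication yes)
    cr=$(effective_setting "$1" ChallengeResponseAuthentication yes)
    [ "$pw" = yes ] || [ "$cr" = yes ]
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT

# Constructed sample 1: nothing about passwords is set, so defaults apply.
printf '%s\n' 'Port 22' 'PubkeyAuthentication yes' > "$tmp/default.conf"

# Constructed sample 2: keys only; the later duplicate line is ignored.
printf '%s\n' 'PubkeyAuthentication yes' 'passwordauthentication no' \
    'ChallengeResponseAuthentication no' 'PasswordAuthentication yes' \
    > "$tmp/keys_only.conf"

for f in "$tmp/default.conf" "$tmp/keys_only.conf"; do
    if password_login_possible "$f"; then
        echo "${f##*/}: password login still possible"
    else
        echo "${f##*/}: public key only"
    fi
done
```

On a live server, `sshd -T` prints the configuration sshd actually resolved, including the Match blocks this example does not evaluate.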

#10

chris <olsen.chris@gmail.com> wrote:
>> No. If you intend to log in as a particular user, then presumably you
>> already have a home directory? Are you using the machine in a different
>> way?
>
> I didn't realize it worked that way. So for a developer on
> SourceForge I take it that they then have an *nix account created for
> them. I figured all developers would just have their public key added
> to the authorized_keys file.

You can do that, but then they would all be allowed to authenticate as the same user. Usually you want to force them to authenticate as different users.

The sshd forks a copy for the login user and tries to find a key that will authenticate. Unless you give it some way to find different data for different users, they'll all behave the same.

You can override where it looks for the authorized_keys file in the sshd_config file.

    AuthorizedKeysFile
        Specifies the file that contains the public keys that can be used
        for user authentication. AuthorizedKeysFile may contain tokens of
        the form %T which are substituted during connection setup. The
        following tokens are defined: %% is replaced by a literal '%', %h
        is replaced by the home directory of the user being authenticated,
        and %u is replaced by the username of that user. After expansion,
        AuthorizedKeysFile is taken to be an absolute path or one relative
        to the user's home directory. The default is ``.ssh/authorized_keys''.

I don't know what would happen if you give it a single global file. I imagine that means that any user with a valid key will be permitted to log in as any valid user on the system...

--
Darren Dunham ddunham@taos.com
Senior Technical Consultant TAOS http://www.taos.com/
Got some Dr Pepper? San Francisco, CA bay area
< This line left intentionally blank to confuse you. >
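
The AuthorizedKeysFile rules quoted in post #10, worked through as an added example (not part of the thread and not sshd's own code): it expands the three tokens and flags any setting that resolves to one file for every account. The user names, home directories and /etc/ssh paths are constructed, and copying unknown %X sequences through unchanged is an assumption.

```shell
#!/bin/sh
# Added example. User names and paths below are constructed.

# expand_akf PATTERN USER HOME
# Expands %%, %h and %u as the sshd_config text quoted above describes, then
# treats a non-absolute result as relative to the user's home directory.
# Assumption: any other %X sequence is copied through unchanged.
expand_akf() {
    pat=$1 user=$2 home=$3 out=
    while [ -n "$pat" ]; do
        case $pat in
            %%*) out="$out%";     pat=${pat#"%%"} ;;
            %h*) out="$out$home"; pat=${pat#"%h"} ;;
            %u*) out="$out$user"; pat=${pat#"%u"} ;;
            *)   rest=${pat#?}                   # copy one literal character
                 out="$out${pat%"$rest"}"; pat=$rest ;;
        esac
    done
    case $out in
        /*) printf '%s\n' "$out" ;;
        *)  printf '%s\n' "$home/$out" ;;
    esac
}

# shared_by_all PATTERN -> exit 0 if two different accounts resolve to the
# same file, i.e. every key listed there is looked up for both accounts.
shared_by_all() {
    a=$(expand_akf "$1" alice /home/alice)
    b=$(expand_akf "$1" bob /home/bob)
    [ "$a" = "$b" ]
}

for p in '.ssh/authorized_keys' '/etc/ssh/keys/%u' '/etc/ssh/authorized_keys'; do
    if shared_by_all "$p"; then verdict='ONE file for every account'
    else verdict='separate file per account'; fi
    printf '%-26s -> %-32s %s\n' "$p" "$(expand_akf "$p" alice /home/alice)" "$verdict"
done
```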

#11

>> What throws me is that in what I read it was stressed
>> that the passphrase be fairly complex yet it is sent to the server.

> Passphrases and private keys are never sent to the server.

So when logging in and I have to enter my passphrase, is that only to access the private key on my side and perform the encryption? That would make more sense.

#12

chris <olsen.chris@gmail.com> wrote:
>>> What throws me is that in what I read it was stressed
>>> that the passphrase be fairly complex yet it is sent to the server.
>
>> Passphrases and private keys are never sent to the server.
>
> So when logging in and I have to enter my passphrase, is that only to
> access the private key on my side and perform the encryption? That
> would make more sense.

Right. The passphrase is to keep the private key from being stored on the disk in cleartext. The passphrase allows the ssh client to read the key, which is then used to encrypt a message that the server can decrypt with the public key, authenticating you.

--
Darren Dunham ddunham@taos.com
Senior Technical Consultant TAOS http://www.taos.com/
Got some Dr Pepper? San Francisco, CA bay area
< This line left intentionally blank to confuse you. >

#13

On Sep 4, 5:11 am, chris <olsen.ch...@gmail.com> wrote:
> I am setting up a server with svn+ssh. I am a little confused as to
> where, or how to configure where, openssh will look for the public
> keys. This also means that I don't know where to upload the public
> keys.
>
> Any help would be appreciated.
>
> Thanks

It should help you.
http://www.securityfocus.com/infocus/1806

Generally you should download your public key to $HOME/.ssh/authorized_keys

Check first that there is this file.

If no - just create it and copy your public key there:

    cat my_public_key > $HOME/.ssh/authorized_keys && chmod 600 $HOME/.ssh/authorized_keys

if yes - just add your public key:

    cat my_public_key >> $HOME/.ssh/authorized_keys

Make sure that global configuration allows you to use auth via keys.

Marcin Praczko
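
The two cases in post #13 (file missing, file present) folded into one function, as an added example that is not part of the original post: it appends a key only if it is not already listed, never overwrites existing keys, refuses a private key, and sets restrictive permissions. The key strings and the temporary directory layout are constructed placeholders.

```shell
#!/bin/sh
# Added example. The key material below is a constructed placeholder.

# install_pubkey KEYFILE HOMEDIR
# Adds one public key line to HOMEDIR/.ssh/authorized_keys without
# overwriting keys already there. Modes 700/600 keep the files private
# (sshd's StrictModes rejects group- or world-writable key files).
install_pubkey() {
    key=$1 dir=$2/.ssh auth=$2/.ssh/authorized_keys
    [ -r "$key" ] || { echo "cannot read $key" >&2; return 1; }
    # Only the public half belongs on the server.
    if grep -q 'PRIVATE KEY' "$key"; then
        echo "refusing: $key is a private key" >&2
        return 1
    fi
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    # Append only if this exact line is missing, so reruns do not duplicate it.
    grep -qxF -e "$(cat "$key")" "$auth" || cat "$key" >> "$auth"
}

# key_count HOMEDIR -> number of non-empty lines in authorized_keys
key_count() {
    grep -c . "$1/.ssh/authorized_keys"
}

# mode_of PATH -> permission string such as drwx------
mode_of() {
    ls -ld "$1" | cut -c1-10
}

demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT
echo 'ssh-rsa AAAA-CONSTRUCTED-PLACEHOLDER chris@laptop' > "$demo/id.pub"
echo '-----BEGIN OPENSSH PRIVATE KEY-----' > "$demo/id"

install_pubkey "$demo/id.pub" "$demo/home"
install_pubkey "$demo/id.pub" "$demo/home"     # second run adds nothing
install_pubkey "$demo/id" "$demo/home" || echo "private key rejected"
echo "keys installed: $(key_count "$demo/home")"
echo "$(mode_of "$demo/home/.ssh") $(mode_of "$demo/home/.ssh/authorized_keys")"
```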