
I'm an average admin supporting my own systems, not getting paid to be a professional. I've set up many systems for SSH with passwords and with private keys. This one is weird. I don't necessarily want to diagnose the issue here. I need help to know what I should be looking at to diagnose it myself for now and next time. I've read a lot of "how to implement pubkey / private key auth" blogs and wikis. I need more specific details that apply to Ubuntu 20.04+. I'm looking for more and better documentation.

  • About the keys: Is there a preferred format? RSA, DSA?
  • Preferred bits: 2048? 4096?
  • Is there any difference between the private and public keys generated with "git bash" ssh-keygen, and PuTTY key generator?
  • Is the OpenSSH key format acceptable? Old format or new?

I have been confused about using ssh-copy-id to send a public key from client to server. The server needs to allow password auth in order to save .ssh/authorized_keys. What's the usual way of getting the public key into a server if we have password auth turned off ... specifically because we're trying to implement 100% pubkey auth?

I'd like to get more control over .ssh/known_hosts:

  • Does this file get updated with every host used for a given SSH pubkey user?
  • Should we load the file manually to accept connection from a specific host? If so, what is the source of that data?

Ideally I'd like the client application to decide how it's going to authenticate: If the client is set for pubkey and it has a valid private key, allow the login. If the client app is set to use a password, prompt for a password.

Finally, looking at sshd -T | sort I've been confused when I see a password prompt in the client while passwordauthentication is "no" in the server and pubkeyauthentication is "yes". I'm guessing the pubkey auth is failing and it's falling back to password.

As you can see I've been struggling with this one system, where the config looks like others in front of me, but I'm unable to consistently and intentionally configure password versus key auth correctly.

In summary I think I need to set loglevel VERBOSE, and look carefully at the client and server exchanges to see what's wrong. I'm hoping someone can point to great docs that focus on this area of diagnostics. Remember, I'm hoping more to understand how to diagnose the issues than to just get "set x to y", but I'll take what I can get. :)

Thanks!

TonyG
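One way to start the diagnosis the question asks about, as an added example that is not part of the question or the comments: a POSIX shell script for the server side that reproduces the StrictModes permission checks sshd applies before it will read authorized_keys, and pulls effective settings out of saved sshd -T output. It assumes GNU coreutils stat (present on Ubuntu) and a script name of ssh_diag.sh; both are assumptions.

```shell
#!/bin/sh
# Added example, not from the question or any comment. sshd's StrictModes
# silently ignores authorized_keys when the home directory, ~/.ssh or the
# file itself is owned by someone else or writable by group/others; the
# client then falls back to the next method, which is the password prompt
# the question describes. Assumes GNU coreutils stat (Ubuntu) and that the
# script runs on the server as the login user. Paths are assumptions.

# 0 if PATH exists, is owned by USER and is not group/world-writable, else 1.
strict_modes_ok() {
    path=$1; user=$2
    [ -e "$path" ] || return 1
    [ "$(stat -c '%U' "$path")" = "$user" ] || return 1
    # Symbolic mode such as drwxr-x---: char 6 is group write, char 9 other write.
    case "$(stat -c '%A' "$path")" in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# Print the effective value of KEY from saved 'sshd -T' output (keys are
# lower-case there; multi-value keys such as authorizedkeysfile are kept whole).
sshd_effective() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); print }' "$1"
}

# Walk the chain sshd checks, stopping at the first element it would reject.
check_pubkey_prereqs() {
    home=$1; user=$2
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if strict_modes_ok "$p" "$user"; then
            echo "ok   $p"
        else
            echo "FAIL $p (missing, wrong owner, or group/world-writable)"
            return 1
        fi
    done
}

# Stand-alone use: sh ssh_diag.sh run   (sshd -T itself needs root)
case "${1:-}" in
    run)
        check_pubkey_prereqs "$HOME" "$(id -un)"
        if sshd -T > /tmp/sshd_T.txt 2>/dev/null; then
            for k in pubkeyauthentication passwordauthentication authorizedkeysfile; do
                echo "$k = $(sshd_effective /tmp/sshd_T.txt "$k")"
            done
        fi
        ;;
esac
```

If every line reports ok and the server still prompts for a password, the client-side ssh -v output is the next thing to read: "Offering public key" followed by "Authentications that can continue: password" means the server looked at the key and rejected it, which with LogLevel VERBOSE on the server shows up in auth.log with the fingerprint it refused.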
  • ssh-copy-id: You are correct that it is a chicken-and-egg problem. You must enable password access for the couple minutes required to run ssh-copy-id, then disable. Starting with Ubuntu Core and Ubuntu Server 20.04, downloading your pubkey from UbuntuOne is a secure method that's baked into the Ubuntu installer. – user535733 May 20 '21 at 20:47
  • Welcome to Ask Ubuntu. This is a question-and-answer site, not a discussion forum. We try to solve one problem at a time, and prefer that you ask one question at a time. Opinion-based questions like "which is better?" are off-topic here. Please see the site help for more. Having said all that, I will try to answer as many of your questions as I can. – user68186 May 20 '21 at 21:20
  • @user535733 - I know nothing about UbuntuOne. That's a good lead, thanks. – TonyG May 28 '21 at 15:39
  • @user68186 - I really get that, but as you see, individual questions without context would lead to a distributed set of Q&A that won't lead anyone else to a single conclusion. This is why I've focused the question as being "how do I approach this problem?" rather than asking about many detailed points. The general issue here is that I don't know all of the questions I should be asking, and I suspect others would be in a similar position, which is why I came here and asked this as I did. So thanks for some slack on this one on the matter of protocol, and for your Answers. – TonyG May 28 '21 at 15:41
