I'm an average admin supporting my own systems, not getting paid to be a professional. I've set up many systems for SSH with passwords and with private keys. This one is weird. I don't necessarily want to diagnose the issue here. I need help to know what I should be looking at to diagnose it myself for now and next time. I've read a lot of "how to implement pubkey / private key auth" blogs and wikis. I need more specific details that apply to Ubuntu 20.04+. I'm looking for more and better documentation.
- About the keys: Is there a preferred format? RSA, DSA?
- Preferred bits: 2048? 4096?
- Is there any difference between the private and public keys generated with "git bash" ssh-keygen and the PuTTY key generator?
- Is the OpenSSH key format acceptable? Old format or new?
I have been confused about using ssh-copy-id to send a public key from client to server. The server needs to allow password auth in order to save .ssh/authorized_keys. What's the usual way of getting the public key into a server if we have password auth turned off ... specifically because we're trying to implement 100% pubkey auth?
I'd like to get more control over .ssh/known_hosts:
- Does this file get updated with every host used for a given SSH pubkey user?
- Should we load the file manually to accept connection from a specific host? If so, what is the source of that data?
Ideally I'd like the client application to decide how it's going to authenticate: If the client is set for pubkey and it has a valid private key, allow the login. If the client app is set to use a password, prompt for a password.
Finally, looking at sshd -T | sort, I've been confused when I see a password prompt in the client while passwordauthentication is "no" in the server and pubkeyauthentication is "yes". I'm guessing the pubkey auth is failing and it's falling back to password.
As you can see I've been struggling with this one system, where the config looks like others in front of me, but I'm unable to consistently and intentionally configure password versus key auth correctly.
In summary I think I need to set loglevel VERBOSE, and look carefully at the client and server exchanges to see what's wrong. I'm hoping someone can point to great docs that focus on this area of diagnostics. Remember, I'm hoping more to understand how to diagnose the issues than to just get "set x to y", but I'll take what I can get. :)
Thanks!
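As an added example (not part of the original post), here is a small parser for the client-side ssh -v output that answers the question raised above: did the server decline every key the client offered, and did the client then fall back to password or keyboard-interactive (the PAM-driven prompt that looks like a password prompt)? The log lines are constructed to match the shape of OpenSSH debug1 output; the user, host, key paths and fingerprints are placeholders.

```python
import re

# Constructed sample of `ssh -v alice@server` client output (not a real session),
# shaped like OpenSSH debug1 lines: the server declines every offered key and
# the client falls back to the password method.
SAMPLE_FALLBACK = """\
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/alice/.ssh/id_ed25519 ED25519 SHA256:CONSTRUCTED1
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/alice/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
alice@server's password:"""

# Constructed sample of a session where the first offered key is accepted.
SAMPLE_SUCCESS = """\
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/alice/.ssh/id_ed25519 ED25519 SHA256:CONSTRUCTED1
debug1: Server accepts key: /home/alice/.ssh/id_ed25519 ED25519 SHA256:CONSTRUCTED1
Authenticated to server ([192.0.2.10]:22) using "publickey"."""

def summarize_auth(debug_output):
    """Parse ssh -v output and report what the server offered and what the client did."""
    offered, tried, methods, accepted = set(), [], [], None
    for line in debug_output.splitlines():
        if m := re.search(r"Authentications that can continue: (\S+)", line):
            offered.update(m.group(1).split(","))   # methods the server still allows
        elif m := re.search(r"(?:Offering public key|Trying private key): (\S+)", line):
            tried.append(m.group(1))               # identity files the client presented
        elif m := re.search(r"Server accepts key: (\S+)", line):
            accepted = m.group(1)                  # the key the server actually took
        elif m := re.search(r"Next authentication method: (\S+)", line):
            methods.append(m.group(1))             # order in which the client tried methods
    final = methods[-1] if methods else None
    if accepted:
        verdict = "publickey succeeded with %s" % accepted
    elif "publickey" in methods and final in ("password", "keyboard-interactive"):
        verdict = ("server rejected all %d offered key(s); client fell back to %s "
                   "(check the user's authorized_keys and sshd's own log)" % (len(tried), final))
    else:
        verdict = "no publickey attempt seen; client went straight to %s" % final
    return {"server_offers": sorted(offered), "keys_tried": tried,
            "key_accepted": accepted, "final_method": final, "verdict": verdict}

if __name__ == "__main__":
    for name, sample in (("fallback", SAMPLE_FALLBACK), ("success", SAMPLE_SUCCESS)):
        print(name, summarize_auth(sample))
```

To use it on a live session, capture the client side with ssh -v user@host 2> ssh-client.log and feed the file contents to summarize_auth; the server-side view of the same attempt is in sshd's log once LogLevel VERBOSE is set.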