secure ssh with public key

[milo974]

Hello,
i ve installed openbsd 4.3 on my laptop. (ip : 192.168.0.80)
i ve configure sshd_config :
...
Protocol 2
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
ChallengeResponseAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
...

i ve created a user : wesley with password
Open session with wesley and hit :
cd $HOME
ssh-keygen -t rsa -b 2048
cd .ssh
cat id_rsa >> authorized_keys
i ve copied the id_rsa on my usb key
logout

Open session with root to restart sshd

On an other computer (xp with putty)
i want to have ssh access on : 192.168.0.80
I have the following error :
Unable to use key file "f:\id_rsa.pub" (OpenSSH SSH2 Private key)

can you help me please.
thank's

[robbak]

You need to provide the private key to putty, and the public key to OpenSSH.

So (if I have this right)

cat id_rsa.pub >> authorized_keys

and then specify the id_rsa file for putty

That said, I think that putty uses it's own format for ssh keys. I set this up using puttyen, available wherever good puttys are downloaded.. It produces the files as putty wants them, and provides the authorized_keys text for easy pasting.

[jggimi]

General guideline for using public keys for authentication:
----

These are actually "key pairs" -- there are two halves which must be combined. Think of a lock that has two keyholes, where two different keys must be inserted and turned in order to open the lock.

There are two types of keys that make up a "key pair" -- a public key, and a private key. The public key is perfectly safe to send in-the-clear; via e-mail, posted on a web page, whatever. The private key should be kept private.

In actual practice with SSH between two people who wish to be client and server via SSH, and who are using public communication -- perhaps e-mail or instant messaging or text messages by cell phone, or shipping a diskette / CD / memory stick -- the person who will operate the client generates a key pair and sends the public "half" to the server administrator. No private information needs ever be sent via public methods at any time.

(If there is a private method for transferring private keys, then the key pair may be generated at the server or on an unrelated system.)

During authentication, the private key is used to generate an encrypted signature which can only be confirmed by decrypting with the public key. It proves that the sending station used the private key.

OpenSSH servers generate their own key pairs (on OpenBSD, in /etc/ssh) that are used to create a "fingerprint" which is used to confirm the server to clients. This fingerprint is stored in ~/.ssh/known_hosts for OpenSSH clients.

[milo974]

thank's , i need puttygen, it works

[phoenix]

For the archives: PuTTY doesn't use standard SSH keys. It uses it's own format. You have to convert (import SSH key into puttygen, save key to .ppk file) the OpenSSH keys in to PuTTY ppk files first. Just the private key. After that, you can connect via PuTTY using keys.

[milo974]

How can i remove prompte login and my passphrase ?
I ve tried to use ssh-add and ssh-agent (i ve read man page) but i don't understand how to use it...
thank's

[robbak]

milo, we will need a little more information on what you have tried. ssh-agent is used to automatically provide the password to password-protected keys, and is not required unless you password-protect your ssh key.

Please tell us exactly what you want to achieve, and how you have attempted to achieve it.

[milo974]

when i'm connect by putty to my firewall openbsd, i ve :
login as:
Welcome to the most secure platform.
Authenticating with public key "imported-openssh-key"
Passphrase for key "imported-openssh-key":

I want to remove login and passphrase if it is possible...
If someone can help me.
thank's

[phoenix]

In PuTTY, under the SSH -> Auth section, you can set the username to login as.

You *really*, really don't want to remove the passphrase from your key. If you do, and someone copies it, they will be able to login to your system without any passwords needed.

[Carpetsmoker]

You can use putty agent to remember the passphrase ... You would only need to use it once ...

[revzalot]

I don't like using agent because if someone hacks into your client account, the hacker can login into your firewall automatically. Passphrase adds that extra layer of security. Yes I'm paranoid when it comes to security.

[phoenix]

Quote:

Originally Posted by revzalot

I don't like using agent because if someone hacks into your client account, the hacker can login into your firewall automatically. Passphrase adds that extra layer of security. Yes I'm paranoid when it comes to security.

Only if he hacks in while you are logged in, and have the agent running. If the agent isn't running, then he would still have to crack the passphrases on your keys.