Charlie de Courcy said the following on 19/08/08 11:22:
> Morning all.
>
> I'd successfully set up ssh on my Ubuntu (8.04) box to allow remote
> logins of three users using publickey as the only auth method.
>
> This was working absolutely perfectly and ignoring the -not broke, don't
> fix it- mantra I decided to try and patch openssh with sftplogging /
> sftpfilecontrol to get a general idea of popular files being transferred.
>
> From: http://ubuntuforums.org/showthread.php?t=212476
>
> I followed the instructions down to:
> sudo aptitude install patch patchutils fakeroot
> sudo aptitude remove openssh-server
> sudo dpkg --purge openssh-server
> sudo apt-get build-dep openssh-server
> sudo aptitude update
> sudo aptitude upgrade
> apt-get source openssh-server
>
> I then realised there wasn't a patch available for my current openssh
> version (v1.7). Cursing for not checking this before I installed ssh again
>
> sudo aptitude install ssh-server ssh
>
> I then followed the instructions again here:
> http://ubuntuforums.org/archive/index.php/t-30709.html to re-sync the
> public keys (laptop vs box) and alter the /etc/ssh/sshd_config to get it
> back to its previous state, and destroying known_hosts on my laptop.
>
> Alas for some reason it isn't working, I'm sure I'm missing something
> obvious.
>
> When I ssh from my laptop:
>
> $ ssh charlie@192.168.1.2
> Permission denied (publickey).
>
> Even though the local ~/.ssh/id_dsa.pub has definitely been cat >> to
> box:/home/me/.ssh/authorized_keys (I've tried this method also to $ssh
> localhost also)
>
> I'm stuck and confused, and on loop. Any suggestions?
>
> Thanks,
> Charlie
>
> I've backed up the post-purged /etc/ssh/ssh_conf but this no longer
> exists in the current dir.
>
> box:/etc/sshd_config
>
> sshd_config ssh_host_dsa_key ssh_host_rsa_key
> sshd_config~ ssh_host_dsa_key.pub ssh_host_rsa_key.pub
> root@the-box:~# cat /etc/ssh/sshd_config
> # Package generated configuration file
> # See the sshd(8) manpage for details
>
> # What ports, IPs and protocols we listen for
> Port 22
> # Use these options to restrict which interfaces/protocols sshd will bind to
> #ListenAddress ::
> #ListenAddress 0.0.0.0
> Protocol 2
> # HostKeys for protocol version 2
> HostKey /etc/ssh/ssh_host_rsa_key
> HostKey /etc/ssh/ssh_host_dsa_key
> #Privilege Separation is turned on for security
> UsePrivilegeSeparation yes
>
> # Lifetime and size of ephemeral version 1 server key
> KeyRegenerationInterval 3600
> ServerKeyBits 768
>
> # Logging
> SyslogFacility AUTH
> LogLevel INFO
>
> # Authentication:
> LoginGraceTime 20
> PermitRootLogin no
> StrictModes yes
>
> RSAAuthentication yes
> PubkeyAuthentication yes
> #AuthorizedKeysFile %h/.ssh/authorized_keys
>
> # Don't read the user's ~/.rhosts and ~/.shosts files
> IgnoreRhosts yes
> # For this to work you will also need host keys in /etc/ssh_known_hosts
> RhostsRSAAuthentication no
> # similar for protocol version 2
> HostbasedAuthentication no
> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
> #IgnoreUserKnownHosts yes
>
> # To enable empty passwords, change to yes (NOT RECOMMENDED)
> PermitEmptyPasswords no
>
> # Change to yes to enable challenge-response passwords (beware issues with
> # some PAM modules and threads)
> ChallengeResponseAuthentication no
>
> # Change to no to disable tunnelled clear text passwords
> PasswordAuthentication no
>
> # Kerberos options
> #KerberosAuthentication no
> #KerberosGetAFSToken no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
>
> # GSSAPI options
> #GSSAPIAuthentication no
> #GSSAPICleanupCredentials yes
>
> X11Forwarding yes
> X11DisplayOffset 10
> PrintMotd no
> PrintLastLog yes
> TCPKeepAlive yes
> #UseLogin no
>
> #MaxStartups 10:30:60
> #Banner /etc/issue.net
>
> # Allow client to pass locale environment variables
> AcceptEnv LANG LC_*
>
> Subsystem sftp /usr/lib/openssh/sftp-server
>
> UsePAM yes
>
>
>
Fixed! As always the answer comes after the post.
I found the permissions on my home directory were not 'secure' enough
for ssh.
Cheers,
Charlie
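
Added example, not part of the original message: with `StrictModes yes`, as in the quoted sshd_config, sshd refuses a user's authorized_keys when the home directory, `~/.ssh` or the key file is group- or world-writable, or owned by anyone other than that user or root, and the client only sees `Permission denied (publickey)`. The script below reports such paths. It assumes GNU `stat` (as on Ubuntu) and the default `AuthorizedKeysFile` location; the function names are hypothetical.

```shell
#!/bin/sh
# Report paths that would fail sshd's StrictModes ownership/permission test.
# Assumptions: GNU stat, default AuthorizedKeysFile (%h/.ssh/authorized_keys).

# path_is_secure PATH UID
# Succeeds when PATH is owned by UID or root and is not group/world-writable.
path_is_secure() {
    [ -e "$1" ] || return 0   # a missing path is not a StrictModes failure
    mode=$(stat -L -c '%a' "$1") || return 1
    owner=$(stat -L -c '%u' "$1") || return 1
    if [ "$owner" != "$2" ] && [ "$owner" != 0 ]; then
        echo "bad owner (uid $owner): $1"
        return 1
    fi
    # 022 = group-write and other-write bits
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "group/world-writable (mode $mode): $1"
        return 1
    fi
    return 0
}

# strictmodes_check HOME_DIR UID
# Checks the home directory, ~/.ssh and authorized_keys; returns 1 if any fails.
strictmodes_check() {
    rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        path_is_secure "$p" "$2" || rc=1
    done
    return $rc
}

# Stand-alone use: first argument is the home directory, second the uid
# (defaults to the invoking user's uid).
if [ "$#" -ge 1 ]; then
    strictmodes_check "$1" "${2:-$(id -u)}"
fi
```

Any path it reports can be corrected with `chmod go-w` on that path; raising `LogLevel` in sshd_config also makes sshd log the refused file on the server side.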