Paul Stimpson wrote:
> Hi,
>
> I've been using SSH2 to log into my home server for so long I can't remember exactly what I did to set it up. Yesterday I added a new user to the server and I want then to be able to use SFTP.
>
> I created a new user and generated new new id_rsa and id_rsa.pub files (tried several variants of ssh-keygen -t rsa). I added the username to the AllowUsers directive in /etc/ssh/sshdconfig and copied the id_rsa file over to my laptop and put it in a new user's .ssh directory.
>
> If I try to log in using ssh ip.address.of.machine -p <port> -l username -v using the wrong username it goes through verifying the server's fingerprint then bombs, as expected, and an invalid login attempt is written to /var/log/auth.log. If I try with the correct username it goes through the process, the client offers the key then says which auth methods can continue before trying some more and failing. In this case, nothing gets written to /var/log/auth.log. My existing id_rsa for my own account still works.
>
> I'm sure I've done something silly. I think I regenerated all or most of the keys after the dodgy key panic last year. I would be really grateful for any pointers that might get me closer to the solution.
> Sent from my BlackBerry® wireless device
The safest way to do this is to use ssh-keygen to create the directory
structure in the new users home directory after adding the user.
Logon to the destination server.
$ sudo useradd newuser1
$ sudo passwd newuser1
Changing password for user newuser1.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
$ su - newuser1
Password:
$ ls -al
total 32
drwx------ 4 newuser1 newuser1 4096 2009-02-08 14:17 .
drwxr-xr-x 6 root root 4096 2009-02-08 14:16 ..
-rw-r--r-- 1 newuser1 newuser1 18 2008-12-15 11:04 .bash_logout
-rw-r--r-- 1 newuser1 newuser1 176 2008-12-15 11:04 .bash_profile
-rw-r--r-- 1 newuser1 newuser1 124 2008-12-15 11:04 .bashrc
If already created before, remove .ssh directory if you already have one
$ rm -rf .ssh
$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/newuser1/.ssh/id_dsa):
Created directory '/home/newuser1/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/newuser1/.ssh/id_dsa.
Your public key has been saved in /home/newuser1/.ssh/id_dsa.pub.
The key fingerprint is:
The key's randomart image is:
+--[ DSA 1024]----+
| |
| |
| . |
|. o |
|+ o o S |
|oo. + +. |
|*..+ o. |
|B+ .o.. |
|*E. oo |
+-----------------+
$ ls -al
total 36
drwx------ 5 newuser1 newuser1 4096 2009-02-08 14:17 .
drwxr-xr-x 6 root root 4096 2009-02-08 14:16 ..
-rw-r--r-- 1 newuser1 newuser1 18 2008-12-15 11:04 .bash_logout
-rw-r--r-- 1 newuser1 newuser1 176 2008-12-15 11:04 .bash_profile
-rw-r--r-- 1 newuser1 newuser1 124 2008-12-15 11:04 .bashrc
drwx------ 2 newuser1 newuser1 4096 2009-02-08 14:17 .ssh
$ ls -al .ssh
total 16
drwx------ 2 newuser1 newuser1 4096 2009-02-08 14:17 .
drwx------ 5 newuser1 newuser1 4096 2009-02-08 14:17 ..
-rw------- 1 newuser1 newuser1 668 2009-02-08 14:17 id_dsa
-rw-r--r-- 1 newuser1 newuser1 634 2009-02-08 14:17 id_dsa.pub
This has now created the directory structure with the correct permissions.
Now go to the computer you want to logon from. You will need
openssh-clients package installed
$ which ssh-copy-id
/usr/bin/ssh-copy-id
$ rpm -qf /usr/bin/ssh-copy-id
openssh-clients-5.1p1-3.fc10.i386
Create the new keys and copy the Public key to destination server.
$ ssh-keygen -t dsa
$ssh-copy-id -i .ssh/id_dsa.pub destserver
(or ssh-copy-id -i .ssh/id_dsa.pub 172.168.1.201)
Now you should be able to logon
ssh destserver
John.
P.S. SSH2 is strictly the propriety SSH v2 and not openssh v2 (they use
different key formats and are not compatiable. You can convert from one
to the other using openssh tools).
--
--------------------------------------------------------------
Discover Linux - Open Source Solutions to Business and Schools
http://discoverlinux.co.uk
--------------------------------------------------------------
