SSH with SSL private key to CentOS7 with ASF public key

Advertisement

AzaDO
Guest

SSH with SSL private key to CentOS7 with ASF public key

WinSCP works like a champ using a password to sign into SSH on my dedicated CentOS LAMP server.

I gather using a public SSL key on the server and the corresponding private key on WinSCP is significantly more secure.

But for the life of me I've not been able to make a connection using keys.

CentOS7 wants an RSA public key. WinSCP wants a PuTTY formatted private key. Using PuTTYgen from the WinSCP "Tools" pull-down I picked RSA and cranked out what should be a SSH-2 2048 bit pair of SSL keys.

PuTTYgen dutifully produced a line of plain text in the "Public key for pasting into OpenSSH authorized_keys file". So I made a one line plain text file called "id_rsa_pub" and uploaded it to /root/.ssh/authorized_keys/ on the server and set the permissions to 0600 (I also tried 0700). After making a few diddles to the /etc/ssh/sshd_config file to enable PubkeyAuthentication and point AuthorizedKeysFile to ".ssh/authorized_keys" I restarted the sshd service.

Turning back to WinSCP I hit the "Save private key" button and PuTTYgen saved the private key as "id_rsa.ppk". All that remained was to use WinSCP's Advanced Site Settings to uncheck "Allow Agent Forwarding" and pick "id_rsa.ppk" as the "Private key file".

It didn't work. All I get is a "Server rejected key" message.

Needless to say I tried all sorts of permutations and regenerated the keys just to be sure. Each try was met with a "server rejects the WinSCP private key" message.

Obviously while all of this was going on I maintained another instance of WinSCP connected to the server using a password. Once sshd_config was reconfigured to use SSL keys and I restarted the sshd service there would be no way to regain access to the server to unwind my changes.

So the question is "does keeping an instance of WinSCP open and connected to my server cause a second instance of WinSCP to fail to connect using SSL keys?"

Any insight is welcome.

Aza D. Oberman 3/12/2018

Reply with quote

Advertisement

martin
Site Admin
martin avatar
Joined:
Posts:
41,276
Location:
Prague, Czechia

Re: SSH with SSL private key to CentOS7 with ASF public key

AzaDO wrote:

PuTTYgen dutifully produced a line of plain text in the "Public key for pasting into OpenSSH authorized_keys file". So I made a one line plain text file called "id_rsa_pub" and uploaded it to /root/.ssh/authorized_keys/ on the server and set the permissions to 0600 (I also tried 0700). After making a few diddles to the /etc/ssh/sshd_config file to enable PubkeyAuthentication and point AuthorizedKeysFile to ".ssh/authorized_keys" I restarted the sshd service.
The line from PuTTYgen should be stored to .ssh/authorized_keys file, not to some file in .ssh/authorized_keys folder.
See https://winscp.net/eng/docs/guide_public_key

Reply with quote

AzaDO
Guest

what "some file"?

Text on a clipboard in not yet a file. An empty file must be created and the clipboard contents pasted into the file. After a check to be sure the text is still on one line the file is saved.

In my case the file name is "id_rsa_pub". The file is then stored on the server in the ".ssh/authorized_keys" folder (sub-directory) and assigned 0600 or 0600 permissions.

Surely you are not suggesting the public key be placed in a file named "authorized_keys"! The /etc/ssh/sshd_config file explicitly states that that for PubkeyAuthentication the AuthorizedKeysFile containing the keys (presumably with any name) is in the ".ssh/authorized_keys" *folder*.

Regards,

Aza

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
41,276
Location:
Prague, Czechia

Re: what "some file"?

AzaDO wrote:

Surely you are not suggesting the public key be placed in a file named "authorized_keys"!
Surely, I'm suggesting exactly that.

The /etc/ssh/sshd_config file explicitly states that that for PubkeyAuthentication the AuthorizedKeysFile containing the keys (presumably with any name) is in the ".ssh/authorized_keys" *folder*.
You will have to show us that "explicit statement".

https://man.openbsd.org/sshd_config says (note the part emphasized by me):

Specifies the file that contains the public keys used for user authentication. The format is described in the AUTHORIZED_KEYS FILE FORMAT section of sshd(8). Arguments to AuthorizedKeysFile accept the tokens described in the TOKENS section. After expansion, AuthorizedKeysFile is taken to be an absolute path or one relative to the user's home directory. Multiple files may be listed, separated by whitespace. Alternately this option may be set to none to skip checking for user keys in files. The default is “.ssh/authorized_keys .ssh/authorized_keys2”.

So the .ssh/authorized_keys refers clearly to a file, not any folder.

Reply with quote

Advertisement

You can post new topics in this forum