Problems using public key authentication in N900.
 

I installed openssh (server and client) and tried setting up public key authentication to login into the N900 from my Ubuntu machine, but it's not working.
I generated the keys in Ubuntu with ssh-keygen, copied id_rsa.pub to /home/user/.ssh/authorized_keys in the N900 and it still asks for password when I try
ssh user@N900_ip from the Ubuntu machine.
I made sure the folder .ssh is chmod 700 in the N900 and the file /home/user/.ssh/authorized_keys is chmod 600.
(Public authentication works using the N900 as client to login into Ubuntu.)
I also cannot find the ssh logs in the N900 itself.
I thought it would be /var/log/auth.log, as in Ubuntu, but it's not.
Any suggestions?

I apologize it this has been discussed in some other thread.

Re: Problems using public key authentication in N900.
 

Although I've not yet tried SSHing into my N900 yet, on my N800 I used to SSH in as root. If I didn't want privileges (which wasn't often), I'd su to user. Perhaps this will help?

Re: Problems using public key authentication in N900.
 

I don't have an N900
I assume just like any linux, and even the N800, just cd to .ssh,
that is /home/user/.ssh
open the file known_hosts
and clear the contents.

Do this on both ubuntu and the N900, and when you try to ssh next time it should ask if you want to trust the device and then automatically setup a key again.

Again I don't own an N900 but this works for me on my N800 and ubuntu desktop

***EDIT***
sorry idk how much linux experience you have:
you may have to be root when opening the file to be able to save it.
on N900 idk what editor is available. On N800 I just use leafpad, so from the command line I would type:
sudo leafpad .ssh/known_hosts
and this would open the file to edit in leafpad

Re: Problems using public key authentication in N900.
 

Thanks,
I can ssh in as root with password authentication. That is,
I can ssh root@N900_ip and it asks for password and it works. Then as root, I can, as you suggest, su - user, and become "user". But I was trying to login using public keys just because I think it would be more secure in addition to having changed the default root password when I installed openssh server. The next step would be to disable root login.

Re: Problems using public key authentication in N900.
 

Thanks, I will try clearing the known_hosts files. I only have the default vi editor in the N900 and I don't know how to use it very well yet.

Re: Problems using public key authentication in N900.
 

Couple of things to try:

- on embedded type devices (maybe the N900?), the /var directory is sometimes dumped into the /tmp directory... making the directory you're looking for /tmp/var/log
- also are you confusing password with passphrase?

Re: Problems using public key authentication in N900.
 

Mine works. How did you do the copy? Maybe the file
got corrupted.

Does md5sum give the same results on the n900 authorized_keys and the ubuntu id_rsa.pub give the same results?

Try ssh -v
in both directions. The resulting debug output will be
voluminous and maybe obtuse, but any difference may
be a clue.

Re: Problems using public key authentication in N900.
 

Have you tried: ssh -vvv that way you'll get a ton of info. If that fails. try setting that on the server and check what it stores in the log.

Re: Problems using public key authentication in N900.
 

Really - wierd ? Try logging in then do a
to find out which log file it uses; if that doesn't work try /tmp instead.

Re: Problems using public key authentication in N900.
 

Are you logging into the N900 as root?

In that case the authorized_keys file should be in /root/.ssh
HTH

Re: Problems using public key authentication in N900.
 

Hello,

Thanks to everyone who posted a suggestion.
This is what I did, I ssh'ed in as root and gave `user' a password. Then I cleared the known_hosts files in both the N900 and the ubuntu machine. I also chmod'ed to 400 the file authorized_keys in the N900.
(I originally had copied the id_rsa.pub file ssh'ing as root and chown'ed the file to user:users to copy it to /home/users/authorized_keys. )

Now I can ssh in as `user' and I don't get prompted for the password, only the passphrase for the public key.
I plan to edit sshd_config to have
PasswordAuthentication no
PermitRootLogin no

I will also try installing rootsh to become root if necessary.

Thanks,

Re: Problems using public key authentication in N900.
 

I looked in /tmp and /var and there does not seem to be a log file for the ssh server, or anything else for that matter. I read in a post yesterday that apparently one has to install something to have logs. Perhaps it's like that to save space on growing log files?
Thanks,

Re: Problems using public key authentication in N900.
 

Yes, that's the reason: Growing log files would sooner or later create a problem for the common user.

Re: Problems using public key authentication in N900.
 

hi, i have got 2 questions regarding SSH (using OpenSSH) ...

1. How do you shut the daemon down ? :-\
/etc/init.d/ssh stop gives me a message saying SSH stopped. But 'ps aux' shows the server to be running.
kill -9 'pid of /usr/sbin/sshd -D' executes successfully but the SSH sever respawns with a different pid.
Any suggestions ?

2. Is anyone facing performance issues with SSH? i tried using putty to connect to the ssh server running on the N900. But the performance is quite slow. Takes 3-4 second for typed commands to show. Can wifi PSM be a reason ? (http://talk.maemo.org/showthread.php?p=380339)

Appreciate any help. Thanks

Re: Problems using public key authentication in N900.
 

I don't see any problems. One thing you could do to find out if wifi is the issue is to try USB networking first and see if that works correctly.

Re: Problems using public key authentication in N900.
 

will try that out .. seems my machine needs a fresh installation as it does not detect my device for installation .. does an installed pc suite cause any conflicts by any chance ?

any ideas on how to stop the ssh server ?

thanks ..

Re: Problems using public key authentication in N900.
 

Yes, in order for the key to be accepted, the user account needs a password set. Do (as root):
passwd user

The permissions for the ~/.ssh directory and authorized hosts files can be u+rw[x] but must be go-rw[x] (you may want to be able to update known_hosts if shelling out).

Re: Problems using public key authentication in N900.
 

If you want to prevent sshd from running automatically, you can remove it from runlevel 2 by using the update-rc.d script. Alternatively, you can prevent the init.d script from starting the daemon by creating a file in ssh config directory (which you would have to (say) rename in order to start the daemon manually):
touch /etc/ssh/sshd_not_to_be_run.

Not sure if removing the init script from the runlevel would prevent it from respawning, though.

Re: Problems using public key authentication in N900.
 

For starting/stopping sshd use `start sshd` and `stop sshd` respectively. The N900/maemo5 uses upstart instead of sysv-init, startup files are in /etc/event.d/ instead of init.d, the list of services is shown by `initctl list`.

Some notes for those that want to allow ssh for 'user' with publickey authentication without setting a password for the account:

sshd prevents successful authentication since it sees 'user' as locked, i.e. it has a '!' in the /etc/passwd file and there is no /etc/shadow file. The only way I found to change that is to create an /etc/shadow file with 'NP' in the password field for user, e.g.::

user:NP:1000::::::

Then, if the authorized_keys are set up, publickey ssh login works, and until now I have not seen any negative effect because of the new shadow file.
(Please tell me if you can think of one!)

Re: Problems using public key authentication in N900.
 

I'm not sure of any reason to not give the user account a password (on this platform). If enabling any kind of external access methods (and really, for any reason whatsoever), it would seem contrary to general principles of security consciousness. I also recommend assigning a strong root password, to help insulate against generic userland exploits.

If the passwordless method described is chosen, the user MUST disable password authentication in /etc/ssh/sshd_config (or anyone connecting will be granted shell access (and presumably, soon thereafter, root)). I recommend the following settings, regardless:

PermitRootLogin no
PasswordAuthentication no

Also, consider changing the default port if operating in a hostile zone.

If the sshd_config file were overwritten with a "fresh" (unedited) copy, then a passwordless user account would be granted shell access without authentication.

Re: Problems using public key authentication in N900.
 

Amen to the strong root password! However, the method described does not allow passwordless logins, on the contrary, since "NP" is not the hash of any password, login with password is now impossible both locally (as before) and via ssh. (I just verified that by changing my sshd_config and trying.)

My reasoning for not assigning 'user' a password is to avoid any conflicts with other changes during system updates. (Extra file instead of changed file, I still have a root password hash in /etc/passwd though...)
It does not really make a big difference probably, it is, however, actually more secure than assigning a password!

Nevertheless...

... what cowb0y said.

Re: Problems using public key authentication in N900.
 

Thanks for the clarification.