Apr 18, 2018 Copy the Public Key to CentOS Server The quickest way to copy your public key to the CentOS host is to use a utility called ssh-copy-id.
one went into ~/.ssh, the other into ~/ then I added the public key from ~/ to authorized_keys: [code]# cat ~/id_rsa.pub > ~/.ssh/authorized_keys[/code] then I restarted sshd. I then moved the key pair from ~/ to ~/.ssh/ on a different box. Now, ssh to the original CentOS box does not work. Here is the debugging output sshd -Dddd [code] debug2: load_server_config: filename /etc/ssh/sshd_config debug2: load_server_config: done config len = 681 debug2: parse_server_config: config /etc/ssh/sshd_config len 681 debug3: /etc/ssh/sshd_config:21 setting Protocol 2 debug3: /etc/ssh/sshd_config:26 setting HostKey /etc/ssh/ssh_host_rsa_key debug3: /etc/ssh/sshd_config:36 setting SyslogFacility AUTHPRIV debug3: /etc/ssh/sshd_config:47 setting RSAAuthentication yes debug3: /etc/ssh/sshd_config:48 setting PubkeyAuthentication yes debug3: /etc/ssh/sshd_config:49 setting AuthorizedKeysFile ~/.ssh/authorized_keys debug3: /etc/ssh/sshd_config:66 setting PasswordAuthentication yes debug3: /etc/ssh/sshd_config:70 setting ChallengeResponseAuthentication no debug3: /etc/ssh/sshd_config:80 setting GSSAPIAuthentication yes debug3: /etc/ssh/sshd_config:82 setting GSSAPICleanupCredentials yes debug3: /etc/ssh/sshd_config:96 setting UsePAM yes debug3: /etc/ssh/sshd_config:99 setting AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES debug3: /etc/ssh/sshd_config:100 setting AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT debug3: /etc/ssh/sshd_config:101 setting AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE debug3: /etc/ssh/sshd_config:102 setting AcceptEnv XMODIFIERS debug3: /etc/ssh/sshd_config:108 setting X11Forwarding yes debug3: /etc/ssh/sshd_config:131 setting Subsystem sftp /usr/libexec/openssh/sftp-server debug1: sshd version OpenSSH_5.3p1 debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. debug1: read PEM private key done: type RSA debug1: private host key: #0 type 1 RSA debug1: rexec_argv[0]='/usr/sbin/sshd' debug1: rexec_argv[1]='-Dddd' debug2: fd 3 setting O_NONBLOCK debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. debug2: fd 4 setting O_NONBLOCK debug1: Bind to port 22 on ::. Server listening on :: port 22. debug3: fd 5 is not O_NONBLOCK debug1: Server will not fork when running in debugging mode. debug3: send_rexec_state: entering fd = 8 config len 681 debug3: ssh_msg_send: type 0 debug3: send_rexec_state: done debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8 debug1: inetd sockets after dupping: 3, 3 Connection from 192.168.0.7 port 3157 debug1: Client protocol version 2.0; client software version OpenSSH_5.1 debug1: match: OpenSSH_5.1 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_5.3 debug2: fd 3 setting O_NONBLOCK debug2: Network child is on pid 1514 debug3: preauth child monitor started debug3: mm_request_receive entering debug3: privsep user:group 74:74 debug1: permanently_set_uid: 74/74 debug1: list_hostkey_types: ssh-rsa debug1: SSH2_MSG_KEXINIT sent debug3: Wrote 776 bytes for a total of 797 debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,[email protected] debug2: kex_parse_kexinit: none,[email protected] debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,[email protected],zlib debug2: kex_parse_kexinit: none,[email protected],zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_setup: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 none debug2: mac_setup: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received debug3: mm_request_send entering: type 0 debug3: monitor_read: checking request 0 debug3: mm_answer_moduli: got parameters: 1024 1024 8192 debug3: mm_request_send entering: type 1 debug2: monitor_read: 0 used once, disabling now debug3: mm_request_receive entering debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI debug3: mm_request_receive_expect entering: type 1 debug3: mm_request_receive entering debug3: mm_choose_dh: remaining 0 debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent debug3: Wrote 152 bytes for a total of 949 debug2: dh_gen_key: priv key bits set: 129/256 debug2: bits set: 518/1024 debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT debug2: bits set: 514/1024 debug3: mm_key_sign entering debug3: mm_request_send entering: type 5 debug3: monitor_read: checking request 5 debug3: mm_answer_sign debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN debug3: mm_request_receive_expect entering: type 6 debug3: mm_request_receive entering debug3: mm_answer_sign: signature 0x152a590(271) debug3: mm_request_send entering: type 6 debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug3: Wrote 720 bytes for a total of 1669 debug2: monitor_read: 5 used once, disabling now debug3: mm_request_receive entering debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug3: Wrote 48 bytes for a total of 1717 debug1: userauth-request for user root service ssh-connection method none debug1: attempt 0 failures 0 debug3: mm_getpwnamallow entering debug3: mm_request_send entering: type 7 debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM debug3: mm_request_receive_expect entering: type 8 debug3: mm_request_receive entering debug3: monitor_read: checking request 7 debug3: mm_answer_pwnamallow debug3: Trying to reverse map address 192.168.0.7. debug2: parse_server_config: config reprocess config len 681 debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1 debug3: mm_request_send entering: type 8 debug2: input_userauth_request: setting up authctxt for root debug3: mm_start_pam entering debug3: mm_request_send entering: type 50 debug3: mm_inform_authserv entering debug3: mm_request_send entering: type 3 debug3: mm_inform_authrole entering debug3: mm_request_send entering: type 4 debug2: input_userauth_request: try method none debug3: Wrote 80 bytes for a total of 1797 debug2: monitor_read: 7 used once, disabling now debug3: mm_request_receive entering debug3: monitor_read: checking request 50 debug1: PAM: initializing for 'root' debug1: PAM: setting PAM_RHOST to '(server).(domain).local' debug1: PAM: setting PAM_TTY to 'ssh' debug2: monitor_read: 50 used once, disabling now debug3: mm_request_receive entering debug3: monitor_read: checking request 3 debug3: mm_answer_authserv: service=ssh-connection, style= debug2: monitor_read: 3 used once, disabling now debug3: mm_request_receive entering debug3: monitor_read: checking request 4 debug3: mm_answer_authrole: role= debug2: monitor_read: 4 used once, disabling now debug3: mm_request_receive entering debug1: userauth-request for user root service ssh-connection method publickey debug1: attempt 1 failures 0 debug2: input_userauth_request: try method publickey debug1: test whether pkalg/pkblob are acceptable debug3: mm_key_allowed entering debug3: mm_request_send entering: type 21 debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED debug3: mm_request_receive_expect entering: type 22 debug3: mm_request_receive entering debug3: monitor_read: checking request 21 debug3: mm_answer_keyallowed entering debug3: mm_answer_keyallowed: key_from_blob: 0x152cc70 debug1: temporarily_use_uid: 0/0 (e=0/0) debug1: trying public key file /root/.ssh/authorized_keys debug1: fd 4 clearing O_NONBLOCK debug3: secure_filename: checking '/root/.ssh' debug3: secure_filename: checking '/root' debug3: secure_filename: terminating check at '/root' debug1: matching key found: file /root/.ssh/authorized_keys, line 1 Found matching RSA key: b3:d3:a4:2a:b3:e8:ec:d0:61:96:fd:01:00:34:ad:c6 debug1: restore_uid: 0/0 debug3: mm_answer_keyallowed: key 0x152cc70 is allowed debug3: mm_request_send entering: type 22 debug3: Wrote 320 bytes for a total of 2117 debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa Postponed publickey for root from 192.168.0.7 port 3157 ssh2 debug3: mm_request_receive entering debug1: userauth-request for user root service ssh-connection method publickey debug1: attempt 2 failures 0 debug2: input_userauth_request: try method publickey debug3: mm_key_allowed entering debug3: mm_request_send entering: type 21 debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED debug3: mm_request_receive_expect entering: type 22 debug3: mm_request_receive entering debug3: monitor_read: checking request 21 debug3: mm_answer_keyallowed entering debug3: mm_answer_keyallowed: key_from_blob: 0x152ea78 debug1: temporarily_use_uid: 0/0 (e=0/0) debug1: trying public key file /root/.ssh/authorized_keys debug1: fd 4 clearing O_NONBLOCK debug3: secure_filename: checking '/root/.ssh' debug3: secure_filename: checking '/root' debug3: secure_filename: terminating check at '/root' debug1: matching key found: file /root/.ssh/authorized_keys, line 1 Found matching RSA key: b3:d3:a4:2a:b3:e8:ec:d0:61:96:fd:01:00:34:ad:c6 debug1: restore_uid: 0/0 debug3: mm_answer_keyallowed: key 0x152ea78 is allowed debug3: mm_request_send entering: type 22 debug3: mm_key_verify entering debug3: mm_request_send entering: type 23 debug3: mm_key_verify: waiting for MONITOR_ANS_KEYVERIFY debug3: mm_request_receive_expect entering: type 24 debug3: mm_request_receive entering debug3: mm_request_receive entering debug3: monitor_read: checking request 23 debug1: ssh_rsa_verify: signature correct debug3: mm_answer_keyverify: key 0x152ec98 signature verified debug3: mm_request_send entering: type 24 debug2: userauth_pubkey: authenticated 1 pkalg ssh-rsa debug3: mm_do_pam_account entering debug3: mm_request_send entering: type 51 debug3: mm_request_receive_expect entering: type 52 debug3: mm_request_receive entering debug3: mm_request_receive_expect entering: type 51 debug3: mm_request_receive entering debug1: do_pam_account: called debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success) debug3: mm_request_send entering: type 52 Accepted publickey for root from 192.168.0.7 port 3157 ssh2 debug1: monitor_child_preauth: root has been authenticated by privileged process debug3: mm_get_keystate: Waiting for new keys debug3: mm_request_receive_expect entering: type 25 debug3: mm_request_receive entering debug3: mm_do_pam_account returning 1 debug3: Wrote 32 bytes for a total of 2149 debug3: mm_send_keystate: Sending new keys: 0x1520418 0x1522310 debug3: mm_newkeys_to_blob: converting 0x1520418 debug3: mm_newkeys_to_blob: converting 0x1522310 debug3: mm_send_keystate: New keys have been sent debug3: mm_send_keystate: Sending compression state debug3: mm_request_send entering: type 25 debug3: mm_send_keystate: Finished sending state debug3: mm_newkeys_from_blob: 0x152ea18(118) debug2: mac_setup: found hmac-md5 debug3: mm_get_keystate: Waiting for second key debug3: mm_newkeys_from_blob: 0x152ea18(118) debug2: mac_setup: found hmac-md5 debug3: mm_get_keystate: Getting compression state debug3: mm_get_keystate: Getting Network I/O buffers debug3: mm_share_sync: Share sync debug3: mm_share_sync: Share sync end debug1: temporarily_use_uid: 0/0 (e=0/0) debug1: ssh_gssapi_storecreds: Not a GSSAPI mechanism debug1: restore_uid: 0/0 debug1: SELinux support enabled debug3: ssh_selinux_setup_pam_variables: setting execution context debug1: PAM: establishing credentials debug3: PAM: opening session debug3: PAM: sshpam_store_conv called with 1 messages PAM: pam_open_session(): Authentication failure debug2: set_newkeys: mode 0 debug2: set_newkeys: mode 1 debug1: Entering interactive session for SSH2. debug2: fd 5 setting O_NONBLOCK debug2: fd 6 setting O_NONBLOCK debug1: server_init_dispatch_20 debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384 debug1: input_session_request debug1: channel 0: new [server-session] debug2: session_new: allocate (allocated 0 max 10) debug3: session_unused: session id 0 unused debug1: session_new: session 0 debug1: session_open: channel 0 debug1: session_open: session 0: link with channel 0 debug1: server_input_channel_open: confirm session debug1: server_input_global_request: rtype [email protected] want_reply 0 debug3: Wrote 48 bytes for a total of 2197 debug1: server_input_channel_req: channel 0 request pty-req reply 1 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req pty-req debug1: Allocating pty. debug1: session_pty_req: session 0 alloc /dev/pts/0 debug3: ssh_selinux_setup_pty: setting TTY context on /dev/pts/0 ssh_selinux_setup_pty: security_compute_relabel: Invalid argument debug3: ssh_selinux_setup_pty: done debug1: server_input_channel_req: channel 0 request shell reply 1 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req shell debug2: fd 3 setting TCP_NODELAY debug2: channel 0: rfd 9 isatty debug2: fd 9 setting O_NONBLOCK debug3: fd 7 is O_NONBLOCK debug3: Wrote 112 bytes for a total of 2309 debug1: Setting controlling tty using TIOCSCTTY. debug3: Wrote 112 bytes for a total of 2421 debug3: Wrote 80 bytes for a total of 2501 debug3: Wrote 112 bytes for a total of 2613 debug2: channel 0: read<=0 rfd 9 len -1 debug2: channel 0: read failed debug2: channel 0: close_read debug2: channel 0: input open -> drain debug2: channel 0: ibuf empty debug2: channel 0: send eof debug2: channel 0: input drain -> closed debug3: Wrote 32 bytes for a total of 2645 debug1: Received SIGCHLD. debug1: session_by_pid: pid 1516 debug1: session_exit_message: session 0 channel 0 pid 1516 debug2: channel 0: request exit-status confirm 0 debug1: session_exit_message: release channel 0 debug2: channel 0: write failed debug2: channel 0: close_write debug2: channel 0: send eow debug2: channel 0: output open -> closed debug1: session_pty_cleanup: session 0 release /dev/pts/0 debug2: channel 0: send close debug3: channel 0: will not send data after close debug2: notify_done: reading debug3: Wrote 160 bytes for a total of 2805 debug3: channel 0: will not send data after close debug2: channel 0: rcvd close debug3: channel 0: will not send data after close debug2: channel 0: is dead debug2: channel 0: gc: notify user debug1: session_by_channel: session 0 channel 0 debug1: session_close_by_channel: channel 0 child 0 debug1: session_close: session 0 pid 0 debug3: session_unused: session id 0 unused debug2: channel 0: gc: user detached debug2: channel 0: is dead debug2: channel 0: garbage collecting debug1: channel 0: free: server-session, nchannels 1 debug3: channel 0: status: The following connections are open: #0 server-session (t4 r0 i3/0 o3/0 fd -1/-1 cfd -1) debug3: channel 0: close_fds r -1 w -1 e -1 c -1 Connection closed by 192.168.0.7 debug1: do_cleanup debug1: PAM: cleanup debug1: PAM: deleting credentials debug3: PAM: sshpam_thread_cleanup entering Transferred: sent 2544, received 2480 bytes Closing connection to 192.168.0.7 port 3157 [/code] ssh -vvv root@(host) [code] OpenSSH_5.1p1, OpenSSL 0.9.8k 25 Mar 2009 debug2: ssh_connect: needpriv 0 debug1: Connecting to 192.168.0.111 [192.168.0.111] port 22. debug1: Connection established. debug1: identity file /cygdrive/c/Documents and Settings/(user)/.ssh/identity type -1 debug3: Not a RSA1 key file /cygdrive/c/Documents and Settings/(user)/.ssh/id_rsa. debug2: key_type_from_name: unknown key type '-----BEGIN' debug3: key_read: missing keytype debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug2: key_type_from_name: unknown key type '-----END' debug3: key_read: missing keytype debug1: identity file /cygdrive/c/Documents and Settings/(user)/.ssh/id_rsa type 1 debug1: identity file /cygdrive/c/Documents and Settings/(user)/.ssh/id_dsa type -1 debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3 debug1: match: OpenSSH_5.3 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_5.1 debug2: fd 3 setting O_NONBLOCK debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,[email protected],zlib debug2: kex_parse_kexinit: none,[email protected],zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,[email protected] debug2: kex_parse_kexinit: none,[email protected] debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0
Generate Ssh Key Centos 7
debug2: mac_setup: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 none debug2: mac_setup: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug2: dh_gen_key: priv key bits set: 120/256 debug2: bits set: 543/1024 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug3: check_host_in_hostfile: filename /cygdrive/c/Documents and Settings/(user)/.ssh/known_hosts debug3: check_host_in_hostfile: match line 1 debug1: Host '192.168.0.111' is known and matches the RSA host key. debug1: Found key in /cygdrive/c/Documents and Settings/(user)/.ssh/known_hosts:1 debug2: bits set: 502/1024 debug1: ssh_rsa_verify: signature correct debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /cygdrive/c/Documents and Settings/(user)/.ssh/identity (0x0) debug2: key: /cygdrive/c/Documents and Settings/(user)/.ssh/id_rsa (0xaabf08) debug2: key: /cygdrive/c/Documents and Settings/(user)/.ssh/id_dsa (0x0) debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password debug3: preferred publickey,keyboard-interactive,password debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Trying private key: /cygdrive/c/Documents and Settings/(user)/.ssh/identity debug3: no such identity: /cygdrive/c/Documents and Settings/(user)/.ssh/identity debug1: Offering public key: /cygdrive/c/Documents and Settings/(user)/.ssh/id_rsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug1: Trying private key: /cygdrive/c/Documents and Settings/(user)/.ssh/id_dsa debug3: no such identity: /cygdrive/c/Documents and Settings/(user)/.ssh/id_dsa debug2: we did not send a packet, disable method debug3: authmethod_lookup password debug3: remaining preferred: ,password debug3: authmethod_is_enabled password debug1: Next authentication method: password [/code] Here is my sshd_config: [code] # $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options change a # default value. #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: # Disable legacy (protocol version 1) support in the server for new # installations. In future the default will change to require explicit # activation of protocol 1 Protocol 2 # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #ServerKeyBits 1024 # Logging # obsoletes QuietMode and FascistLogging #SyslogFacility AUTH SyslogFacility AUTHPRIV #LogLevel INFO # Authentication: #LoginGraceTime 2m #PermitRootLogin yes #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 RSAAuthentication yes PubkeyAuthentication yes AuthorizedKeysFile ~/.ssh/authorized_keys #AuthorizedKeysCommand none #AuthorizedKeysCommandRunAs nobody # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes #PermitEmptyPasswords no PasswordAuthentication yes # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes ChallengeResponseAuthentication no # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no # GSSAPI options #GSSAPIAuthentication no GSSAPIAuthentication yes #GSSAPICleanupCredentials yes GSSAPICleanupCredentials yes #GSSAPIStrictAcceptorCheck yes #GSSAPIKeyExchange no # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of 'PermitRootLogin without-password'. # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. #UsePAM no UsePAM yes # Accept locale-related environment variables AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE AcceptEnv XMODIFIERS #AllowAgentForwarding yes
Ssh On Centos
#AllowTcpForwarding yes #GatewayPorts no #X11Forwarding no X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes #UseLogin no #UsePrivilegeSeparation yes #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 #ShowPatchLevel no
Generate Ssh Public Key Centos 10
#UseDNS yes
Generate Ssh Public Key Centos Server
#PidFile /var/run/sshd.pid #MaxStartups 10 #PermitTunnel no #ChrootDirectory none # no default banner path #Banner none # override default of no subsystems Subsystem sftp /usr/libexec/openssh/sftp-server # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no # AllowTcpForwarding no # ForceCommand cvs server [/code]
Introduction
Secure Shell (SSH) is an encrypted protocol used by Linux users to connect to their remote servers.
Generally, there are two ways for clients to access their servers – using password based authentication or public key based authentication.
Using SSH keys for authentication is highly recommended, as a safer alternative to passwords.
This tutorial will guide you through the steps on how to generate and set up SSH keys on CentOS 7. We also cover connecting to a remote server using the keys and disabling password authentication.
1. Check for Existing Keys
Prior to any installation, it is wise to check whether there are any existing keys on the client machines.
Open the terminal and list all public keys stored with the following command:
The output informs you about any generated keys currently on the system. If there aren’t any, the message tells you it cannot access /.ssh/id_*.pub , as there is no such file or directory.
2. Verify SSH is Installed
To check if thw package is installed, run the command:
If you already have SSH, the output tells you which version it is running. Currently, the latest version is OpenSSH 8.0/8.0p1.
Note: Refer to our guide If you need to install and enable SSH on your CentOS system.
Steps to Creating SSH keys on CentOS
Step 1: Create SSH Key Pair
1. Start by logging into the source machine (local server) and creating a 2048-bit RSA key pair using the command:
If you want to tighten up security measures, you can create a 4096-bit key by adding the -b 4096 flag:
2. After entering the command, you should see the following prompt:
3. To save the file in the suggested directory, press Enter. Alternatively, you can specify another location.
Note: If you already have a key pair in the proposed location, it is advisable to pick another directory. Otherwise it will overwrite existing SSH keys.
4. Next, the prompt will continue with:
Although creating a passphrase isn’t mandatory, it is highly advisable.
5. Finally, the output will end by specifying the following information:
Now you need to add the public key to the remote CentOS server.
You can copy the public SSH key on the remote server using several different methods:
using the ssh-copy-id script
using Secure Copy (scp)
manually copying the key
The fastest and easiest method is by utilizing ssh-copy-id. If the option is available, we recommend using it. Otherwise, try any of the other two noted.
1. Start by typing the following command, specifying the SSH user account, and the IP address of the remote host:
If it is the first time your local computer is accessing this specific remote server you will receive the following output:
2. Confirm the connection – type yes and hit Enter.
3. Once it locates the id_rsa.pub key created on the local machine, it will ask you to provide the password for the remote account. Type in the password and hit Enter.
4. Once the connection has been established, it adds the public key on the remote server. This is done by copying the ~/.ssh/id_rsa.pub file to the remote server’s ~/.ssh directory. You can locate it under the name authorized_keys.
5. Lastly, the output tells you the number of keys added, along with clear instructions on what to do next:
1. First, set up an SSH connection with the remote user:
2. Next, create the ~/.ssh directory as well as the authorized_keys file:
3. Use the chmod command to change the file permission:
chmod 700 makes the file executable, while chmod 600 allows the user to read and write the file.
4. Now, open a new terminal session, on the local computer.
5. Copy the content from id_rsa.pub (the SSH public key) to the previously created authorized_keys file on the remote CentOS server by typing the command:
With this, the public key has been safely stored on the remote account.
1. To manually add the public SSH key to the remote machine, you first need to open the content from the ~/.ssh/id_rsa.pub file:
2. As in the image below, the key starts with ssh-rsa and ends with the username of the local computer and hostname of the remote machine:
3. Copy the content of the file, as you will need later.
4. Then, in the terminal window, connect to the remote server on which you wish to copy the public key. Use the following command to establish the connection:
5. Create a ~/.ssh directory and authorized_keys file on the CentOS server with the following command:
Ssh Public Key Authentication
6. Change their file permission by typing:
7. Next, open the authorized_keys file with an editor of your preference. For example, to open it with Nano, type:
8. Add the public key, previously copied in step 2 of this section, in a new line in (under the existing content).
9. Save the changes and close the file.
10. Finally, log into the server to verify that everything is set up correctly.
Once you have completed the previous steps (creating an RSA Key Pair and copying the Public Key to the CentOS server), you will be able to connect to the remote host without typing the password for the remote account.
All you need to do is type in the following command:
If you didn’t specify a passphrase while creating the SSH key pair, you will automatically log in the remote server.
Otherwise, type in the passphrase you supplied in the initial steps and press Enter.
Once the shell confirms the key match, it will open a new session for direct communication with the server.
Although you managed to access the CentOS server without having to provide a password, it still has a password-based authentication system running on the machine. This makes it a potential target for brute force attacks.
You should disable password authentication entirely by following the outlined steps.
Note: Consider performing the following steps through a non-root account with sudo privileges, as an additional safety layer.
1. Using the SSH keys, log into the remote CentOS server which has administrative privileges:
2. Next, open the SSH daemon configuration file using a text editor of your choice:
3. Look for the following line in the file:
4. Edit the configuration by changing the yes value to no. Thus, the directive should be as following:
5. Save the file and exit the text editor. 6. To enable the changes, restart the sshdservice using the command:
7. Verify the SSH connection to the server is still functioning correctly. Open a new terminal window and type in the command:
In this article, you learned how to generate SSH key pairs and set up an SSH key-based authentication. We also covered copying keys to your remote CentOS server, and disabling SSH password authentication.