Putty & Certificate Authentication.

Can anyone help?

Scenario

I have 2 ESX 3.0.2.Upd1 host machines that are managed from a laptop. Using PuttyGen I have created my id_rsa.txt, id_rsa.pub and id_rsa.ppk keys. I have then FTP'd my id_rsa.txt to the /$home/.ssh directory, changed the permissions to -rw------- and ownership to owner:owner, and renamed the file authorized_keys. I have then started up Putty in the normal way and configured it to use the id_rsa.ppk previously created.

Problem

I get either "Server Refused Key" or "No Authentication Methods Available".

Other Info

I have accepted the key request that appears on opening a Putty connection for the first time. But this is not using the keys that I have created and thus doesn't fulfil the security criteria that have been set. The end result must be certificate authentication with all other means disabled. Currently I have bypassed this by amending the sshd_config file.

Is there a file or cache that holds the keys that can be flushed, deleted or amended to clear out any spurious or out-of-date keys?
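
The post above mentions two sshd_config states: the temporary workaround (password logins re-enabled) and the required end state (keys only, everything else off). The following is an added example, not code from the thread or from VMware, that reports which authentication settings an sshd_config actually enforces. It relies on one sshd rule: the first occurrence of a keyword wins, so a `PasswordAuthentication yes` added near the top of the file silently overrides a `no` further down. The two sample configurations are constructed for the demonstration; `Match` blocks are skipped because their settings are conditional, and `Include` files are not followed.

```shell
# Added example, not from the thread: show which authentication settings an
# sshd_config actually enforces. sshd takes the FIRST occurrence of each
# keyword, so a "PasswordAuthentication yes" inserted near the top of the
# file (as a temporary workaround) silently wins over a "no" further down.
# Keywords are matched case-insensitively; Match blocks are skipped because
# their settings apply only conditionally; Include files are not followed.
#
# Usage: effective_sshd_auth /etc/ssh/sshd_config
#        key_only_enforced  /etc/ssh/sshd_config && echo "key-only auth in force"
effective_sshd_auth() {
    awk '
        BEGIN {
            n = split("passwordauthentication pubkeyauthentication challengeresponseauthentication permitrootlogin", want, " ")
            for (i = 1; i <= n; i++) wanted[want[i]] = 1
            # Values sshd assumes when the keyword is absent. PermitRootLogin
            # defaulted to yes before OpenSSH 7.0 and prohibit-password since;
            # "yes" matches the OpenSSH 3.x era of an ESX 3 service console.
            def["passwordauthentication"]          = "yes"
            def["pubkeyauthentication"]            = "yes"
            def["challengeresponseauthentication"] = "yes"
            def["permitrootlogin"]                 = "yes"
        }
        /^[[:space:]]*(#|$)/ { next }             # comments and blank lines
        {
            key = tolower($1)
            if (key == "match") in_match = 1       # everything after Match is conditional
            if (in_match) next
            if ((key in wanted) && !(key in seen)) { seen[key] = 1; val[key] = tolower($2) }
        }
        END {
            for (i = 1; i <= n; i++) {
                k = want[i]
                printf "%s=%s\n", k, (k in val) ? val[k] : def[k] " (default)"
            }
        }
    ' "$@"
}

# Pass/fail gate for the end state the thread asks for: public keys on,
# passwords and challenge-response off. A default is accepted when it
# already has the right value.
key_only_enforced() {
    effective_sshd_auth "$@" | awk -F= '
        BEGIN { bad = 0 }
        $1 == "pubkeyauthentication"            && $2 !~ /^yes/ { bad = 1 }
        $1 == "passwordauthentication"          && $2 !~ /^no/  { bad = 1 }
        $1 == "challengeresponseauthentication" && $2 !~ /^no/  { bad = 1 }
        END { exit bad }'
}

# Constructed sample: the workaround described in the thread, password
# authentication switched on at the top of the file. The "no" at the
# bottom is dead configuration.
sample_weak_config() {
    cat <<'EOF'
# temporary: allow passwords while key authentication is being debugged
PasswordAuthentication yes
Protocol 2
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
EOF
}

# Constructed sample: the end state the thread is aiming for, keys only.
sample_hardened_config() {
    cat <<'EOF'
Protocol 2
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
EOF
}

# Stand-alone demonstration on the constructed samples.
echo "--- weak ---";     sample_weak_config     | effective_sshd_auth
echo "--- hardened ---"; sample_hardened_config | effective_sshd_auth
```

Run `effective_sshd_auth` against the live file after any edit and before `service sshd restart`; the report makes the first-occurrence rule visible, which a quick `grep PasswordAuthentication` does not.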


Hello,

Please give the exact puttygen steps you took.

Also the exact changes you made to sshd_config.

Otherwise we are shooting in the dark here.

Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and  Securing Virtualization Servers', Copyright 2008 Pearson Education. CIO  Virtualization Blog: http://www.cio.com/blog/index/topic/168354, As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization


To create my keys I did the following:

1. Open PuttyGen and select Generate, move the cursor around the space to generate the key.

2. Enter a "Key comment" for reference purposes.

3. Enter a "Key passphrase" then "Confirm passphrase".

4. Click on "Save public key" and save it as id_rsa.pub on the desktop.

5. Click on "Save private key" and save it as id_rsa.ppk on the desktop.

6. Highlight and copy the contents of the key window ("ssh-rsa ..." to the end) and paste into Notepad. Save as id_rsa.txt.

The id_rsa.txt is then FTP'd over to the ESX host into /$home/.ssh and renamed authorized_keys.

As I said previously change ownership and permissions, and as far as I am aware, that should be it.

To use, open Putty, enter the IP address, select SSH/Auth from the Category tree, browse to my id_rsa.ppk file and click Open.

That is as far as I get.

The problem is that this has been working in our test environment, and I am doing nothing different. The systems are identical except for one factor, and that is that the test environment was set up and is being managed from the same laptop. However, the Dev environment was set up with one laptop and managed with another, having moved the .ppk file across. I thought there may be some tie-in between hardware and key, so I generated a new set of keys with the new laptop, but it still fails. That is why I enquired if there was some sort of cache or keyfile that gets written to, that could be cleared.

The only change I made to the sshd_config was to enable Password Authentication so that if and when the certificate failed I could still log on. This eventually will need to be disabled once I have sorted out this problem.
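
The steps above get the public key onto the host, but "Server refused our key" is what PuTTY shows when sshd rejects the file for reasons it never reports to the client. The following is an added example, not code from the thread or from VMware, that audits the server-side conditions for one account: ownership and write bits on the home directory, `~/.ssh` and `authorized_keys` (with `StrictModes`, the default, sshd ignores the file when any of these is group- or world-writable or owned by someone else), and the format of each line. It also flags the RFC 4716 format that PuTTYgen's "Save public key" button writes, which OpenSSH does not accept in authorized_keys; only the single-line text from the key window works, as step 6 above does. The helper assumes GNU coreutils (`stat -c`), as found on an ESX 3 service console; the account name and paths in the usage line are placeholders.

```shell
# Added example, not from the thread: audit the server side of OpenSSH
# public-key login for one account. With StrictModes (the default) sshd
# ignores authorized_keys entirely when the home directory, ~/.ssh or the
# file itself is group/world-writable or owned by someone else, and PuTTY
# then reports "Server refused our key". Assumes GNU coreutils (stat -c),
# as on an ESX 3 service console.
#
# Usage: check_authorized_keys /home/steve steve     # placeholder account

# True when the path has a group- or world-write bit set (octal 022 = 18).
writable_by_others() {
    m=$(printf '%d' "0$(stat -c '%a' "$1")")
    [ $(( m & 18 )) -ne 0 ]
}

check_authorized_keys() {
    home="$1"; user="$2"
    keyfile="$home/.ssh/authorized_keys"
    rc=0

    for p in "$home" "$home/.ssh" "$keyfile"; do
        [ -e "$p" ] || { echo "MISSING: $p"; return 1; }
        owner=$(stat -c '%U' "$p")
        if [ "$owner" != "$user" ]; then
            echo "BAD OWNER: $p belongs to $owner, expected $user"; rc=1
        fi
        if writable_by_others "$p"; then
            echo "BAD MODE: $p is group/world writable ($(stat -c '%a' "$p"))"; rc=1
        fi
    done

    # Every non-comment line must be a single-line OpenSSH public key. The
    # file PuTTYgen writes with "Save public key" is RFC 4716 format
    # ("---- BEGIN SSH2 PUBLIC KEY ----" header, wrapped base64), which sshd
    # does not read; only the text in PuTTYgen's key window is usable here.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) ;;
            '---- BEGIN SSH2 PUBLIC KEY ----'*)
                echo "BAD FORMAT: RFC 4716 header; paste the one-line key from PuTTYgen's window instead"; rc=1 ;;
            'ssh-rsa '*|'ssh-dss '*|'ecdsa-sha2-'*|'ssh-ed25519 '*) ;;
            *' ssh-rsa '*|*' ssh-dss '*|*' ecdsa-sha2-'*|*' ssh-ed25519 '*) ;;   # option-prefixed entries
            *) echo "BAD FORMAT: unrecognised line starting '${line%% *}'"; rc=1 ;;
        esac
    done < "$keyfile"

    # The same key pasted twice (the duplicated-comment case mentioned in the
    # thread) is a sign of a botched copy; report it so the file gets cleaned.
    dups=$(awk '$1 !~ /^#/ && NF >= 2 { print $2 }' "$keyfile" | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "DUPLICATE: the same key appears more than once"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $keyfile passes ownership, mode and format checks"
    return "$rc"
}
```

Run it as root for the account PuTTY is logging in as, not for root itself; the thread's later replies note that root login is refused by default regardless of what is in root's authorized_keys.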


Hello,

There is no keyfile cache. Are you trying to get in as root or another user? Root will not work by default.

Look in ~/.ssh/authorized_keys and see if you have two lines with the same comment. Sometimes that is the issue.

Did you add it to the proper user's authorized_keys file?

Simple things, I know, but there is no cache mechanism for sshd. You could always do 'service sshd restart' and that will clear anything out that was there.

Best regards,
Edward L. Haletky
VMware Communities User Moderator


Hi Edward,

I am using a user that has admin privileges, and once logged on su to root. I have looked at the authorized_keys file, and there is only one key in it, the one that I created using Putty.

I cannot see any reason why this configuration doesn't work. I have done all the things that you suggest during my fault diagnosis but cannot come up with a cause.

My intention is to build a stand-alone host and try to either re-create the fault or see if re-building the host and starting with a clean sheet will cure the problem.

I will keep you posted as to my success/failure...


Hi again Edward,

Thanks for your help thus far, just to give a quick update. I haven't been able to reproduce the problem, but I have been able to get everything to work as expected. This leads me to believe my original thought about a user profile issue was the culprit, although this is not proven. I think that the solution to my problem will be to remove the offending profile and recreate it, then generate a fresh pair of keys and take it from there.

Many thanks for your advice and assistance, this isn't the first time you've got me out of a hole.

Kind regards

Steve Pickering


Hello Steve,

Just another thought, all items pertaining to SSH logins are logged to /var/log/secure and /var/log/messages. Do either of these files have errors pertaining to your login? It could be a permission problem with some aspect of the ssh subsystem. But recreating the profile and keys is a good way to go.

Best regards,
Edward L. Haletky
VMware Communities User Moderator

Last update: 09-24-2008 06:39 AM