ssh & passphrases on FC2
Bill Gradwohl
bill at ycc.com
Fri Feb 11 21:56:01 UTC 2005
William Hooper wrote:
>And you are using the -i option to tell ssh what key to use, right?
>Perhaps you can provide us with some ssh debug output?
Your suggestion to supply debug output led me to some experimentation to
supply that output, and that then led me to conclude that I'm not
understanding what certain options are supposed to do.
Here's a base ssh_config file I started with:

Host *
    BatchMode no
    ChallengeResponseAuthentication yes
    ForwardX11 yes
    HostbasedAuthentication no
    HostKeyAlgorithms ssh-rsa,ssh-dss
    KerberosAuthentication no
    PasswordAuthentication yes
    PreferredAuthentications publickey,keyboard-interactive,password
    Protocol 2
    PubkeyAuthentication yes
    RhostsAuthentication no
    RhostsRSAAuthentication no
    RSAAuthentication no

I took this file and modified only one line of it - the
PreferredAuthentications line to specify only one method at a time, and
then hit a remote box via the ssh command. The remote box has
authorized_key* files that contain the keys for the box local to me.
When I use an agent, it's seamless. What I'm trying to set up is working
without an agent.
With no agent running and with:
    PreferredAuthentications publickey
I ssh to the remote box and get the passphrase prompt only, which is
what I was after originally.
Then I thought, "Wait a minute, that looks like keyboard interaction to
me, so what does the 'keyboard-interactive' option do?"
So, with no agent running and with:
    PreferredAuthentications keyboard-interactive
I ssh to the remote box and get the password prompt only. Now that is
keyboard interactive, but I never specified it to use the password
method. Strange.
So, with no agent running and with:
    PreferredAuthentications password
I ssh to the remote box and get thrown out immediately.
Very confusing!
I've Googled and man paged to try to get definitions for
keyboard-interactive and ChallengeResponseAuthentication as they appear
to have something to do with this confusion.
If you can shed some light on this I'd appreciate it.
--
Bill Gradwohl
bill at ycc.com
http://www.ycc.com
spamSTOMPER Protected email
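
[Added example, not part of the original message or of OpenSSH.] The experiment above varies only what the client prefers; the server separately advertises which methods it will accept, and "ssh -v" prints that list. The script below intersects the two lists. The debug lines are constructed, and the server they model (offering publickey and keyboard-interactive but not password) is an assumption, one configuration that produces the three outcomes described, not a diagnosis of the poster's server.

```shell
#!/bin/sh
# Constructed sample of `ssh -v` client output (assumption, not from the post):
# a server that advertises publickey and keyboard-interactive, but not password.
SAMPLE_DEBUG='debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey'

# Read `ssh -v` output on stdin, print the first server-advertised method list.
offered_methods() {
    sed -n 's/^debug1: Authentications that can continue: //p' | head -n 1
}

# usable_methods PREFERRED OFFERED
# Print, in client preference order, the methods that appear in both comma lists.
usable_methods() {
    result=
    old_ifs=$IFS
    IFS=,
    for want in $1; do
        for have in $2; do
            if [ "$want" = "$have" ]; then
                result="${result:+$result,}$want"
            fi
        done
    done
    IFS=$old_ifs
    printf '%s\n' "$result"
}

# explain PREFERRED DEBUG_TEXT
# Report what the client can attempt for one PreferredAuthentications value.
explain() {
    offered=$(printf '%s\n' "$2" | offered_methods)
    usable=$(usable_methods "$1" "$offered")
    if [ -n "$usable" ]; then
        printf 'preferred=%s offered=%s -> will try: %s\n' "$1" "$offered" "$usable"
    else
        printf 'preferred=%s offered=%s -> nothing to try, ssh gives up\n' "$1" "$offered"
    fi
}

# Repeat the one-method-at-a-time experiment against the constructed sample.
for pref in publickey keyboard-interactive password; do
    explain "$pref" "$SAMPLE_DEBUG"
done
```

Real debug output goes to stderr, so capture it with 2>&1 before piping it into offered_methods; a single run can set the preference with -o PreferredAuthentications=... instead of editing ssh_config.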