FreeBSD and eTokens?

xyyz

Diamond Member
Sep 3, 2000
I thought I could do this:

buy a USB flash device. use keypairs for logging onto my FreeBSD box.... making, for all intents and purposes, an eToken system.

so i went out and got the USB device. i made keypairs for a FreeBSD test account. i then copied the id_dsa.pub to authorized_keys2 under i:\sameer\.ssh\

i then had putty point to the USB Device (I:) as the location for the "Private Key for authentication"

however, when i tried to logon, i got an error message that stated the following:

Unable to use key file "I:\sameer\.ssh\authorized_keys2" (not a private key)

so this is one problem... but the other issue is this. once you have the rsa/dsa keypairs you should no longer be able to login using the user/password combo. however, i was still able to do this.

what gives? my main purpose here is to get a makeshift eToken system running... if i can't do this then I much rather work with the user/password combo.
 

n0cmonkey

Elite Member
Jun 10, 2001
There should be two keys, and I believe you will need both on your usb thingy. And, on the server, change the UsePassword line to no in /etc/ssh/sshd_config.
 

xyyz

Diamond Member
Sep 3, 2000
Originally posted by: n0cmonkey
There should be two keys, and I believe you will need both on your usb thingy. And, on the server, change the UsePassword line to no in /etc/ssh/sshd_config.


according to the freebsd manual, you need only one... the authorized_keys2 which is the same as the id_dsa.pub

as for the sshd_conf file... supposedly all that needs to be done there, has been done by default, in that it is set to accept rsa/dsa keypairs...

the problem is this, if i set the global parameter, then i won't be able to get into the box with any other account... which is going to be a bit of a pain in the ass. is there any other way to do this?
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: xyyz
Originally posted by: n0cmonkey
There should be two keys, and I believe you will need both on your usb thingy. And, on the server, change the UsePassword line to no in /etc/ssh/sshd_config.


according to the freebsd manual, you need only one... the authorized_keys2 which is the same as the id_dsa.pub

I'll check on that, but you will need a public and a private key at some point.

as for the sshd_conf file... supposedly all that needs to be done there, has been done by default, in that it is set to accept rsa/dsa keypairs...

the problem is this, if i set the global parameter, then i won't be able to get into the box with any other account... which is going to be a bit of a pain in the ass. is there any other way to do this?

Set the password to a random 64 character string.

EDIT: If it makes you feel any better, I'm getting errors when trying to use key authentication :/
 

xyyz

Diamond Member
Sep 3, 2000
I'll check on that, but you will need a public and a private key at some point.

well, you do need the pair, but only one on the workstation... i guess that's what i was trying to say. i copied the public key on the usb flash device and i renamed it, to what it's supposed to be named.

Set the password to a random 64 character string.

i'm kinda' confused how this is going to help me. if i change the sshd_config settings to allow only for rsa/dsa authentication, and i'm having problems with getting one of the keypairs to work, it's going to lock me out of the system, because the user/pass combo won't work.

EDIT: If it makes you feel any better, I'm getting errors when trying to use key authentication :/

haha... so it's a bit more involved than i thought. :)
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: xyyz
I'll check on that, but you will need a public and a private key at some point.

well, you do need the pair, but only one on the workstation... i guess that's what i was trying to say. i copied the public key on the usb flash device and i renamed it, to what it's supposed to be named.

Set the password to a random 64 character string.

i'm kinda' confused how this is going to help me. if i change the sshd_config settings to allow only for rsa/dsa authentication, and i'm having problems with getting one of the keypairs to work, it's going to lock me out of the system, because the user/pass combo won't work.

If you just want to limit one user (and there is nothing in the sshd_config/sshd manpages about limiting particular users to a particular method of authentication) then you can set that one password to a random string, but leave root and another user's to your config.

EDIT: If it makes you feel any better, I'm getting errors when trying to use key authentication :/

haha... so it's a bit more involved than i thought. :)

It appears to be a problem with my ss10. I tried it from a Linux workstation to my OpenBSD server and it worked fine.
 

n0cmonkey

Elite Member
Jun 10, 2001
Ok, so if I specify the key (-i) it fails with PEM errors, if I let ssh choose the key it works automagically.

I tried with only one key, and it will work fine if it is the non .pub key.

I'll try it with putty now.
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: xyyz
what happened with putty?

Sorry, forgot to update... putty uses a different key scheme. You may be able to convert your openssh key to a putty key, or even better if you make the keys through putty. Check out their FAQ. They mention not being able to use OpenSSH or SSH.com keys, and mention converting them.

I didn't have time to play around with it till I got it working, but that is probably where the problem lies.
 

xyyz

Diamond Member
Sep 3, 2000
what ssh client are you using instead of putty then? i'd really rather not switch, but if you have something that works, i'll go with that.

 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: xyyz
what ssh client are you using instead of putty then? i'd really rather not switch, but if you have something that works, i'll go with that.

I use putty when in Windows, but I only use Windows at work.

I'll play with it some more when I get time at work or if I set up a Windows machine soon. If you play around with it and get it to work, let me know.
 

xyyz

Diamond Member
Sep 3, 2000
there's a file by the putty people called puttygen.exe... it seems to convert keys and what not.

there is one problem though. with freebsd, you need to store the private key on the freebsd machine and have the pub key on the remote machine. putty likes it the other way around. it wants you to have the private key on the remote machine and the pub key on the freebsd box.

anyone know of a workaround?
 

xyyz

Diamond Member
Sep 3, 2000
well this sucks

it still isn't working.

i put the private key on the USB flash device and the public key on the freebsd box.

i get this error when trying to use the key in putty to login:


Server refused our key

 

Barnaby W. Füi

Elite Member
Aug 14, 2001
Originally posted by: xyyz
there's a file by the putty people called puttygen.exe... it seems to convert keys and what not.

there is one problem though. with freebsd, you need to store the private key on the freebsd machine and have the pub key on the remote machine. putty likes it the other way around. it wants you to have the private key on the remote machine and the pub key on the freebsd box.

anyone know of a workaround?

The public key should always be on the server, and the private key on the client (assuming you trust the client machine). The public key can be put anywhere safely, that's why it's called the public key. The private key should be on your personal private machine, and it is what is used to generate a public key which your client sends to the server, and the server verifies against the public key it has. There is also some random number negotiation and a bunch of other stuff I am missing out and/or forgetting, but that's the basics. Basically: the client needs the private key to get password-less authentication, because if it only needed the public key for authentication, then you would *NOT* want to have the public key public, since anyone with it could gain access to your login, and thus it would not be called public :p

Search on google for the 3 part series daniel robbins wrote on ssh for ibm developerworks, it is how I learned how ssh really works (and a lot of general cryptography concepts).
 

Barnaby W. Füi

Elite Member
Aug 14, 2001
Oh, and your authorized_keys files are *not* keys. They are text file lists of key/user/host combinations that are authorized to be able to connect.

cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys2

Basically you need to generate your id_dsa, id_rsa, id_dsa.pub, id_rsa.pub files, do the 2 commands I just listed above, copy the .pub's to the remote server, and then you should be able to connect via key auth. (I think, haven't set up ssh again in a while)
 

xyyz

Diamond Member
Sep 3, 2000
thanks for that ibm site info... i'll read it after i get this working.

i do know that the private key goes on my flash device and the pub key goes on my server (freebsd box) (actually i wasn't clear on this before, but i am now)... i also know to rename id_dsa.pub to authorized_keys2... i also know where to place them.

the problem is that i have DONE all this... but this authentication system STILL will not work for me.
 

xyyz

Diamond Member
Sep 3, 2000
alright... this works... don't ask me how.

now i'm having an issue with allowing only for a key/pair authentication system.

i do not want to allow for user/pass login.

i did the following change

---
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
---

but this still allows for user/pass authentication.

and yes, i did restart sshd.
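An added audit script, not from the thread, showing why the change in this last post is by itself not enough: OpenSSH accepts a typed password through two independent directives, PasswordAuthentication and ChallengeResponseAuthentication (keyboard-interactive, backed by PAM on FreeBSD), and both default to yes when left commented out. The sample configs below are constructed; the function names are the author's own.

```shell
#!/bin/sh
# Added example: report which sshd_config directives still let a password in.
# Setting only PasswordAuthentication to "no", as the post above did, leaves
# the keyboard-interactive path (ChallengeResponseAuthentication) wide open.

# directive FILE KEYWORD DEFAULT: effective value of KEYWORD, lower-cased.
# Like sshd, the first uncommented occurrence wins; "#Keyword" lines are ignored.
directive() {
    awk -v key="$2" -v def="$3" '
        $1 !~ /^#/ && tolower($1) == tolower(key) && !found { print tolower($2); found = 1 }
        END { if (!found) print def }
    ' "$1"
}

# password_paths_open FILE: names of the directives that still allow a password
# login (empty output means key-only login is actually enforced).
password_paths_open() {
    open=""
    for kw in PasswordAuthentication ChallengeResponseAuthentication; do
        if [ "$(directive "$1" "$kw" yes)" = yes ]; then
            open="$open $kw"
        fi
    done
    printf '%s\n' "${open# }"
}

# Constructed sample configs: only the relevant lines are included.
tmp=$(mktemp -d)
cat > "$tmp/as_posted" <<'EOF'
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#ChallengeResponseAuthentication yes
EOF
cat > "$tmp/hardened" <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF

for f in as_posted hardened; do
    printf '%s: %s\n' "$f" "$(password_paths_open "$tmp/$f")"
done
```

The per-user restriction asked about earlier in the thread became possible in OpenSSH 4.4 with a `Match User` block carrying `PasswordAuthentication no`; this audit reads only the global section, so check any Match blocks by hand.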