Ethernet and Coffee

SSH key based auth setup notes

if you don’t have keys already, generate them; if you do have keys, skip this step

ssh-keygen -t rsa

use pw auth to create a .ssh dir on the remote host

ssh userid@target mkdir -p .ssh

use pw auth to install the local key on the remote host

cat .ssh/|ssh userid@target 'cat >> .ssh/authorized_keys'

now test, you should not be prompted for a password

ssh userid@target

if you are still prompted for a password, then some dir or file perms are probably wrong; use pw auth to set home and .ssh dir perms

ssh userid@target chmod 700 .ssh
ssh userid@target chmod 700 .

use pw auth to set .ssh file perms

ssh userid@target chmod 600 .ssh/*

now try it again, and it should work

ssh userid@target

If it still doesn’t work, start up a secondary SSH daemon on the target system in debug mode on a different port with

/usr/sbin/sshd -d -p 2222

and connect to it with

ssh -p 2222 userid@target

Look for errors related to reading the public key file like:

debug1: trying public key file /path/to/home/.ssh/authorized_keys
Authentication refused: bad ownership or modes for directory /path/to/home/
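
To find which path triggers that "bad ownership or modes" refusal without reading debug output, here is an added example (not from the original notes) to run on the target. It assumes sshd's default StrictModes behaviour: the home dir, .ssh and authorized_keys must be owned by the login user or root and must not be group- or world-writable. The function name check_ssh_perms and its arguments are this example's own.

```shell
#!/bin/sh
# Added example: list the paths sshd would reject under StrictModes.
# Usage: check_ssh_perms HOME_DIR [UID]  (name and arguments are hypothetical)
# Assumption: owner must be the login user or root, and neither group nor
# others may have write permission on any of the three paths.
check_ssh_perms() {
    home=$1
    uid=${2:-$(id -u)}
    bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING   $p"
            bad=1
            continue
        fi
        # -H follows a symlinked home dir; -prune stops find from descending.
        if [ -n "$(find -H "$p" -prune ! -user "$uid" ! -user 0 -print)" ]; then
            echo "BAD OWNER $p"
            bad=1
        fi
        if [ -n "$(find -H "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "BAD MODE  $p (group- or world-writable)"
            bad=1
        fi
    done
    return $bad
}

# When run as a script with a directory argument, check that directory.
if [ $# -gt 0 ]; then check_ssh_perms "$@"; fi
```

Each path it prints is one to fix with the chmod commands above (or chown for a BAD OWNER line); a zero exit status means all three paths pass.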

If you’re trying to connect to an older Cisco switch, like a C3560, you need to generate RSA keys and enable SSH version 2 with these config commands

crypto key generate rsa general modulus 1024
ip ssh version 2

Now, when connecting from a newer ssh client, you may get errors like this

ssh userid@old-cisco-switch
Unable to negotiate with port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
Unable to negotiate with port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

So you’ll have to tell the ssh client to use deprecated Kex and Ciphers like this

ssh -o "KexAlgorithms diffie-hellman-group1-sha1" -o "Ciphers aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc" userid@old-cisco-switch