We Keep Coding

How to SSH using ssh keys

We've recently set up a new Linux box which is on the same local network as the rest of our machines. We want to allow only the machines on the local network to be able to SSH into the new machine, and I was going to do this by creating ssh keys and disabling password authentication.
What I've done is run ssh-keygen -t rsa -b 4096 on the new machine, copy the contents of the public key and put this in the ~/.ssh/authorized_keys file on one of the machines previously set up.
I've then gone into /etc/ssh/sshd_config on the new machine and have this:
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
Those are the only changes I made to this file, and when I try to SSH from the old machine, I get "Permission denied(publickey,gssapi-keyex,gssapi-with-mic)"
If I enable PasswordAuthentication and try to ssh I can log in by entering the user's password, but that's not the goal.
Thanks in advance,
Daniel

If the user you are trying to log in as is root, the directive
PermitRootLogin no
is denying access, regardless the authentication method.
To allow root to log in using keys only, you should set this directive to prohibit-password

Passwordless keybased authentication not working

this is what I need to realize:
keybased passwordless authentication for user root
passwordbased authentication for any other user than root
Server I need to have access to is running Debian 9 (stretch).
On my client I have I have created a keypair like this: ssh-keygen
This created the following files ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub.
Now I copied the content of ~/.ssh/id_rsa.pub into /root/.ssh/authorized_keys on the server and modified the keyfile with permission 600.
Then I modified the /etc/ssh/sshd_config on server by setting the following values:
PermitRootLogin without-password
PubkeyAuthentication yes
Now I restarted ssh service on server and tried the connection by ssh root#sub.domain.tld.
It still ends in password prompt for user root.
The outcome of ssh -vvv root#sub.domain.tld you can find here (Ubuntu Pastebin).
What did I miss to modify?
Kind regards
//neph

You should follow this tutorial, there's a lot of outdated ones. It worked for me on Ubuntu 19.04.
All you have to do is:
apt-get install libpam-google-authenticator.
Users who want to continue using ssh must each run the command google-authenticator. This tool interatively helps you to create the file ~/.google_authenticator, which contains a shared secret and emergency passcodes. It's a terminal application, but it does still display a QR code for quick loading of the shared secret into your two factor device (in my case, this is the Google Authenticator app on my Android smartphone).
Edit /etc/ssh/sshd_config. Set:
ChallengeResponseAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
In case you have changed them in the past, you should also check the following two settings (these are both defaults on Ubuntu):
UsePAM yes
PubkeyAuthentication yes
Run sudo service ssh reload to pick up your changes to /etc/ssh/sshd_config.
Edit /etc/pam.d/sshd and replace the line:
#include common-auth
with:
auth required pam_google_authenticator.so
That's it! Now ssh logins will require a key, and after your key is verified will additionally require proof that you hold your second factor device.

Dropbear -> Openssh: Why does it ask for a password now?

I'm working on an embedded board (i.MX6) with a Yocto-based embedded Linux. So far I used Dropbear as SSH server. However, Dropbear doesn't provide an SFTP server, which I need. Therefore I switched from Dropbear to OpenSSH (built it from the standard Poky sources, and installed it via opkg).
However, since then I cannot login to the board via SSH anymore, because the server asks for a password, which I don't know. The only user is root, and it has no password configured (this is still true, because I can log in locally via RS232 without problems). Why does OpenSSH ask for a password? How can I remove that?
I thought that maybe there's a passphrase set in one of the private keys in /etc/ssh:
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_ed25519_key
/etc/ssh/ssh_host_rsa_key
So I did ssh-keygen -p -f /etc/ssh/ssh_host_rsa_key respectively for each of them, but it didn't help.
This is the essential pieces of the sshd_config file:
# grep '^[^#]' /etc/ssh/sshd_config
Protocol 2
PermitRootLogin yes
AuthorizedKeysFile .ssh/authorized_keys
UsePrivilegeSeparation sandbox # Default for new installations.
Compression no
ClientAliveInterval 15
ClientAliveCountMax 4
Subsystem sftp /usr/lib/openssh/sftp-server
Any ideas?

Are you sure that you have debug-tweaks in your IMAGE_FEATURES or EXTRA_IMAGE_FEATURES?
If so, the ROOTFS_POSTPROCESS_COMMAND should include ssh_allow_empty_password(); which in turns should set PermitEmptyPasswords yes in /etc/ssh/sshd_config and /etc/ssh/sshd_config_readonly. That should allow you to use empty passwords with OpenSSH.

If you have "debug-tweaks" in your EXTRA_IMAGE_FEATURES then the password will be blank: this may be ok for development images.
If you want to have some security instead, you can either add a recipe that installs a public key to /root/.ssh/authorized_keys or use the extrausers class in an image recipe or local configuration to set the password.

I can't ssh into my server after setting PubkeyAuthentication and RsaAuthentication to yes and PermitRootLogin to no

I have a problem trying to ssh into my server after I made some changes in sshd_config file. I had changed the PubkeyAuthentication and RsaAuthentication to YES and PermitRootLogin to NO.
How can I access the server using ssh and edit sshd_config file ?

Either with a user that is allowed to login and has setup the correct public keys (which you surely did beforehand?). Or via the server console.
If you find another way i think you should raise a bug report with sshd, as denying this is the goal of your configuration (with my basic ssh knowledge, though).

Problem solved I ssh into my server using another account that has ssh acccess and then I used su command to login as a root and I accessed the server

SSH - Require passphrase entry during public key authentication

I've read up a bit on public key authentication, but I think I'm missing a key aspect.
I have an Ubuntu server I've configured to work as an Subversion server that accepts SVN connections over SSH using a non-standard port. So, to check out, it would something like:
svn co svn+ssh://user#example.com:12345/repos/public
Now, my server currently supports both password based authentication, and public key authentication. Assuming my server at my office is bolted and anchored down, and the firewall and all are working, I don't have to worry about someone copying files off the server.
For my two client laptops, I've generated public-private key pairs, and have added the public keys for the clients to the AuthorizedKeys list on the server via the ssh-copy-id command. I can now SSH into the server from these client laptops without a password.
This concerns me though. If someone breaks into my hotel room and steals my laptop, then they can just pull the hard drive, copy the contents of ~/.ssh to a separate machine, and attempt to log in to my servers effortlessly. If I just used password-based authentication, and just memorize the passwords or store them in an encrypted TrueCrypt archive, it is much safer.
I know that during the creation of my key pairs on the clients, a passphrase had to be entered. Is it possible to require the server to not only validate the public key, but to also require the passphrase to be entered? This seems like a very weak system if all that is required is stealing the laptop of a single employee and copying a file off of it to get total system access.
Thank you.

You can protect the keystore on the client with an additional passphrase so one needs to unlock the key to use it but this is configured on the client and cannot be enforced by the server. Using an SSH-agent you need to unlock a key only once and use it as long as the client is in use.

This is covered on another SO site.
https://serverfault.com/questions/93807/how-do-i-setup-ssh-with-both-private-key-and-password
Here is the example SSHD server script.
#######################################################
### Calomel.org SERVER /etc/ssh/sshd_config
#######################################################
#
Port 22
Protocol 2
AddressFamily inet
#ListenAddress 127.0.0.1
#See the questions section for setting up the gatekeeper
#ForceCommand /tools/ssh_gatekeeper.sh
AllowUsers calomel#10.10.10.3 calomel#192.168.*
AllowGroups calomel
AllowTcpForwarding yes
#AuthorizedKeysFile .ssh/authorized_keys (need to be be commented for OpenSSH 5.4)
Banner /etc/banner
ChallengeResponseAuthentication no
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
ClientAliveInterval 15
ClientAliveCountMax 3
Compression yes
GatewayPorts no
LogLevel VERBOSE
LoginGraceTime 50s
MACs hmac-sha2-512-96,hmac-sha2-512,hmac-sha2-256-96,hmac-sha2-256,hmac-sha1-96,hmac-sha1
MaxAuthTries 6
MaxStartups 10
PasswordAuthentication yes
PermitEmptyPasswords no
#PermitOpen localhost:80
PermitRootLogin no
PermitUserEnvironment no
PidFile /var/run/sshd.pid
PrintLastLog yes
PrintMotd no
PubkeyAuthentication yes
StrictModes yes
Subsystem sftp /usr/libexec/sftp-server
SyslogFacility AUTH
TCPKeepAlive no
UseDNS no
UseLogin no
UsePrivilegeSeparation yes
X11DisplayOffset 10
X11Forwarding no
X11UseLocalhost yes
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
#
#######################################################
### Calomel.org SERVER /etc/ssh/sshd_config
#######################################################