# SSH questions

## speak_see_hear

I emerged openssh, added it with rc-update add sshd default

I would like to be able to access my Gentoo box from my work (Win 2000) box using putty.  How do I do this?  I have ssh running but I cannot log in.  When I try, I get "no connection available" messages from putty.  Please help.

Thanks

----------

## guero61

The first thing to do is establish that sshd is actually running.  If you've rebooted since you rc-updated, it should be running.  Still, do this:

```
ps -awef | grep sshd

# - or -

/etc/init.d/sshd status
```

You should see an sshd process sitting out there.  If not, that's your first issue.  Try running /etc/init.d/sshd start.

Next, if sshd is running, make sure you've used puttygen.exe to generate a private key; your box won't allow connections without it.

Finally, if none of those work, it has to be a configuration issue on the ssh box; take the config apart, look into it, and see if it's limiting connections somehow.

Just re-reading your post, you're connecting from work?  That may be an issue -- they may have external SSH traffic blocked.

----------

## OdinsDream

 *guero61 wrote:*   

> The first thing to do is establish that sshd is actually running.  If you've rebooted since you rc-updated, it should be running.  Still, do this:
> 
> ```
> ps -awef | grep sshd
> ...
> ```

I'm not sure what you mean by the "puttygen.exe" statement, I've had success connecting without any such steps...

----------

## st. anger

When I connect from my school, I have to use a different port.  I have my router forward connections from that port to my ssh box.

----------

## guero61

 *OdinsDream wrote:*   

> I'm not sure what you mean by the "puttygen.exe" statement, I've had success connecting without any such steps...

You don't have a private key for your putty box?  Not only is that incredibly unbelievable, it's incredibly strange.  SSH relies on encryption, which relies on a key.  That is, unless you utterly defeat the purpose of SSH (Secure SHell) and run an unencrypted session.  Many Windows X-managers handle the key generation and handling behind the scenes.  Are you using one of those?

I'm sorry, it's just really strange.  Never have I heard of a machine accepting ssh connections without an encryption key.

----------

## dermot

I've never had to generate a key either, whether I'm using Putty or a *nix ssh client. The server provides the public key, which is added to .ssh_known or to Putty's keyring. There's no real benefit in both the client and the server providing a key - in fact I'd say it would be problematic, since everything would have to be decrypted/encrypted twice, once with each key combo!

----------

## guero61

My machines have always refused connection unless I have a loaded private key on my putty box.  I know *nix boxes generate their own -- it's done when the sshd starts for the first time.  That's really curious.

----------

## dermot

It could be the way you have yours configured, or it could be simply that putty sends sshd a public key without telling you.

I'm by no means an expert on this, so I stand to be corrected   :Very Happy: 

Actually, now that I think about it, it would probably make sense because data going from the server to the client would have to be encrypted using the client's public key. The alternative is for the data to be encrypted with the server's private key and then decrypted on the client with the server's public key. This would probably be insecure, since the public key is just sent hashed initially and anyone listening would be able to decrypt subsequent messages from the server.

Anyone with an interest in security care to enlighten us about this?

----------

## guero61

I'm not a security expert, but this is the reason I thought every *ix machine running SSH has a key, sshd or not.

----------

## jt42

It could be that 'rhosts' is enabled in sshd_config, and the systems are using a .rhost file to "authenticate".

Needless to say this is not the default.

If you (those who are getting connections without keys) run ssh with the '-v' flag are you seeing any KEXINIT messages?

-john

----------

## PowerFactor

I think you guys are getting your keys mixed up.  sshd generates a host key that it uses for encryption the first time it is started.  puttygen generates public and private authentication keys, like ssh-keygen.  Those are unique to each user.  You need the host key for ssh to work. But sshd is by default configured to allow password authentication so you don't need authentication keys to login.

----------

## guero61

Like my real keyring; too many danged keys!  :Razz: 

----------

## jt42

client and server exchange host keys (this is what generates the 'not in known_hosts' message the first time a connection happens) and then authentication starts.

At this point rhost|passwords|user keys takes over to authenticate.

"Too many keys"

I simplified my life in a big way by getting a keyfob USB drive that I carry with all of my public encryption (ssh+gnupg) keys. I also store my host keys there for the times when I can't resist the urge to re-install an OS.

Of course I'm totally screwed if I lose my keyring.

-john

----------
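
The two stages PowerFactor and jt42 describe, and the KEXINIT messages jt42 asks about in `ssh -v` output, can be read straight from a client debug log. The script below is an added example, not part of any post in this thread; `ssh_phases` and `sample_log` are hypothetical names, and the log is a constructed sample modelled on OpenSSH client debug output.

```shell
#!/bin/sh
# Added example: split a client debug log into the two stages discussed above.

# Summarise an `ssh -v` log read from stdin or from the files given.
ssh_phases() {
    awk '
        BEGIN { kex = "no"; hostkey = "none"; order = "n/a"; offered = "none"; used = "none" }
        /SSH2_MSG_KEXINIT/          { kex = "yes" }
        /Server host key:/          { hostkey = $5 }      # key type, e.g. ssh-ed25519
        /SSH2_MSG_NEWKEYS received/ { newkeys = 1 }       # session keys are in place
        /Authentications that can continue:/ && !seen {
            seen = 1; offered = $NF
            order = newkeys ? "yes" : "no"                # did auth start after NEWKEYS?
        }
        /Authentication succeeded/  { used = $NF; gsub(/[().]/, "", used) }
        END {
            printf "kex=%s hostkey=%s auth_after_newkeys=%s offered=%s used=%s\n",
                   kex, hostkey, order, offered, used
        }
    ' "$@"
}

# Constructed log; exact wording differs between OpenSSH versions and the
# fingerprint is a placeholder. No user key is loaded in this session.
sample_log() {
    cat <<'EOF'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: Server host key: ssh-ed25519 SHA256:PLACEHOLDER-FINGERPRINT
debug1: SSH2_MSG_NEWKEYS sent
debug1: SSH2_MSG_NEWKEYS received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
debug1: Authentication succeeded (password).
EOF
}

sample_log | ssh_phases
```

The summary shows key exchange and the server host key completing before any authentication method is offered, and the login then succeeding with a password and no user key pair.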

## guero61

You know you're too much of a geek when...

You mistake "keyring" for "keyring".  I can't carry my keys in my pocket -- there are too many of them.  :Laughing: 

Indeed, it seems that putty will work without my loading a key into Pageant.  Hmmm...

----------

## neilhwatson

PowerFactor is correct.  The hostkey encrypts the data and you can authenticate via password or keypair.  Personally, I prefer using a key pair as you really can't guess a key as you can a password.  Also, using key pairs and keychain allows you to automate rsyncs via ssh for things like backups.

Once my Gentoo is up and running I usually disable password authentication and root logins in the sshd_config file.

----------
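
A check for the two sshd_config settings neilhwatson mentions, as an added example that is not from the thread. `sshd_global_value`, `audit_sshd_config` and `write_sample` are hypothetical names, the config fragment is constructed, and an unset keyword is reported as weak because the built-in default is not assumed.

```shell
#!/bin/sh
# Added example: audit PasswordAuthentication and PermitRootLogin.

# Effective global value of KEYWORD in FILE, or "unset".
# sshd uses the first value it reads for a keyword, keywords are
# case-insensitive, and lines after a Match line apply only conditionally.
sshd_global_value() {
    awk -v want="$1" '
        BEGIN { want = tolower(want); val = "unset" }
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        tolower($1) == "match" { exit }         # stop at the first Match block
        tolower($1) == want && !found { val = tolower($2); found = 1 }
        END { print val }
    ' "$2"
}

# Return 0 only if password logins and root logins are both disabled.
audit_sshd_config() {
    rc=0
    for kw in PasswordAuthentication PermitRootLogin; do
        v=$(sshd_global_value "$kw" "$1")
        if [ "$v" = "no" ]; then
            echo "ok    $kw $v"
        else
            echo "WEAK  $kw $v (want: no)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample with a duplicate keyword and a Match block.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sshd_config fragment
passwordauthentication no
PasswordAuthentication yes
PermitRootLogin yes
Match User backup
    PermitRootLogin no
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_sshd_config "$sample" || echo "result: not hardened"
rm -f "$sample"
```

On a live host, `sshd -t` validates the file after editing and `sshd -T` prints the configuration the daemon would actually use.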

