# How to create a key for Putty to connect a Gentoo box

## vibidoo

Dear All 

I would like to use putty from Windows to connect to my Gentoo box (ssh).

The Gentoo security guide explains pretty well how to create a key if you are on a Linux client, but not for a Windows client.

My Gentoo seems to be well set up, because the keys are loading during the boot.

And I set up the /etc/ssh/sshd_config file as noted in the security guide.

But I don't know how to create a key on a Windows system.

----------

## xpunkrockryanx

it should work right out of the box... no need to do anything extra. just open putty, put the ip address in, select ssh (rather than telnet) and hit enter.

if you've tried that, what error is it that you're getting?

-ryan

----------

## vibidoo

Yes I did 

always the same error :

Network error : connection refused

But do I have to log on to my Windows system as root or a wheel user?

----------

## magnuson

Are you trying to connect using a password challenge or using a public key method?  If it's just a standard password then vibidoo is right, and putty should just work.  On the other hand, if you want to use a dsa key to connect with, you need to convert the private key you generated with openssh to a format that putty can understand using puttygen.exe, which you can find on the putty website.

putty has extensive documentation on this sort of thing

http://the.earth.li/~sgtatham/putty/0.53b/htmldoc/Chapter8.html#8.2.12

----------

## kashani

Does your sshd_config contain this line:

```
ListenAddress 127.0.0.1
```

If it does, comment it out and restart sshd.

kashani, who is off to have words with whoever put that config into the security doc.
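Why that one line produces "connection refused": `ListenAddress 127.0.0.1` binds sshd to the loopback interface only, so nothing listens on the address a remote PuTTY client reaches. The check below is an added example, not code from the thread or from OpenSSH; the function names are hypothetical and the sample is constructed from the active network lines of the sshd_config posted later in this thread.

```python
import ipaddress

# Constructed sample: network directives as posted in the thread's sshd_config.
SAMPLE = """\
  Port 22
  Protocol 2
  ListenAddress 127.0.0.1
#ListenAddress ::
"""

def listen_addresses(config_text):
    """Return the host part of every active (uncommented) ListenAddress."""
    hosts = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out directive
        parts = line.split(None, 1)
        # sshd_config keywords are case-insensitive
        if len(parts) != 2 or parts[0].lower() != "listenaddress":
            continue
        value = parts[1].strip()
        if value.startswith("["):        # [IPv6]:port form
            host = value[1:].split("]")[0]
        elif value.count(":") == 1:      # host:port form
            host = value.split(":")[0]
        else:                            # bare IPv4, hostname or bare IPv6
            host = value
        hosts.append(host)
    return hosts

def is_loopback(host):
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a hostname that is not an IP literal: assume routable

def loopback_only(config_text):
    """True when sshd would accept connections from the local machine only."""
    hosts = listen_addresses(config_text)
    # No ListenAddress at all means sshd listens on all local addresses.
    return bool(hosts) and all(is_loopback(h) for h in hosts)

if __name__ == "__main__":
    print("loopback only:", loopback_only(SAMPLE))
```
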

----------

## solatis

When I emerged it, I did /etc/init.d/sshd start and it created the keys on the fly...

----------

## vibidoo

:Kashani:

Yes 

I have ListenAddress 127.0.0.1 in /etc/ssh/sshd_config

I will try to comment it out and to restart sshd.

:Solatis:

My problem is not on my Gentoo box, I guess I have the right key.

In /etc/ssh, I have many key files, such as: ssh_host_dsa_key , ssh_host_dsa_key.pub , ssh_host_rsa_key ssh_host_key_rsa.pub , ssh_host_key ssh_host_key.pub .

My problem is on my Windows system. I use it as a client to connect to the Gentoo box, and putty.exe always sends me the same error.

----------

## vibidoo

:magnuson:

I downloaded puttygen to generate a public and private key pair on my Windows system.

Once the keys are generated, what do I do with them?

----------

## Jester

I'm having a similar problem.  I just installed SSH the other day on my Gentoo box, and it was working fine until I rebooted.  Now that I've rebooted, it seems not to be working.  I tried to SSH in using Putty, and it "actively refused" my connection.  So, thinking it was maybe a Putty problem, I tried it from my other Gentoo box.  That one got the same error, so of course I'm thinking that there's something wrong with my setup or something....I originally posted the same thing at the last post of this thread

Feel free to answer my other questions...!    :Laughing: 

----------

## kashani

 *Jester wrote:*   

> I'm having a similar problem.  I just installed SSH the other day on my Gentoo box, and it was working fine until I rebooted.  Now that I've rebooted, it seems not to be working.  I tried to SSH in using Putty, and it "actively refused" my connection.  So, thinking it was maybe a Putty problem, I tried it from my other Gentoo box.  That one got the same error, so of course I'm thinking that there's something wrong with my setup or something....I originally posted the same thing at the last post of this thread
> 
> Feel free to answer my other questions...!   

 

I might answer it if you reverted back to the original sshd_config, did you?  :Cool: 

kashani

----------

## vibidoo

Kashani 

You were right, I uncomment

ListenAddress 127.0.0.1

And I can connect to my ssh port

Thanks a lot

----------

## Jester

Okay, well, I thought the problem was cos the service wasn't starting up at boot, but that's not it....My sshd_config file looks okay, but I'm no expert, either.  Here's the important stuff it contains....

```
  Port 22
  Protocol 2
  ListenAddress 127.0.0.1
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
  HostKey /etc/ssh/ssh_host_rsa_key
  HostKey /etc/ssh/ssh_host_dsa_key
#Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 120
  PermitRootLogin no
#StrictModes yes
  AllowGroups wheel admin
  AllowUsers chris jester
#RSAAuthentication yes
#PubkeyAuthentication yes
  AuthorizedKeysFile       .ssh/authorized_keys
#rhosts authentication should not be used
  RhostsAuthentication no
#Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
#For this to work you will also need host keys in etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
#similar for protocol version 2
#HostbasedAuthentication no
#Change to yes if you don't trust ~/.ssh/known_hosts for
#RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
#To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
#Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
#Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#AFSTokenPassing no
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no
# override default of no subsystems
Subsystem       sftp    /usr/lib/misc/sftp-server
#Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no
#Set this to 'yes' to enable PAM keyboard-interactive authentication
#Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#MaxStartups 10
#no default banner path
#Banner /some/path
#VerifyReverseMapping no
#override default of no subsystems
Subsystem        sftp        /usr/lib/misc/sftp-server
```

I don't know why it's not working, but I'm also a total n00b to Linux, so that's not surprising!  I'm not even sure what's necessary to uncomment and what's not...

Any help would be GREATLY appreciated!

Thanks!

----------

## Jester

Okay, well, actually, I just restored my original sshd_config file, and that made everything okay.  It seems that the line giving me the trouble was

```
ListenAddress 127.0.0.1
```

The minute I commented that line out and restarted the service, it would work fine.  

Now, does anybody happen to have any suggestions for me on how to edit the file for the best security/functionality?  Is X11 forwarding a huge security hole?  It kinda sounds neat, like it's a terminal server or something.

----------

## riceboy50

A point of interest in this discussion is the generation of server keys for your sshd. When I was setting up my sshd I had to read a thread (not sure where anymore) that said to add sshd into the boot runlevel and reboot. The appropriate keys (ones you have uncommented in sshd_config file) will automatically be generated by the runscript. That's how I solved my problem.

----------

## vibidoo

Well now I can not identify 

root and my wheel user are always access denied

----------

## magnuson

Is it just those two usernames or can regular user accounts connect?  In any case I would check your /etc/passwd to make sure that those users have default shells defined.  That is, after the last colon there should be something like /bin/bash.  Like so...

```
magnuson:x:2537:100::/home/magnuson:/bin/bash
```

Replace /bin/bash with your favorite shell.

I don't think that this would prevent users in the wheel group from logging in, but just for giggles you might also want to check your sshd_config file for the entry PermitRootLogin.  It defaults to "yes", so unless you changed it there shouldn't be a problem there.

----------

## vibidoo

I just have two users for testing 

The root and a wheel user .

In /etc/passwd I set /bin/bash as the shell.

Still have access denied

----------

## Jester

You may wanna try doing what I did and just rename your current sshd_config file and then restore your default file (provided you didn't just overwrite it) and make settings changes one line at a time, based on what you want to accomplish with it.  That way, you can narrow it down to what line specifically is causing the problem.  Just a suggestion, though...I'm by no means qualified to say, "This is what you SHOULD DO..."  heheheh

----------

## riceboy50

Here is something to try with your sshd_config:

Comment out every line except the Port, HostKey, and Subsystem lines. Then erase the current server keys and init the runlevel in which sshd resides. By erasing the current keys and restarting sshd from its runlevel you will regenerate new keys. I also don't claim that this will work, just something to try.

----------

## doug-x07

You should also check whether your authorized_keys file is group writeable. If it is, sshd will refuse to use it and refuse the connection. So change the permissions if needed.

You can get much more detailed session logging by setting the logging option in putty to "Log ssh packet data" and by setting LogLevel in sshd_config to VERBOSE or DEBUG. That way you'll get detailed information on why connections are being refused.

Vibidoo, are you using public key authentication or just password challenge?
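The permission check described in this post, as an added example (not code from the thread or from OpenSSH): with `StrictModes yes`, sshd ignores an authorized_keys file when the file, its `.ssh` directory or the home directory is writable by group or others, or owned by someone other than the user or root. The function names are hypothetical and the check approximates sshd's own.

```python
import os
import stat

def strictmodes_problems(home, uid, rel_keyfile=".ssh/authorized_keys"):
    """List (path, reason) pairs that would make sshd skip the key file."""
    keyfile = os.path.join(home, rel_keyfile)
    problems = []
    # sshd checks the key file and each directory above it up to the home dir.
    for path in (home, os.path.dirname(keyfile), keyfile):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append((path, "missing"))
            continue
        if st.st_uid not in (0, uid):
            problems.append((path, "owned by uid %d" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = stat.S_IMODE(st.st_mode)
            problems.append((path, "group/world writable (mode %o)" % mode))
    return problems

def tighten(home, rel_keyfile=".ssh/authorized_keys"):
    """Apply the conventional modes: 700 on .ssh, 600 on the key file."""
    keyfile = os.path.join(home, rel_keyfile)
    os.chmod(os.path.dirname(keyfile), 0o700)
    os.chmod(keyfile, 0o600)

if __name__ == "__main__":
    # Audit the current user's own files.
    home_dir = os.path.expanduser("~")
    for path, reason in strictmodes_problems(home_dir, os.getuid()):
        print(path, "->", reason)
```

Run it as the account that fails to log in; an empty result means the rejection has another cause, which the VERBOSE or DEBUG log level mentioned above will show.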

----------

