Basic network access: clients
Summary of files in ~/.ssh
In addition to the files we have discussed, you will find two other files in the ~/.ssh directory:
- known_hosts contains the key fingerprints of all hosts to which you have connected. The example on page 419 shows how ssh adds a key.
- random_seed is a seed used to generate the keys.
In summary, then, you can expect the following files in your ~/.ssh:
drwx------  2 grog  grog   512 Jan 18 21:04 .                 directory
-rw-r--r--  1 grog  grog  1705 Oct 26  1999 authorized_keys   keys
-rw-r--r--  1 grog  grog   844 Jan 27 22:18 authorized_keys2  keys, Version 2 only
-rw-r--r--  1 grog  grog    25 Oct 20 01:35 environment       environment for sshd
-rw-------  1 grog  grog   736 Jul 19 15:40 id_dsa            DSA private key
-rw-r--r--  1 grog  grog   611 Jul 19 15:40 id_dsa.pub        DSA public key
-rw-------  1 grog  grog   951 Jul 19 15:40 id_rsa            RSA private key
-rw-r--r--  1 grog  grog   231 Jul 19 15:40 id_rsa.pub        RSA public key
-rw-------  1 grog  grog   536 Jul 19 15:39 identity          RSA1 private key
-rw-r--r--  1 grog  grog   340 Jul 19 15:39 identity.pub      RSA1 public key
-rw-------  1 grog  grog  1000 Jul 25  1999 known_hosts       list of known hosts
-rw-------  1 grog  grog   512 Jul 25  1999 random_seed       seed for key generation
Note particularly the permissions and the ownership of the files and of the directory itself. If they are wrong, ssh won't work, and it won't tell you why not. In particular, the directory must not be group-writable.
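Because ssh gives no hint when it rejects a key for permission reasons, it is worth checking the directory by hand. The following script is an added example, not the book's own, that audits an ~/.ssh directory against the layout in the listing above. It assumes the file names shown there (id_rsa, id_dsa, identity, the matching .pub files, known_hosts, random_seed) and treats mode 600 for private files and "not group- or world-writable" for everything else as the expected state; those expectations are the author's reading of what sshd's strict checks want, not something the book spells out. It takes an optional directory argument so it can be run against a test tree.

```shell
#!/bin/sh
# Added example, not from the book: audit an ~/.ssh directory for the
# ownership and permission mistakes that make ssh silently ignore keys.
# Assumptions: file names as in the listing above; private keys and the
# random seed should be mode 600, public keys and the rest merely must not
# be writable by group or others; the directory itself likewise.
#
# Usage: check_ssh_dir [directory]    (default: ~/.ssh)
# Prints one line per problem found; returns 0 when clean, 1 otherwise.

check_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    me=$(id -u)
    status=0

    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory"
        return 1
    fi

    # ls -ldn: -d describes the directory itself, -n gives numeric uids so the
    # comparison does not depend on name lookups.  The mode string is the
    # first ten characters of field 1 (some systems append + or @).
    info=$(ls -ldn "$dir")
    mode=$(echo "$info" | awk '{print substr($1, 1, 10)}')
    owner=$(echo "$info" | awk '{print $3}')

    # The directory must belong to the user (root is tolerated) and must not
    # be writable by group (column 6) or others (column 9).
    if [ "$owner" != "$me" ] && [ "$owner" != 0 ]; then
        echo "$dir: owned by uid $owner, not $me"; status=1
    fi
    case "$mode" in
        ?????-??-?) ;;
        *) echo "$dir: directory is group- or world-writable ($mode)"; status=1 ;;
    esac

    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        info=$(ls -ln "$f")
        mode=$(echo "$info" | awk '{print substr($1, 1, 10)}')
        owner=$(echo "$info" | awk '{print $3}')
        name=${f##*/}

        if [ "$owner" != "$me" ] && [ "$owner" != 0 ]; then
            echo "$f: owned by uid $owner, not $me"; status=1
        fi

        case "$name" in
            *.pub)
                # Public keys may be world-readable, but not writable by others.
                case "$mode" in
                    ?????-??-?) ;;
                    *) echo "$f: group- or world-writable ($mode)"; status=1 ;;
                esac ;;
            id_*|identity|random_seed)
                # Private keys and the seed: owner read/write only (mode 600).
                case "$mode" in
                    -rw-------) ;;
                    *) echo "$f: should be mode 600 ($mode)"; status=1 ;;
                esac ;;
            *)
                # authorized_keys, known_hosts, environment and the like.
                case "$mode" in
                    ?????-??-?) ;;
                    *) echo "$f: group- or world-writable ($mode)"; status=1 ;;
                esac ;;
        esac
    done
    return $status
}

# When run as a script with a directory argument, check that directory.
if [ $# -gt 0 ]; then
    check_ssh_dir "$@"
fi
```

Run it as `sh check_ssh_dir.sh ~/.ssh` (or source it and call `check_ssh_dir`); a non-zero exit with a list of offending paths is usually the whole explanation for an unexpected password prompt. The mode string is parsed from ls rather than stat because stat's options differ between FreeBSD and Linux.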
Troubleshooting ssh connections
A surprising number of things can go wrong with setting up ssh connections. Here are some of the more common ones:
- After some delay, you get the message:
ssh: connect to address 223.147.37.76 port 22: Operation timed out
This probably means that the remote host is down, or that you can't reach it due to network problems.
- You get the message:
ssh: connect to address 223.147.37.65 port 22: Connection refused
This means that the remote host is up, but no sshd is running.
- You have set up keys, but you still get a message asking for a password.
This can mean a number of things: your ssh-agent isn't running, you haven't added the keys, the other end can't find them, or the security on the keys at the other end is incorrect. You can check the first two like this:
$ ssh-add -l
Could not open a connection to your authentication agent.
This message means that you haven't run ssh-agent. Do it like this:
$ eval `ssh-agent`
Agent pid 95180
$ ssh-add -l
The agent has no identities.
$ ssh-add
Enter passphrase for /home/grog/.ssh/id_rsa: no echo
Identity added: /home/grog/.ssh/id_rsa (/home/grog/.ssh/id_rsa)
Identity added: /home/grog/.ssh/id_dsa (/home/grog/.ssh/id_dsa)
Identity added: /home/grog/.ssh/identity (grog@freebie.lemis.com)
$ ssh-add -l
1024 02:20:1d:50:78:c5:7c:56:7b:1d:e3:54:02:2c:99:76 grog@zaphod.example.org (RSA1)
1024 95:d5:01:ca:90:04:7d:84:f6:00:32:7a:ea:a6:57:2d /home/grog/.ssh/id_rsa (RSA)
1024 53:53:af:22:87:07:10:e4:5a:2c:21:31:ec:29:1c:5f /home/grog/.ssh/id_dsa (DSA)
In this case, all three keys are set correctly. If you have, say, only an RSA1 (protocol Version 1) key, and the other end doesn't support protocol Version 1, ssh will ask for a password.
- You get a message like this:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!    @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the DSA host key has just been changed.
The fingerprint for the DSA key sent by the remote host is
95:80:4c:fb:cc:96:1b:36:c5:c9:2b:cb:d1:d4:16:68.
Please contact your system administrator.
Add correct host key in /home/grog/.ssh/known_hosts2 to get rid of this message.
Offending key in /home/grog/.ssh/known_hosts2:39
There are two possible reasons for this message. As the message states, one is that somebody is trying to intercept the connection, and the other one is that the remote system has changed its host key. The latter is by far the more common. To fix this problem, you have two choices:
- Edit your ~/.ssh/known_hosts2 file and remove references to the remote system. The message suggests changing line 39, but you might have more than one key for this system in this file. If one is wrong, there's a good chance that any others will be too, so you should remove all references.
- Add the following line to your ~/.ssh/config file:
StrictHostKeyChecking no
It doesn't remove the warning, but it allows you to connect anyway.
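Of the two choices, editing the known_hosts file is the one that keeps host key checking in force, and the text's advice to remove every reference to the host, not just line 39, is easy to get wrong by hand because the first field of a known_hosts line is a comma-separated list of names and addresses. The script below is an added example, not from the book, that removes all lines whose name list contains the given host (including the later `[host]:port` form used for non-standard ports). It assumes the standard "names keytype key" line layout; hashed entries (HashKnownHosts) cannot be matched by name this way, and for those OpenSSH's own `ssh-keygen -R hostname` is the tool. The sample file in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the book: drop every known_hosts line that refers
# to a given host, rather than only the line number ssh names in its warning.
# Assumptions: lines are "names keytype key" (RSA1 lines have more fields and
# are handled the same way); "names" is a comma-separated list of host names
# and addresses; comment and blank lines are preserved.  Hashed host names
# are not matched.
#
# Usage: forget_host hostname [known_hosts_file]   (default: ~/.ssh/known_hosts)
# Rewrites the file in place and prints the number of lines removed.

forget_host() {
    host=$1
    file=${2:-$HOME/.ssh/known_hosts}
    tmp="$file.$$.tmp"
    before=$(wc -l < "$file")

    awk -v h="$host" '
        # Keep comments and anything too short to be a key line.
        /^[ \t]*#/ || NF < 3 { print; next }
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) {
                # exact name/address match, or the "[host]:port" form
                if (names[i] == h || index(names[i], "[" h "]:") == 1)
                    next            # drop the whole line
            }
            print
        }' "$file" > "$tmp" && mv "$tmp" "$file" || { rm -f "$tmp"; return 1; }

    after=$(wc -l < "$file")
    echo $((before - after))
}

# When run as a script: forget_host.sh hostname [file]
if [ $# -gt 0 ]; then
    forget_host "$@"
fi
```

After running it, the next connection to the host will show the usual "The authenticity of host ... can't be established" prompt with the new fingerprint, which is the moment to compare that fingerprint with one obtained from the administrator of the remote system. The same function works on known_hosts2 if you pass it as the second argument.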
ssh includes debugging options that may help debug problems setting up connections. Use the -v option, up to three times, to get ssh to display largely undocumented information about what is going on. The output is pretty verbose; with three -v options you get nearly 200 lines of information.