Published: 06.08.2012 | Level: specialist | Access: paid
Lecture 24:

Basic network access: clients

Summary of files in ~/.ssh

In addition to the files we have discussed, you will find two other files in the ~/.ssh directory:

  • known_hosts contains the key fingerprints of all hosts to which you have connected. The example on page 419 shows how ssh adds a key.
  • random_seed is a seed used to generate the keys.

In summary, then, you can expect the following files in your ~/.ssh:

drwx------  2  grog  grog   512  Jan  18  21:04  .                 directory
-rw-r--r--  1  grog  grog  1705  Oct  26   1999  authorized_keys   keys
-rw-r--r--  1  grog  grog   844  Jan  27  22:18  authorized_keys2  keys, Version 2 only
-rw-r--r--  1  grog  grog    25  Oct  20  01:35  environment       environment for sshd
-rw-------  1  grog  grog   736  Jul  19  15:40  id_dsa            DSA private key
-rw-r--r--  1  grog  grog   611  Jul  19  15:40  id_dsa.pub        DSA public key
-rw-------  1  grog  grog   951  Jul  19  15:40  id_rsa            RSA private key
-rw-r--r--  1  grog  grog   231  Jul  19  15:40  id_rsa.pub        RSA public key
-rw-------  1  grog  grog   536  Jul  19  15:39  identity          RSA1 private key
-rw-r--r--  1  grog  grog   340  Jul  19  15:39  identity.pub      RSA1 public key
-rw-------  1  grog  grog  1000  Jul  25   1999  known_hosts       list of known hosts
-rw-------  1  grog  grog   512  Jul  25   1999  random_seed       for key generation

Note particularly the permissions and the ownership of the files and the directory itself. If they are wrong, ssh won't work, and it won't tell you why not. In particular, the directory must not be group writeable.
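Because ssh gives no hint when it rejects a key for permission reasons, it helps to have a script that audits the directory before you start guessing. The following POSIX sh script is an added example, not part of the lecture or of OpenSSH: it checks the directory and every file in it for group/world write permission and ownership, and checks that the private keys named in the listing above (identity, id_rsa, id_dsa) are readable by the owner only. It runs its demonstration on a constructed temporary directory, so it never touches a real ~/.ssh; to audit your own, call check_ssh_dir on that path instead.

```shell
#!/bin/sh
# Added example (not from the lecture): audit a user's ssh client directory for
# the permission and ownership problems that make ssh silently ignore keys.
# Usage: check_ssh_dir /home/grog/.ssh
# Prints one "BAD:" line per problem; returns 1 if any was found, else 0.

# First ten characters of "ls -ld": type and rwx bits, e.g. "drwx------".
# Cutting at 10 also drops the "+"/"." ACL marker some systems append.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Numeric owner uid of a path (field 3 of "ls -ldn"), comparable with "id -u".
owner_of() {
    ls -ldn "$1" | awk '{print $3}'
}

# Report a path that is writable by group (char 6) or by others (char 9).
complain_if_shared_write() {
    case "$(mode_of "$1")" in
        ?????w*|????????w*)
            echo "BAD: $1 is group/world writable ($(mode_of "$1"))"
            return 1 ;;
    esac
    return 0
}

check_ssh_dir() {
    dir=$1
    rc=0
    me=$(id -u)

    if [ ! -d "$dir" ]; then
        echo "BAD: $dir is not a directory"
        return 1
    fi

    # The directory itself: owned by the user and not group/world writable.
    complain_if_shared_write "$dir" || rc=1
    if [ "$(owner_of "$dir")" != "$me" ]; then
        echo "BAD: $dir is not owned by uid $me"
        rc=1
    fi

    for f in "$dir"/*; do
        [ -e "$f" ] || continue        # empty directory: the glob stays literal
        complain_if_shared_write "$f" || rc=1
        if [ "$(owner_of "$f")" != "$me" ]; then
            echo "BAD: $f is not owned by uid $me"
            rc=1
        fi
        # Private keys must be readable by the owner only: group and other
        # bits (chars 5-10 of the mode string) all clear.
        case "$f" in
            */identity|*/id_rsa|*/id_dsa)
                case "$(mode_of "$f")" in
                    ????------) ;;
                    *) echo "BAD: private key $f is readable by others ($(mode_of "$f"))"
                       rc=1 ;;
                esac ;;
        esac
    done

    [ "$rc" -eq 0 ] && echo "OK: $dir looks sane"
    return "$rc"
}

# Demonstration on a constructed directory, so no real ~/.ssh is touched.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -m 700 "$tmp/.ssh"
    touch "$tmp/.ssh/id_rsa" "$tmp/.ssh/id_rsa.pub"
    chmod 600 "$tmp/.ssh/id_rsa"
    chmod 644 "$tmp/.ssh/id_rsa.pub"
    echo "--- correct layout:"
    check_ssh_dir "$tmp/.ssh"
    chmod 770 "$tmp/.ssh"            # the two classic mistakes: group-writable
    chmod 644 "$tmp/.ssh/id_rsa"     # directory and world-readable private key
    echo "--- broken layout:"
    check_ssh_dir "$tmp/.ssh"
    rm -rf "$tmp"
}
demo
```

The mode string is taken from ls rather than stat because the stat options differ between BSD and GNU systems, while the first ten columns of ls -ld are the same everywhere; ownership is compared numerically so the check also works for accounts without a passwd entry.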

Troubleshooting ssh connections

A surprising number of things can go wrong with setting up ssh connections. Here are some of the more common ones:

  • After some delay, you get the message:

    ssh: connect to address 223.147.37.76 port 22: Operation timed out

    This probably means that the remote host is down, or that you can't reach it due to network problems.

  • You get the message:

    ssh: connect to address 223.147.37.65 port 22: Connection refused

    This means that the remote host is up, but no sshd is running.

  • You have set up keys, but you still get a message asking for a password.

    This can mean a number of things: your ssh-agent isn't running, you haven't added the keys, the other end can't find them, or the security on the keys at the other end is incorrect. You can check the first two like this:

    $ ssh-add -l
    Could not open a connection to your authentication agent.

    This message means that you haven't run ssh-agent. Do it like this:

    $ eval `ssh-agent`
    Agent pid 95180
    $ ssh-add -l
    The agent has no identities.
    $ ssh-add
    Enter passphrase for /home/grog/.ssh/id_rsa:    (no echo)
    Identity added: /home/grog/.ssh/id_rsa (/home/grog/.ssh/id_rsa)
    Identity added: /home/grog/.ssh/id_dsa (/home/grog/.ssh/id_dsa)
    Identity added: /home/grog/.ssh/identity (grog@freebie.lemis.com)
    $ ssh-add -l
    1024 02:20:1d:50:78:c5:7c:56:7b:1d:e3:54:02:2c:99:76 grog@zaphod.example.org (RSA1)
    1024 95:d5:01:ca:90:04:7d:84:f6:00:32:7a:ea:a6:57:2d /home/grog/.ssh/id_rsa (RSA)
    1024 53:53:af:22:87:07:10:e4:5a:2c:21:31:ec:29:1c:5f /home/grog/.ssh/id_dsa (DSA)

    In this case, all three keys are set correctly. If you have, say, only an RSA1 (protocol Version 1) key, and the other end doesn't support protocol Version 1, ssh will ask for a password.

  • You get a message like this:

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!    @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that the DSA host key has just been changed.
    The fingerprint for the DSA key sent by the remote host is
    95:80:4c:fb:cc:96:1b:36:c5:c9:2b:cb:d1:d4:16:68.
    Please contact your system administrator.
    Add correct host key in /home/grog/.ssh/known_hosts2 to get rid of this message.
    Offending key in /home/grog/.ssh/known_hosts2:39

    There are two possible reasons for this message. As the message states, one is that somebody is trying to intercept the connection, and the other is that the remote system has changed its host key. The latter is by far the more common. To fix this problem, you have two choices:

    1. Edit your ~/.ssh/known_hosts2 file and remove references to the remote system. The message suggests changing line 39, but you might have more than one key for this system in this file. If one is wrong, there's a good chance that any others will be too, so you should remove all references.
    2. Add the following line to your ~/.ssh/config file:

       StrictHostKeyChecking no

       It doesn't remove the warning, but it allows you to connect anyway.
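The first choice above is easy to get wrong by hand, because the warning names only one line while the same system may appear on other lines under an alias, an address, or a [host]:port entry. The following POSIX sh script is an added example, not part of the lecture or of OpenSSH: it matches entries on the host-name field of each known_hosts line (the comma-separated first field), removes every entry for the host you name, and reports whether a host is still present. The sample file it works on is constructed here, with host names from the lecture and fake key material; entries in the hashed |1|salt|hash form that newer OpenSSH can write cannot be matched by name and are left alone.

```shell
#!/bin/sh
# Added example (not from the lecture): remove every known_hosts entry for one
# host, the first fix the text recommends. All lines whose host-name field
# names the host are removed, not just the one line the warning points at.
# Hashed "|1|salt|hash" entries cannot be matched by name and are kept.

# awk helper shared by both functions: field 1 of a known_hosts line is a
# comma-separated list of names/addresses. Return 1 if any of them is "host"
# or the "[host]:port" form used for non-standard ports.
match_prog='
function names_host(field, host,    n, names, i) {
    n = split(field, names, ",")
    for (i = 1; i <= n; i++)
        if (names[i] == host || index(names[i], "[" host "]:") == 1)
            return 1
    return 0
}'

# has_host_key FILE HOST: exit 0 if FILE still holds an entry for HOST.
has_host_key() {
    awk -v host="$2" "$match_prog"'
        names_host($1, host) { found = 1 }
        END { exit !found }' "$1"
}

# forget_host_key FILE HOST: rewrite FILE without any entry naming HOST;
# each removed line is echoed to stderr so the user sees what went away.
forget_host_key() {
    file=$1; host=$2; tmp="$file.tmp.$$"
    awk -v host="$host" "$match_prog"'
        names_host($1, host) { print "removed: " $0 > "/dev/stderr"; next }
        { print }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Constructed sample file: host names from the lecture, key material is fake.
# Line 3 is an RSA1-style entry (bits exponent modulus) for the bare address.
write_sample_known_hosts() {
    cat > "$1" <<'EOF'
freebie.lemis.com,223.147.37.65 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAFAKEKEYONE=
zaphod.example.org ssh-dss AAAAB3NzaC1kc3MAAACBFAKEKEYTWO=
223.147.37.65 1024 35 1234567890123456789FAKERSA1MODULUS
[freebie.lemis.com]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAFAKEKEYTHREE=
EOF
}

# Demonstration: forget the system under both its name and its address, since
# the text says to remove all references, and show what is left.
demo() {
    f=$(mktemp) || return 1
    write_sample_known_hosts "$f"
    forget_host_key "$f" freebie.lemis.com
    forget_host_key "$f" 223.147.37.65
    echo "--- remaining entries:"
    cat "$f"
    rm -f "$f"
}
demo
```

Matching is on whole list elements, so asking for lemis.com does not touch freebie.lemis.com. Current OpenSSH ships the same operation as ssh-keygen -R hostname, which also handles hashed entries; the script is useful for understanding what that command does and on systems without it.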

ssh includes debugging options that may help debug problems setting up connections. Use the -v option, up to three times, to get ssh to display largely undocumented information about what is going on. The output is pretty verbose; with three -v options you get nearly 200 lines of information.
