I got SSH to work just fine with Musicbox. I wanted however to make this a bit more secure with SSH keys. Is that possible at all?! I did try to create a .SSH directory and put there an “authorized_keys” file with a public key. It seemed though that Musicbox is completely oblivious to that.
the folder should be named “.ssh”, not “.SSH”
Sure. The post was inaccurate. The folder was named correctly: .ssh.
So, authorized_keys and Musicbox should work together?
How can I figure out why is it not working for me?
Hmm, if you can ssh to the musicbox I don’t see why it would be impossible to use ssh keys. Could you paste ssh logs from the musicbox and the output of the ssh login command that is failing?
It works just fine, I guess you have set it up incorrectly. I suggest you:
- Login to musicbox normally and delete whatever .ssh/.SSH folders you have created
- on the other machine, run
ssh-copy-id root@musicbox
and follow the simple instructions.
Kingosticks, I am not sure what you meant with “on the other machine”. In my setting there are basically 2 machines: one running Musicbox and a Windows machine running PuTTY.
I wrongly assumed your other machine was running Linux. I have no idea how to create a public/private keypair on Windows but presumably you do.
I think the only thing to say is that you must ensure that on musicbox ~/.ssh has permission 700 and ~/.ssh/authorized_keys has permission 600. This is important.
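The permission requirement above can be checked mechanically. The following shell function is an added example, not part of the original thread or of Musicbox; it assumes a `stat` that supports `-c` (GNU coreutils or BusyBox), and the function name `check_key_setup` is hypothetical.

```shell
#!/bin/sh
# Added example: audit the key-login prerequisites named in the thread.
# Usage: check_key_setup /root   (home directory of the account you log in as)
# Returns the number of problems found (0 = everything looks usable).
check_key_setup() {
    home=$1; dir="$home/.ssh"; file="$dir/authorized_keys"; problems=0

    # expect_mode PATH MODE: compare the octal permission bits of PATH to MODE.
    expect_mode() {
        actual=$(stat -c '%a' "$1")
        if [ "$actual" != "$2" ]; then
            echo "FAIL: $1 has mode $actual, expected $2"
            problems=$((problems + 1))
        fi
    }

    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is missing (the name is case-sensitive)"; return 1
    fi
    expect_mode "$dir" 700

    if [ ! -f "$file" ]; then
        echo "FAIL: $file is missing"; return $((problems + 1))
    fi
    expect_mode "$file" 600

    # Each entry must be "[options] key-type base64-blob [comment]" on ONE line.
    # A multi-line "---- BEGIN SSH2 PUBLIC KEY ----" export fails this check.
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in ''|'#'*) continue ;; esac
        if ! printf '%s\n' "$line" | grep -Eq '(^|[[:space:]])(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))[[:space:]]+[A-Za-z0-9+/]+=*([[:space:]]|$)'; then
            echo "FAIL: $file line $lineno is not a one-line OpenSSH public key"
            problems=$((problems + 1))
        fi
    done < "$file"

    [ "$problems" -eq 0 ] && echo "OK: $dir and $file look usable for key login"
    return "$problems"
}
```

Run it on the musicbox as `check_key_setup "$HOME"` while logged in as the account the key is meant for.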
Permissions were set correctly. My keypair is also Ok, I have used it before.
One of the symptoms I’ve encountered, is that I cannot connect to my port of choice (which I set in /etc/ssh/sshd_config to something different from 22, according to a manual I had used before). When I use the changed value to establish connection I am getting “connection timeout” messages. However, port 22 still gets me through (although no SSH key is required).
I began to suspect I was editing the wrong config file. Strangely enough I was able to locate 2 config files in /etc/ssh with very similar names: sshd_config and ssh_config. The other file (which I did not edit) has a “Port 22” line (though commented). So far I left ssh_config unchanged.
Could that be the root of my problem?
I would be happy to provide log files (as mczerski suggested) in case they are needed, but wouldn’t know how to produce them.
There is a firewall that blocks everything but the ports defined in /etc/firewall so you’d have to open the extra port.
And also, we don’t use open ssh server, we use dropbear. The config for that lives in /etc/default/dropbear (I think).
A log file might help, on linux you would do
ssh -v root@musicbox
but I don’t know the equivalent for putty.
It would be good to know all the changes you have made here and ideally just change one thing at a time.
Hey kingosticks, you’re doing a great job here. My poor knowledge of Linux will require me some learning before I can add a new port to iptables. I was naïve enough to think I could just edit this with nano…
I chose to make SSH keys my top priority but could find very little to educate me on Dropbear. I gather it uses authorized_keys just as Open SSH does. The Dropbear config file looks pretty lean on options, and I couldn’t really make out what should I be changing there (if anything). The Project webpage by Matt Johnston also did not hold too much info. I’d be grateful for any reference to Dropbear “How-To’s”.
Sorry for the late reply. Adding a port is really very simple if you modify what’s there already. Just identify port 22 in the firewall file and swap it for whatever port you want. You don’t have to get too much into iptables (which is not a fun task).
The dropbear config is indeed very sparse, it doesn’t have much of the configurability of open-ssh. But it does have a listen port setting so changing that and restarting dropbear should be sufficient (assuming you’ve opened that same port on the firewall).
Dropbear should be 100% compatible with open-ssh authorized_keys in ~/.ssh/.
ssh-copy-id (my original suggestion) is actually part of open-ssh but since it’s all compatible it just works exactly the same. There are various guides for using Dropbear with ssh keys online but most of them are focused on dropbear as the client, a situation where the keys are not compatible and must be converted, which isn’t relevant here. Another one I remember seeing was trying to put the authorized_keys in some weird other directory, no idea where they got that from.
Putty must have a verbose mode, that would help you here. Perhaps output the full .ssh directory listing, i.e.
ls -l ~/
also.
Don’t worry about it, I was also tied up lately with other projects.
So, I think I managed to add the desired port to iptables but was not able to make changes stick.
I tried using:
/sbin/service iptables save
but that gave me:
-bash: /sbin/service: No such file or directory
With SSH I have so far also had little success. I could verify that my keys do exist in /.ssh/authorized_keys, but it seems they go ignored as I could login without specifying any private key. I followed up on your suggestion and ran ssh -v root@musicbox. Here is what I got:
What exactly is that a log of? You seem to have logged into musicbox somehow (ssh with a password?) and then you are trying to login to the local machine. I thought you were logging in from your Windows machine. This wasn’t the use case I was expecting. Have I missed something?
I log on from PuTTY running on a Windows machine. When prompted I type in “root” and “Musicbox” as User & Password. The private keys are on a USB Stick connected to the PC where PuTTY is running. However, they never come into play. That’s really one of my problems. I could remove this stick and still logon.
The log I pasted is the result of me running ssh -v root@musicbox in the PuTTY window in this PC, while connected to Musicbox with root/Musicbox.
Does it make sense?
Right OK. I’m not sure that connecting to musicbox from musicbox is a useful thing to get working, because it is not what we are actually trying to do. It looks like you can make putty give you some logging information: https://stackoverflow.com/questions/27477658/save-putty-ouput-to-file-from-command-line