having some trouble using another user's RSA/DSA keys
Jim Breton
jamesb-lists at alongtheway.com
Wed Oct 25 12:08:09 EST 2000
Debian GNU/Linux 2.2 (potato), openssh-2.2.0p1
Configured with: --prefix=/usr/local/openssh --enable-gnome-askpass
--with-tcp-wrappers --with-ipv4-default --with-ipaddr-display
My goal here is to, as root, forward a local privileged port over an
ssh tunnel to another host using a normal user's login, i.e.:
root:# ssh -2 -l jamesb -i ~jamesb/.ssh/id_dsa -L 26:localhost:25 remotehost
So far, I am finding it impossible or impractical to do this. Am I doing
something wrong? Here's a description of my experiences:
1) First I tried it as shown above, specifying the unprivileged user's
key on the command line with the -i switch. But for some reason I was
still prompted for the password. So, then I try it with the -v option
and observe this:
# ssh -v -2 -l jamesb -i ~jamesb/.ssh/id_dsa <remotehost>
::snip::
debug: key does not exist: /root/.ssh/id_dsa
Note that it is _still_ trying to use root's id_dsa key (root does not
actually have one) despite my -i argument on the command line.
2) Next I tried specifying jamesb's dsa key in ~root/.ssh/config:
IdentityFile2 ~jamesb/.ssh/id_dsa
Then I got the following output:
debug: try pubkey: /home/jamesb/.ssh/id_dsa
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Bad ownership or mode(0600) for '/home/jamesb/.ssh/id_dsa'.
It is recommended that your private key files are NOT accessible by
others.
Enter passphrase for DSA key '/home/jamesb/.ssh/id_dsa':
I believe those warnings about invalid permissions on the key file to
be in error, considering I can read everything as root anyway. Also, I
was forced to supply the passphrase for the key. The passphrase in this
case is blank, and after hitting Enter, I was told that this is invalid
and then was prompted for the login password (which succeeded).
3) The last thing I have tried is to make a copy of jamesb's dsa key and
put it in ~root/.ssh/id_dsa. This works, but it is not reasonable to have
to do this for my needs.
I should also note that on a friend's machine, using the Debian package
of OpenSSH version/build 1.2.3-9, I do not have this problem. I can
connect to that same remote host as root, using another user's key login,
without all this hassle.
Thanks for any help!
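As an added illustration (not part of the original post or of OpenSSH itself), the shell function below re-creates the ownership-and-mode test that produces the "Bad ownership or mode" warning quoted above, so the condition can be checked before ssh is run. It assumes POSIX `ls`, `id` and `cut`, and it treats a key as acceptable only when it is owned by the invoking user and has no group or other permission bits (0600 or stricter). The sample file it checks is a constructed placeholder, not a real key.

```sh
#!/bin/sh
# Added example, not code from the original post or from OpenSSH.
# Reproduces the private-key ownership/mode check as a standalone
# function so the warning in the post can be understood and tested.

# check_private_key FILE
# Returns 0 if FILE is a regular file owned by the current user with no
# group/other permission bits; prints a diagnostic and returns 1 otherwise.
check_private_key() {
    f=$1
    [ -f "$f" ] || { echo "no such key file: $f"; return 1; }
    # ls -ld output, e.g. "-rw------- 1 jamesb jamesb 668 Oct 25 12:00 id_dsa"
    set -- $(ls -ld "$f")
    mode=$1
    owner=$3
    me=$(id -un)
    if [ "$owner" != "$me" ]; then
        echo "bad ownership for '$f': owned by $owner, running as $me"
        return 1
    fi
    # The first 4 chars are type + owner bits; chars 5-10 are group/other.
    # A trailing '.' or '+' (ACL/SELinux markers) is tolerated by the '*'.
    case "$mode" in
        ????------*) ;;
        *) echo "bad mode for '$f': $mode (group/other bits set)"; return 1 ;;
    esac
    echo "ok: $f"
    return 0
}

# demo: constructed placeholder file, checked before and after chmod 600.
demo() {
    d=$(mktemp -d)
    printf 'constructed placeholder, not a real key\n' > "$d/id_dsa"
    chmod 644 "$d/id_dsa"
    check_private_key "$d/id_dsa"   # diagnostic: group/other bits set
    chmod 600 "$d/id_dsa"
    check_private_key "$d/id_dsa"   # ok
    rm -rf "$d"
}

demo
```

The owner comparison is the part that bites in the situation described in the post: running as root against a file owned by jamesb fails the check regardless of the mode bits, which is why copying the key into ~root/.ssh satisfies ssh while pointing at ~jamesb/.ssh does not.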