Hi Jacques,
Your guide highlighted a silly error where I had accidentally chopped
some of the trailing characters of the appropriate keygrip in
sshcontrol (Doh!). BTW I am using GnuPG 2.1.9
That's hard to spot... "Is this jumble of characters the same as the
one I just saw?"
I can now successfully get the response to ssh-add -L as expected.
Great!
Yep!
Anything there I am perhaps missing?
Are the server and the user account configured to accept authorized
keys? Are the permissions on ~/.ssh acceptable?
Do you have administrative access to the server in question? The
configuration for sshd can configure different authentication
possibilities to be offered, even per-user (or per-IP range).
But perhaps more likely is that ~/.ssh doesn't have the correct
permissions. If you have access to sshd's log: it will likely complain
verbally in the log about permission errors, even though you as a client
don't see it.
From the sshd manpage:
    ~/.ssh/authorized_keys
        Lists the public keys (DSA, ECDSA, ED25519, RSA) that can be used
        for logging in as this user. The format of this file is
        described above. The content of the file is not highly sensitive,
        but the recommended permissions are read/write for the
        user, and not accessible by others.

        If this file, the ~/.ssh directory, or the user's home directory
        are writable by other users, then the file could be modified or
        replaced by unauthorized users. In this case, sshd will not
        allow it to be used unless the StrictModes option has been set to
        “no”.
A good permission for ~/.ssh is 700. authorized_keys can be 755 or
less[1]. From the way the manpage is phrased, one would think one's home
directory can't be 775, even though that actually might make sense in
some setups. But if you don't want to be able to appoint people with
write permission, keep it on 755 or less. I think 755 is quite common;
750, 710 and 700 make sense as well.
HTH,
Peter.
[1] Less permissions, not numerically less. Don't go saying "677 is
less"! :)
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
<http://digitalbrains.com/2012/openpgp-key-peter>
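
The permission rule quoted from the sshd manpage in the message above, as an added example that is not part of the original message: a POSIX shell check that reports whether the home directory, ~/.ssh and authorized_keys are writable by group or others. The function names are hypothetical, and the check covers only the write bits the excerpt describes, not file ownership.

```shell
#!/bin/sh
# Added example (not from the original message): report which of the three
# paths named in the sshd manpage excerpt are writable by group or others.

# Print the octal permission bits of a path, following symlinks.
# Tries GNU stat first, then the BSD stat syntax.
mode_of() {
    stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1" 2>/dev/null
}

# Exit status 0: path exists and has no group/other write bit.
# Exit status 1: group or other write bit is set.
# Exit status 2: path is missing or cannot be inspected.
not_writable_by_others() {
    [ -e "$1" ] || return 2
    m=$(mode_of "$1") || return 2
    # A leading 0 makes the shell read the mode as octal; 022 masks the
    # write bit for group (020) and for others (002).
    [ $(( 0$m & 022 )) -eq 0 ]
}

# Check a home directory (default: $HOME), its .ssh directory and the
# authorized_keys file. Returns 0 only if all three exist and are safe.
check_ssh_perms() {
    home=${1:-$HOME}
    bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if not_writable_by_others "$p"; then
            echo "ok      $(mode_of "$p")  $p"
        elif [ -e "$p" ]; then
            echo "UNSAFE  $(mode_of "$p")  $p  (writable by group or others)"
            bad=1
        else
            echo "absent  ---  $p"
            bad=1
        fi
    done
    return "$bad"
}

# Check the account given as the first argument, or the current user's.
check_ssh_perms "${1:-$HOME}" || true
```

Run it on the server as the account that fails to log in; any line marked UNSAFE is a path sshd would refuse to trust while StrictModes is enabled.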