Re: SSH / permissions problem

Tue, 13 Jul 2010 10:37:54 -0700 

On 07/13/2010 09:49 AM, Gary Stainburn wrote:
> Hi folks,
>
> This seems like de ja vu, but I can't find anything in the archives.
>
> I've got F13 on my laptop, and also on a new virtual server.
>
> I've copied my home directory from my old server to my new one and then tried
> to ssh to the new server.  However, I have a problem
>
> If I ssh to root on the new server everything is fine, but if I ssh to my user
> I get errors and X forwarding doesn't work.
>
> Can anyone suggest things for me to look at / try.
>
> Gary
>
> [g...@dcomp5 ~]$ ssh -Y -C lcomp3 -l root
> r...@lcomp3's password:
> Last login: Tue Jul 13 16:04:20 2010 from gary.ringways.co.uk
> [r...@lcomp3 ~]# kcalc
> [r...@lcomp3 ~]# logout
> [g...@dcomp5 ~]$ ssh -Y -C lcomp3
> g...@lcomp3's password:
> Last login: Tue Jul 13 15:55:16 2010 from gary.ringways.co.uk
> /usr/bin/xauth:  timeout in locking authority file /home/gary/.Xauthority
> [g...@lcomp3 ~]$ kcalc
> X11 connection rejected because of wrong authentication.
> kcalc: cannot connect to X server localhost:11.0
> [g...@lcomp3 ~]$
>
>    


When you copy over a .ssh directory, there are at least two things to 
consider:

1. permissions.
     $ scp -rp .ssh <target_host>:

2. do you really want your private key on the target system?  Probably 
all you wanted was to be able to login with ssh key authentication.  To 
do that, you should run:
    $ ssh-copy-id <target_host>:

If you allow your private key to reside on other systems, then that key 
can be used against you quite easily.  If only the public key is exposed 
in authorized_keys, your account is as secure as it can be.

Rule of thumb is: never expose a private key on a host with direct 
internet access, like a web server.  Use only one private key on your 
desktop, and use ssh-copy-id to set up public keys for any remote ssh 
access.

If you want access to those servers from another system, like a laptop, 
generate a new private key on the laptop and use ssh-copy-id again to 
enable ssh access to the other systems.

Good Luck!
-- 
users mailing list
[email protected]
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

Reply via email to