Ready to permanently give up on certificate-based SSH
I seem to be running into brick walls wherever I turn when trying to implement certificate-based SSH.
Just to put it out there: Prior to my attempts, I had disabled root access via SSH in /etc/ssh/sshd_config, so that the only way to SSH into my server was to use a limited user account on a 4-digit port, and from there utilize either SU or SUDO to get real work done. During my attempts below I re-enabled root access in order to test out the root certs.
With that said, let's cover this comedy of errors.
Trying to make a certificate through WHM/cPanel itself is a non-starter. While I can get almost everything to work correctly, the final putty/kitty-compatible .ppk file is a complete no-go. For example, I go to the "Manage root's SSH Keys" page, go to generate a new key, fill in the password (a nice long one with maximum security), choose RSA with 4096-bit length and select Generate Key. Presto - my keys are generated! But wait, I use Putty/Kitty to access my server. So I go to Private Keys and click on View/Download Key. Hey -- whattya know; there is a way to download a putty/kitty-compatible *.ppk file!! So I put in the password I used in the creation of the key, click Convert, and... nothing. Absolutely nothing. Yes, the page refreshes, but all I get is an empty (blank) textarea box with nothing to copypasta into a putty/kitty-compatible *.ppk file. And when I go into the server itself and check out ~/.ssh/ I do not see anything within that which is or can hold a *.ppk file. There is no ~/.ssh/putty/*.ppk file whatsoever for me to download and use, as some documentation would lead me to believe.
Okay, so not all is lost, as I have PuttyGen and should be able to convert my keys. So I copypasta the contents of the OpenSSH Private key into NotePad++, and save as temp.ppk. I then turn to PuttyGen, and import the temp.ppk file (it immediately prompts me for the passphrase, which successfully opens up the key and which tells me I am doing it right and that the copypasta'd ppk is not corrupted). I then go to the Actions section in that window and save the *.ppk file under the name root.ppk. I then open up Kitty, and using numerous guides online I create a profile and add the *.ppk file to the correct location (Connection/SSH/Auth) and put the username (root) into the correct place (Connection/Data). I go to connect and all I get is a Window with the single string, "SSH-2.0-OpenSSH_5.3". No login, no command prompt, nothing. Keep in mind that normal password-SSH works just fine via my other account. Any attempt to reconnect to that IP address throws an error message, "Network Error: address already in use". I have to reboot my entire server to get past this error message; simply restarting the sshd service is not sufficient.
So I decide that something is seriously wrong with the cPanel generated certificates, and I create my own pair locally using PuttyGen. Well, this is even more of a clusterfrack, as when I try to paste the resulting output into WHM, it refuses to accept my passphrase. Yup. No matter what I use as a passphrase (even a blank one), it refuses to accept it and refuses to upload my two keys.
So I am completely stuck here. When I try to use the normal in-WHM method of creating keys, I am prevented at every turn from either generating or using a putty-compatible *.ppk file to connect. And when I try to upload a pair of certs, WHM barfs all over my attempt and says "sorry, no cookie for you". Please understand, I am hardly a n00b; I have been in the IT industry for over 15 years at this point, and I am very incredulous that something so essential to security can be so frustratingly difficult to implement in a functional way.
If someone could break out the crayons and draw me a diagram of where I am going wrong, it would be greatly appreciated. Because the official docs have been followed step-for-step, and this is where I have ended up.
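An added check, not part of this thread or of cPanel's tooling: before a public key line is pasted into WHM or appended to authorized_keys, this parser decodes the base64 blob, walks the SSH wire-format strings, confirms the type prefix matches the type inside the blob, and reports the RSA modulus size, so a copy-paste corruption or a key that is not actually 4096-bit RSA is caught locally. The sample key line is constructed from a fake modulus and is not a real key.

```python
import base64
import struct

# RFC 4251 wire helpers: string = uint32 length + bytes; mpint = big-endian two's complement.
def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(n: int) -> bytes:
    # (bit_length + 8) // 8 leaves a leading 0x00 when the high bit would be set.
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def parse_public_key_line(line: str) -> dict:
    """Parse one '<type> <base64> [comment]' line and cross-check the blob."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob_b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except Exception as exc:
        raise ValueError(f"base64 blob is corrupt: {exc}")
    strings, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length field (paste cut short?)")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            raise ValueError("truncated string field (paste cut short?)")
        strings.append(blob[pos:pos + length])
        pos += length
    if not strings or strings[0] != key_type.encode("ascii"):
        raise ValueError("type prefix does not match the type inside the blob")
    info = {"type": key_type, "comment": " ".join(fields[2:])}
    if key_type == "ssh-rsa":
        if len(strings) != 3:
            raise ValueError("ssh-rsa blob must carry exactly e and n")
        info["exponent"] = int.from_bytes(strings[1], "big")
        info["bits"] = int.from_bytes(strings[2], "big").bit_length()
    return info

# Constructed sample: a 4096-bit placeholder modulus, NOT a real key.
CONSTRUCTED_N = (1 << 4095) | 0xDEADBEEF

def constructed_key_line() -> str:
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(CONSTRUCTED_N)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " root@example-host"
```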
Hello :) Please let us know if the following guide is helpful: Securing SSH. Thank you.
The only section which is relevant to my needs is the Advanced section, and it is missing information -- how do I convert the id_rsa into something that Putty/Kitty can use? Once again, using PuttyGen to convert it causes the same connection error as what was mentioned above. I need a foolproof method of creating a Putty/Kitty-compatible *.ppk file that will allow me to access my server without a "this certificate was rejected by the server" or the error I encountered in my OP. Using the raw id_rsa file gives me that first error, converting it causes the connection error mentioned above (a single string "SSH-2.0-OpenSSH_5.3", with any subsequent attempts on the same IP address claiming that the IP is already in use).
Could you open a support ticket using the link in my signature so we can take a closer look and see why that connection error is occurring? You can post the ticket number here so we can update this thread with the outcome. Thank you.