Ready to permanently give up on certificate-based SSH

Discussion in 'Security' started by rekabis, Oct 29, 2014.

  1. rekabis (Member; cPanel Access Level: Root Administrator)
    I seem to be running into brick walls wherever I turn when trying to implement certificate-based SSH.

    Just to put it out there: Prior to my attempts, I had disabled root access via SSH in /etc/ssh/sshd_config, so that the only way to SSH into my server was to use a limited user account on a 4-digit port, and from there utilize either su or sudo to get real work done. During my attempts below I re-enabled root access in order to test out the root certs.

    With that said, let's cover this comedy of errors.

    Trying to make a certificate through WHM/cPanel itself is a non-starter. While I can get almost everything to work correctly, the final putty/kitty-compatible .ppk file is a complete no-go. For example, I go to the “Manage root’s SSH Keys” page, go to generate a new key, fill in the password (a nice long one with maximum security), choose RSA with 4096-bit length and select Generate Key. Presto - my keys are generated! But wait, I use Putty/Kitty to access my server. So I go to Private Keys and click on View/Download Key. Hey -- whattya know; there is a way to download a putty/kitty-compatible *.ppk file!! So I put in the password I used in the creation of the key, click Convert, and… nothing. Absolutely nothing. Yes, the page refreshes, but all I get is an empty (blank) textarea box with nothing to copypasta into a putty/kitty-compatible *.ppk file. And when I go into the server itself and check out ~/.ssh/ I do not see anything within that which is or can hold a *.ppk file. There is no ~/.ssh/putty/*.ppk file whatsoever for me to download and use, as some documentation would lead me to believe.

    Okay, so not all is lost, as I have PuttyGen and should be able to convert my keys. So I copypasta the contents of the OpenSSH Private key into NotePad++, and save as temp.ppk. I then turn to PuttyGen, and import the temp.ppk file (it immediately prompts me for the passphrase, which successfully opens up the key and which tells me I am doing it right and that the copypasta’d ppk is not corrupted). I then go to the Actions section in that window and save the *.ppk file under the name root.ppk. I then open up Kitty, and using numerous guides online I create a profile and add the *.ppk file to the correct location (Connection/SSH/Auth) and put the username (root) into the correct place (Connection/Data). I go to connect and all I get is a window with the single string, “SSH-2.0-OpenSSH_5.3”. No login, no command prompt, nothing. Keep in mind that normal password-SSH works just fine via my other account. Any attempt to reconnect to that IP address throws an error message, “Network Error: address already in use”. I have to reboot my entire server to get past this error message; simply restarting the sshd service is not sufficient.

    So I decide that something is seriously wrong with the cPanel generated certificates, and I create my own pair locally using PuttyGen. Well, this is even more of a clusterfrack, as when I try to paste the resulting output into WHM, it refuses to accept my passphrase. Yup. No matter what I use as a passphrase (even a blank one), it refuses to accept it and refuses to upload my two keys.

    So I am completely stuck here. When I try to use the normal in-WHM method of creating keys, I am prevented at every turn from either generating or using a putty-compatible *.ppk file to connect. And when I try to upload a pair of certs, WHM barfs all over my attempt and says “sorry, no cookie for you”. Please understand, I am hardly a n00b; I have been in the IT industry for over 15 years at this point, and I am very incredulous that something so essential to security can be so frustratingly difficult to implement in a functional way.

    If someone could break out the crayons and draw me a diagram of where I am going wrong, it would be greatly appreciated. Because the official docs have been followed step-for-step, and this is where I have ended up.
     
    #1 rekabis, Oct 29, 2014
    Last edited: Oct 29, 2014
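The server-side half of what the first post is fighting with, as an added example that is not part of the thread and not cPanel/WHM's own code. The point it makes: the .ppk file is purely a PuTTY/KiTTY client artifact; the server never sees it and only reads the OpenSSH-format public key line from ~/.ssh/authorized_keys, and sshd ignores that file when directory or file modes are too loose. The script does by hand what WHM's "Manage root's SSH Keys" page automates, against a scratch directory; the sample key line is constructed placeholder text, not real key material, and the function and file names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or from cPanel/WHM. Installs an OpenSSH
# public key for key-based login and sets the sshd_config directives the
# thread touches. Assumes POSIX sh with a GNU or BSD userland.
set -eu

# Constructed sample public key line (NOT real key material; the blob is a
# placeholder and will not authenticate anything).
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDFakePlaceholderKeyMaterial== root@example'

# install_authorized_key HOMEDIR "PUBKEY LINE"
# Appends the key exactly once and sets the modes sshd's StrictModes (on by
# default) insists on: ~/.ssh 700, authorized_keys 600. A group- or
# world-writable file is silently ignored, and the login then falls back to
# password or fails, which looks exactly like "the key was rejected".
install_authorized_key() {
  home=$1; key=$2
  case $key in
    'ssh-rsa '*|'ssh-ed25519 '*|'ecdsa-sha2-'*) ;;
    *) echo "refusing: not an OpenSSH public key line (was a .ppk or the" \
            "private key pasted instead?)" >&2; return 1 ;;
  esac
  mkdir -p "$home/.ssh"
  chmod 700 "$home/.ssh"
  : >> "$home/.ssh/authorized_keys"
  chmod 600 "$home/.ssh/authorized_keys"
  grep -qxF -- "$key" "$home/.ssh/authorized_keys" ||
    printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
}

# set_sshd_option CONFIG KEY VALUE
# Replaces any existing (or commented-out) "KEY ..." line with "KEY VALUE".
# Avoids sed -i, whose syntax differs between GNU and BSD.
set_sshd_option() {
  cfg=$1; name=$2; value=$3
  tmp=$cfg.tmp
  grep -v -E "^[[:space:]]*#?[[:space:]]*$name([[:space:]]|\$)" "$cfg" > "$tmp" || true
  printf '%s %s\n' "$name" "$value" >> "$tmp"
  mv "$tmp" "$cfg"
}

# Demo against a scratch directory so nothing on the real host is touched.
demo() {
  d=$(mktemp -d)
  install_authorized_key "$d" "$SAMPLE_KEY"
  install_authorized_key "$d" "$SAMPLE_KEY"      # second call is a no-op
  printf '#PermitRootLogin yes\nPasswordAuthentication yes\nPort 22\n' > "$d/sshd_config"
  # OpenSSH 5.3 (the banner quoted in the thread) understands
  # "without-password"; the "prohibit-password" spelling only exists
  # from OpenSSH 7.0 on, so use the older keyword on that server.
  set_sshd_option "$d/sshd_config" PermitRootLogin without-password
  set_sshd_option "$d/sshd_config" PubkeyAuthentication yes
  set_sshd_option "$d/sshd_config" PasswordAuthentication no
  cat "$d/.ssh/authorized_keys" "$d/sshd_config"
  echo "scratch files in $d"
}

demo
```

Only flip PasswordAuthentication to no after a key login has been verified from a second session, or the limited password account described above is locked out too. On the client side, the OpenSSH private key pasted into a file named temp.ppk is still OpenSSH format; PuTTYgen's import handles that regardless of the extension, and on Linux the putty-tools package can do the same conversion non-interactively with `puttygen id_rsa -o id_rsa.ppk`. When a connection stalls right after the server banner, `ssh -v` on an OpenSSH client, or a temporary `sshd -d` on a spare port on the server, shows which side stopped talking.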
  2. cPanelMichael (Forums Analyst, Staff Member; cPanel Access Level: Root Administrator)
  3. rekabis (Member; cPanel Access Level: Root Administrator)
    The only section which is relevant to my needs is the Advanced section, and it is missing information -- how do I convert the id_rsa into something that Putty/Kitty can use? Once again, using PuttyGen to convert it causes the same connection error as what was mentioned above. I need a foolproof method of creating a Putty/Kitty-compatible *.ppk file that will allow me to access my server without a “this certificate was rejected by the server” or the error I encountered in my OP. Using the raw id_rsa file gives me that first error, converting it causes the connection error mentioned above (a single string “SSH-2.0-OpenSSH_5.3”, with any subsequent attempts on the same IP address claiming that the IP is already in use).
     
    #3 rekabis, Oct 29, 2014
    Last edited: Oct 29, 2014
  4. cPanelMichael (Forums Analyst, Staff Member; cPanel Access Level: Root Administrator)
    Could you open a support ticket using the link in my signature so we can take a closer look and see why that connection error is occurring? You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     