topic Re: openssh client ignores public key authentication in Operating System - HP-UX

openssh client ignores public key authentication

Peter Kielbasiewicz — Wed, 18 Feb 2004 08:02:40 GMT

Hello,

I have compiled openssh 3.6.1p1 and 3.7.1p2 for HPUX 10.20 (unfortunately we can not migrate to HPUX 11xx for various reasons)
Due to some security bugs we need to use 3.7.1p2.
With 3.6.1p1 I was able to connect from HPUX via public key so that I could run non-interactive commands and logins.
With 3.7.1p2 the ssh client on HPUX completely fails to authenticate via public key.
I have attached the debug output and I would greatly appreciate if someone had a solution to my problem.

Detailed description:
The sshd daemon works OK. I can use public key authentication from Linux or Windows TO HPUX without problems.
The public/private key pair is rsa-2 and it is OK as it works between Linux systems and also FROM Linux or Windows TO my HPUX Machine.
When I try ssh FROM HPUX to other hosts or even to myself (as done in the attached example) sshd always asks for a password.
It seems that the ssh client skips the public key authentication step as can be seen from the debug output.
I even tried to enable rhost authentication but the effect was the same, the authentication step is simply skipped.

As HP-UX does not support PAM I did not use the with-pam flag for compilation.
The openssh version 3.6.1p1 does not show the described effect, i.e. I can connect from HP-UX using public key authentication without problems.

Does anybody have a clue what is going on here?

Peter Kielbasiewicz
Philips medical systems Germany

Re: openssh client ignores public key authentication

Steven E. Protter — Wed, 18 Feb 2004 08:08:49 GMT

Run through the doc I'm attaching, pay special attention to the permissions. I use cat instead of X but you get the idea.

SEP

Re: openssh client ignores public key authentication

RAC_1 — Wed, 18 Feb 2004 08:14:53 GMT

Seems it has to somewith with config files.

Is there some setting (may be in sshd_config/ssh_config file) that talks about preferred authentication method.
(This is there in HP's ssh version)

Setting this to exchange of public/private keys should resolve your problem.

Re: openssh client ignores public key authentication

Zeev Schultz — Wed, 18 Feb 2004 08:40:31 GMT

As far as I remember password was required
after ssh session for some reason passed over
public key and moved to pam authentication (which in hp-ux goes by default to /etc/password). I'd check proper libraries (~/.ssh if I'm correct) permissions.The compile flags for 3.6 and 3.7 were the same?

It could also be a matter of configuration, compare ssh_config for both 3.6 and 3.7.

Re: openssh client ignores public key authentication

Zeev Schultz — Wed, 18 Feb 2004 09:04:57 GMT

by the way this a full (i guess) page
for ssh possible authentication errors, pass over and check:

http://secu.zzu.edu.cn/book/NetWork/NetworkingBookshelf_2ndEd/ssh/ch12_02.htm

Re: openssh client ignores public key authentication

Peter Kielbasiewicz — Wed, 18 Feb 2004 09:42:27 GMT

I am aware of critical access rights to the files and directories and they are correct.
As I said I can connect from other platforms to my HPUX sshd daemon with my private key, so there is no problem here.
For testing I just ssh to myself on my HPUX box.
When I use openssh 3.6.1p1 everything works fine so access rights and my public/private key pair must be correct.
As can be seen from the debug output openssh 3.7.1p2 just says that it did not send a packet (see below), i.e. it does not even try to use the key authentication.
The problem is definitely on the ssh side not on the sshd daemon.
I have attached my ssh_config file which is just the defaults that I got from the sources and it is the same as with 3.6.1p1.
Also I think my compilation can not have problems with library access rights as in both versions of ssh I have compiled a statically linked package so that I do not need any extra packages like zlib, openssl or tcp_wrappers.
For reference I have also attached my compile script.

debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply

Re: openssh client ignores public key authentication

Theodore Pardike — Thu, 19 Feb 2004 10:00:14 GMT

Peter,

I came across the same problem with HP-UX 11.00. If you search through the "List Archive" on the Openssh site, you will find that the problem you are experiencing has been an issue on HP-UX with all releases after OpenSSH_3.6.1p1.

My solution was as follows:

1. Retain OpenSSH_3.6.1p1 and implement the
patch found at
http://openssh.com/txt/buffer.adv.
2. I couldn't figure out how the HP "patch"
command worked on HP-UX, so I installed
the patch on a Linux box and copied the
source over to the HP server to compile.
Did the following on a Linux box:
cp patch.txt openssh-3.6.1p1
cd openssh-3.6.1p1
patch < patch.txt

Hope this helps (with 10.20)...

Ted