topic Re: Problem with rsa key access in Operating System - HP-UX

Problem with rsa key access

AsKZ — Thu, 14 Sep 2006 23:06:39 GMT

Hi all, please, please, help me to resolve next problem:

itanium@root #uname -a
HP-UX itanium B.11.23 U ia64 0685126137 unlimited-user license
itanium@root #ssh -v
OpenSSH_4.3p2-hpn, OpenSSL 0.9.7i 14 Oct 2005
HP-UX Secure Shell-A.04.30.015, HP-UX Secure Shell version

itanium@root #ssh-keygen -t rsa
Generating public/private rsa key pair.
Please be patient.... Key generation may take a few minutes
Enter file in which to save the key (//.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in //.ssh/id_rsa.
Your public key has been saved in //.ssh/id_rsa.pub.
The key fingerprint is:
f5:0b:67:42:42:17:b3:5b:a6:b0:79:94:12:6e:0a:d9 root@itanium
itanium@root #ll
total 48
-rw------- 1 root sys 1675 Sep 14 22:02 id_rsa
-rw-r--r-- 1 root sys 394 Sep 14 22:02 id_rsa.pub
-rw-r--r-- 1 root sys 686 Sep 8 03:25 known_hosts
itanium@root #cp id_rsa.pub authorized_keys
itanium@root #ll
total 64
-rw-r--r-- 1 root sys 394 Sep 14 22:02 authorized_keys
-rw------- 1 root sys 1675 Sep 14 22:02 id_rsa
-rw-r--r-- 1 root sys 394 Sep 14 22:02 id_rsa.pub
-rw-r--r-- 1 root sys 686 Sep 8 03:25 known_hosts

itanium@root #ssh -v itanium
OpenSSH_4.3p2-hpn, OpenSSL 0.9.7i 14 Oct 2005
HP-UX Secure Shell-A.04.30.015, HP-UX Secure Shell version
debug1: Reading configuration data /opt/ssh/etc/ssh_config
debug1: Connecting to itanium [192.168.1.223] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/3
debug1: identity file /.ssh/id_rsa type 1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3p2-hpn
debug1: match: OpenSSH_4.3p2-hpn pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3p2-hpn
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'itanium' is known and matches the RSA host key.
debug1: Found key in /.ssh/known_hosts:3
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: Next authentication method: publickey
debug1: Offering public key: /.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: Next authentication method: keyboard-interactive
Password:
itanium@root #

So, trusts not working.
How additional information i must attach to resolve this problem?
Really problem with more 2 hosts, for best example, i attach info about one host.

Re: Problem with rsa key access

Mel Burslan — Fri, 15 Sep 2006 00:08:13 GMT

chmod 640 authorized_keys
chmod 700 ~root/.ssh

then try it again. sshd is very picky about the permissions of the .ssh directory and the authorized_keys file.

hope this helps.

Re: Problem with rsa key access

Rajeev Shukla — Fri, 15 Sep 2006 00:22:18 GMT

Yes thats right ssh doesn't behave well if the permissions are incorrect
have your ~root/.ssh/authorized_keys to 600 and ~root/.ssh to 700
Also look at the messages in syslog for more info

Re: Problem with rsa key access

AsKZ — Fri, 15 Sep 2006 01:27:26 GMT

itanium@root #ll -d /.ssh/ /.ssh/authorized_keys
drwx------ 2 root sys 8192 Sep 14 22:06 /.ssh/
-rw------- 1 root sys 394 Sep 14 22:06 /.ssh/authorized_keys
itanium@root #
itanium@root #ssh -v itanium
OpenSSH_4.3p2-hpn, OpenSSL 0.9.7i 14 Oct 2005
HP-UX Secure Shell-A.04.30.015, HP-UX Secure Shell version
debug1: Reading configuration data /opt/ssh/etc/ssh_config
debug1: Connecting to itanium [192.168.1.223] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/3
debug1: identity file /.ssh/id_rsa type 1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3p2-hpn
debug1: match: OpenSSH_4.3p2-hpn pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3p2-hpn
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'itanium' is known and matches the RSA host key.
debug1: Found key in /.ssh/known_hosts:3
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: Next authentication method: publickey
debug1: Offering public key: /.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: Next authentication method: keyboard-interactive
Password:
itanium@root #

Re: Problem with rsa key access

Mel Burslan — Fri, 15 Sep 2006 13:45:02 GMT

could you possibly cut-n-paste the output of this command :

grep -v ^# /opt/ssh/etc/sshd_config

Re: Problem with rsa key access

AsKZ — Mon, 18 Sep 2006 00:25:26 GMT

root@sgds3# grep -v ^# /opt/ssh/etc/sshd_config | strings
Protocol 2
HostKey /opt/ssh/etc/ssh_host_key
HostKey /opt/ssh/etc/ssh_host_rsa_key
HostKey /opt/ssh/etc/ssh_host_dsa_key
KerberosAuthentication yes
GSSAPIAuthentication yes
UsePAM yes
X11Forwarding yes
X11UseLocalhost no
UseDNS no
Subsystem sftp /opt/ssh/libexec/sftp-server

Re: Problem with rsa key access

AsKZ — Mon, 18 Sep 2006 00:38:39 GMT

Sorry, previous information about another host. For original host, next configuration:

itanium@root #grep -v ^# /opt/ssh/etc/sshd_config | strings
Protocol 2
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
HostbasedAuthentication yes
KerberosAuthentication yes
UsePAM yes
X11Forwarding yes
X11UseLocalhost no
Subsystem sftp /opt/ssh/libexec/sftp-server

itanium@root #grep -v ^# /opt/ssh/etc/ssh_config | strings
RSAAuthentication yes
PasswordAuthentication yes
HostbasedAuthentication no
IdentityFile ~/.ssh/id_rsa
Protocol 2

Thanks for answers, i`m already resolve problem.

Re: Problem with rsa key access

AsKZ — Mon, 18 Sep 2006 00:46:51 GMT

One of previous administrators.. Set owner for "/" another of "root" user.

Thank`s for all )