topic Re: SSH Version 3.71 Again in Operating System - HP-UX

SSH Version 3.71 Again

Ryan B — Tue, 18 May 2004 16:48:30 GMT

Hello~

Just going got done with my first install of SSH and I have another question. I created a key pair and copied the public key to the server I am trying to go to under the user name. I see in another post if I use key authentication and have .shosts configured I can do an scp withouth having to enter a password. Well, it's not working and I am wondering if anyone has an ideas. I don't care it's not recommended to not have a a password because we are just trying to learn it at this point...

Thanks,

Ryan

Re: SSH Version 3.71 Again

Sridhar Bhaskarla — Tue, 18 May 2004 17:26:44 GMT

Ryan,

RhostsAuthentication is a deprecated option for 3.7. So, I don't think it works anymore. But I haven't verified it on 3.7.1p1 as it is against our site policies.

There are couple of ways to go around the "passphrase" issue. One is less secured - Generate a key pair without a passphrase. For ex.,

$ssh-kehgen -t dsa -N ""

Then copy the id_dsa.pub to the remote host and append/copy it to $HOME/.ssh/authorized_keys file.

Then when you try ssh/scp/sftp, they shouldn't prompt for password.

The next one, more secured is to generate the key pair with a passphrase

$ssh-keygen -t dsa

It will prompt you to enter a pass-phrase. Again copy id_dsa.pub onto the remote host like the above. But this time, when you do ssh/scp/sftp, it will ask for the passphrase. Once supplied, it should let you login.

In this case, since again it is another level of interaction, you can read it into your memory using the following commands.

$ssh-agent > /home/user/.ssh/ssh-agent.conf
$ssh-add /home/user/.ssh/id_dsa
$. /home/user/.ssh/ssh-agent.conf
$ssh remote_host

Subsequent ssh sessions shouldn't ask you for either passphrase or passwords. But that's valid only for that terminal session. For a new terminal, you would need to run
$. /home/user/.ssh/ssh-agent.conf

Once you are done, kill the ssh-agent processes running on the system.

-Sri

Re: SSH Version 3.71 Again

Ryan B — Wed, 19 May 2004 08:07:40 GMT

Hey Sri~

Thanks for the reply. I will try this and reply with further questions

Ryan

Re: SSH Version 3.71 Again

Ryan B — Wed, 19 May 2004 09:00:18 GMT

Sri~

Thanks for the help, but it still is prompting for a password on scp.

debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password:

It is doing next authentication method: keyboard-interactive and I am wondering if there is a way to not have keyboard interaction????

I would like to use HP's version, but as you mentioned the shosts functionality probably won't work with this version...I will keep testing this and thanks for the help

Re: SSH Version 3.71 Again

Sridhar Bhaskarla — Wed, 19 May 2004 09:21:35 GMT

Ryan,

A good way to find the reason why the public/private key authentication is not working is to turn on the debugging on the server side on sshd daemon.

Stop the 'sshd' process on the remote host. Start it with -d switch.

#/opt/openssh/sbin/sshd -d (point to wherever it is installed

Then try connecting to the remote host and observe the debugged output on the server's sshd daemon.

It's most probably permissions on the home directory of the user on the remote host. To verify it, set the permissions to 700 and go from there. Or make "StrictModes no" in the sshd_config, restart sshd and try it again.

-Sri

Re: SSH Version 3.71 Again

Steven E. Protter — Wed, 19 May 2004 10:08:23 GMT

I'm attaching a document that may help with this matter. Its been very useful to me in the past. I no longer use X windows for the edits, I use cat and other commands.

Permissions should be checked.

SEP

Re: SSH Version 3.71 Again

Ryan B — Wed, 19 May 2004 10:27:29 GMT

Sri~

Thanks! The StrictMode = no with the public keys did what I needed. However, one more question becuase it was complaining about the permissions as you mentioned, what is it expecting for permissions on /userhome and ~/.ssh? Also, what ownership??

Thanks Again

Re: SSH Version 3.71 Again

Sridhar Bhaskarla — Wed, 19 May 2004 10:38:08 GMT

Hi Ryan,

If the "StrictMode" is set to yes, then sshd will look for potential permissions issues with the home directory and .ssh directories of the user logging in.

The home directory should be owned by it's user with maximum permissions of 755. You will be able to determine the files/directories that violated the permissions from the sshd -d output.

These are the good things that are offered by ssh.

-Sri

PS: Since you are experimenting with ssh, I would suggest you try all the options and see how they work. There is a good documentation at openssh.org website.

Re: SSH Version 3.71 Again

Ryan B — Wed, 19 May 2004 12:51:55 GMT

Sri or Anyone that is still monitoring this post...

The $ssh-keygen -t dsa -N "" worke for what I was testing, but I know installed the Strong Random Number Generator for this 11i version 1 system. If I use the keygen mentioned, does it still create a key with the Random Number Generator or does the Random Number Generator do me no god with this type of keygen? I hope that makes sense...

Thanks again for all the help!

Re: SSH Version 3.71 Again

Sridhar Bhaskarla — Wed, 19 May 2004 13:46:46 GMT

Ryan,

You will get your answer when you run "ssh -vvv remotehost". In short it is YES.

For the systems that do not have KRNG installed, it will generate the seed using the commands in the file ssh-rand-helper which will is slower.

$ssh -vvv remote_host
...
debug1: Reading configuration data /opt/openssh2/etc/ssh_config
debug3: Seeding PRNG from /opt/openssh2/libexec/ssh-rand-helper

*****In the above you will see it waiting for sometime********

debug2: ssh_connect: needpriv 0
..

With KRNG installed, the random string will be readily available from the random device and the response will be almost instant.

$ssh -vvv remote_host
...
debug1: Reading configuration data /opt/openssh2/etc/ssh_config
debug3: RNG is ready, skipping seeding

*** See the above, it's immediate ****

debug2: ssh_connect: needpriv 0
..

-Sri

Re: SSH Version 3.71 Again

Steven E. Protter — Wed, 19 May 2004 13:59:41 GMT

When compared with an 11.00 system without the strong random number generator to an 11.11 system with the generator, the effect seems pretty dramatic.

You get the numeric data you need faster, boosting performance.

There strong random generator helps in a number of ways, increasing the randomness in testing. There is no downside that I know of.

SEP

Re: SSH Version 3.71 Again

Ryan B — Thu, 20 May 2004 08:06:04 GMT

Thanks again for all your help. I am sure I will have further questions, but I will open a new post if that is the case.

Thanks Again,

Ryan