topic Re: Differences between SSH versions on HP-UX 11iv2 in Operating System - HP-UX

Differences between SSH versions on HP-UX 11iv2

Jamie A Dennis — Thu, 26 Mar 2009 13:05:19 GMT

Hello,

I've seen several threads similar to this, but nothing addressing this specifically.

We have an HP-UX 11.23 server which serves as a jump server to other HP-UX servers. This server runs Tectia SSH:

server_a# ssh -V

ssh: SSH Tectia Server 4.1.0 on
Build: 34
Released 2004-06-07 (YYYY-MM-DD).
Crypto library version: SSH Cryptographic Library, version 1.2.4
FIPS certification mode: DISABLED
Product: SSH Tectia Server

This server CAN ssh without password to other servers in the environment which are running this version of SSH:

server_b# ssh -V

OpenSSH_4.5p1+sftpfilecontrol-v1.1-hpn12v14, OpenSSL 0.9.7l 28 Sep 2006
HP-UX Secure Shell-A.04.50.021, HP-UX Secure Shell version

and works on this version:
server_d# ssh -V
OpenSSH_4.4p1-hpn12v11, OpenSSL 0.9.7l 28 Sep 2006
HP-UX Secure Shell-A.04.40.007, HP-UX Secure Shell version

but it can NOT ssh without password to servers running this version:

server_c# ssh -V

OpenSSH_5.0p1+sftpfilecontrol-v1.2-hpn13v1, OpenSSL 0.9.7m 23 Feb 2007
HP-UX Secure Shell-A.05.00.022, HP-UX Secure Shell version

What we see when we ssh from server_a to server_c is the following: (using ssh -vvv server_c)

debug: server offers auth methods 'publickey,password,keyboard-interactive'.
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:1766: Starting pubkey auth...
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:1722: Agent is not running.
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:1513: Got 0 keys from the agent.
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:1293: Trying to add external certificate, key count = 0.
debug: SshUnixUserFiles/sshunixuserfiles.c:366: Using '/.ssh2/identification' as identity file.
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:1634: adding keyfile "/.ssh2/admin" to candidates
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:1634: adding keyfile "/.ssh2/admin_openssh" to candidates
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:1493: Trying 2 key candidates.
debug: server offers auth methods 'publickey,password,keyboard-interactive'.
debug: server offers auth methods 'publickey,password,keyboard-interactive'.
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:876: All keys declined by server, disabling method.
debug: SshProtoAuthClient/sshauthc.c:317: Method 'publickey' disabled.
debug: server offers auth methods 'publickey,password,keyboard-interactive'.
debug: Ssh2AuthPasswdClient/authc-passwd.c:247: Starting password query...
root's password:

Nothing has changed with server_a or server_b. We use the same keys to distribute to other servers to enable "trusted root", and it has worked great until we got the release of SSH that server_c is using. I don't think it is a permissions problem as the perms are the same on the working and non-working.

Has anyone else experienced this situation? If so, what advice can you give on this?

Thanks, and best regards,

Jamie

Re: Differences between SSH versions on HP-UX 11iv2

Ganesan R — Thu, 26 Mar 2009 13:18:16 GMT

Hi,

Though you confirmed not the permission issue, did any chance the SSH version changed the existing permissions?

Could you verify the following permissions?

Home directory should have 755 permission (users home directory)
$HOME/.ssh directory should have 700 permission
$HOME/.ssh/authorized_keys file should have 600 permission

Re: Differences between SSH versions on HP-UX 11iv2

Steven E. Protter — Thu, 26 Mar 2009 13:23:56 GMT

Shalom,

These problems are typically ownership/permission issues on the configuration files in .ssh directory or the directory itself.

The following document contains the information you need to correct this:
http://www.hpux.ws/?p=10

I have never used the third party server you also tried, because openssh (HP calls it secure shell) has always worked just fine for me.

SEP

Re: Differences between SSH versions on HP-UX 11iv2

Jamie A Dennis — Thu, 26 Mar 2009 13:32:10 GMT

As I mentioned in my post, the permissions are the same on both the working and non-working servers, so I don't think this is a permissions issue. I believe it to be a problem with ssh version : HP-UX Secure Shell-A.05.00.022, HP-UX Secure Shell version. All servers which are having this issue are using this version, all others are working fine.

Re: Differences between SSH versions on HP-UX 11iv2

Ivan Krastev — Thu, 26 Mar 2009 13:38:38 GMT

Check sshd_config files for the key authentication methods. See in log:
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:876: All keys declined by server, disabling method.
debug: SshProtoAuthClient/sshauthc.c:317: Method 'publickey' disabled.

regards,
ivan

Re: Differences between SSH versions on HP-UX 11iv2

Ivan Krastev — Thu, 26 Mar 2009 13:43:49 GMT

And see this in the release notes here - http://docs.hp.com/en/T1471-90032/ch01s06.html

HP-UX Secure Shell user authentication using public-key fails in a server environment if UsePAM is set to YES and pam.conf is set to PAM_LDAP.

Workaround: HP recommends the PAM_AUTHZ mechanism for HP-UX Secure Shell environments that use public-key authentication with PAM_LDAP-based account management.

regards,
ivan

Re: Differences between SSH versions on HP-UX 11iv2

Jamie A Dennis — Thu, 26 Mar 2009 17:38:55 GMT

Ok, I sit corrected. Ganesan, you had the right solution, and Stephen, you were correct as well.

My apologies for doubting the solution. I was so focused on the .ssh2 directory permissions and the files themselves that I overlooked item 1 on your list.

1. Home directory should have 755 permission (users home directory)
2. $HOME/.ssh directory should have 700 permission
3. $HOME/.ssh/authorized_keys file should have 600 permission

The KEY item in your solution was the users home directory. I changed it to 755 (with NO other changes) and ssh worked from my jump server to server_c. I changed the perms back to 775, it failed.

I'm a little puzzled as to why that item is the key to the entire solution, especially when you can see in the debug that it adds the files to the list of candidates, but then fails due to permissions on the users home directory. But what the heck, a solution is a solution.

Re: Differences between SSH versions on HP-UX 11iv2

Jamie A Dennis — Thu, 26 Mar 2009 17:41:59 GMT

Thanks to all who answered this thread. Cheers!