topic Re: sftp issue in Operating System - HP-UX

sftp issue

Eric Locsin — Tue, 13 Jan 2009 13:23:26 GMT

My test environment:
HP-UX 11i server using HP-UX Secure Shell
Windows 2003 server using SSH Tectia Server

I created the public/private keys with a passphrase in the HP-UX server and then converted the public key using the -i option in ssh-keygen. Afterwards I had the Windows Admin move the public key to his Windows server. When I try to start an sftp session, I receive the "PEM_read_PrivateKey failed" error message. I will then need to supply both the passhrase and the password to successfuly connect. What do I need to change to be able to sftp or scp without having to supply the passphrase or password? For now I'm trying to avoid having to install SSH Tectia on the HP-UX servers.

Here's the output of the session:

$ sftp -v sftp_user@sftpserver.com

Connecting to sftpserver.com...
OpenSSH_4.3p2-hpn, OpenSSL 0.9.7i 14 Oct 2005
HP-UX Secure Shell-A.04.30.006, HP-UX Secure Shell version
debug1: Reading configuration data /opt/ssh/etc/ssh_config
debug1: Connecting to sftpserver.com [999.999.999.999] port 22.
debug1: Connection established.
debug1: identity file /home/sshtest/.ssh/id_rsa type -1
debug1: identity file /home/sshtest/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version 6.0.1.16 SSH Tectia Server
debug1: no match: 6.0.1.16 SSH Tectia Server
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3p2-hpn
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Host 'sftpserver.com' is known and matches the RSA host key.
debug1: Found key in /home/sshtest/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password,publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/sshtest/.ssh/id_rsa
debug1: Trying private key: /home/sshtest/.ssh/id_dsa
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type
Enter passphrase for key '/home/sshtest/.ssh/id_dsa':
debug1: read PEM private key done: type DSA
debug1: Authentications that can continue: password,publickey
debug1: Next authentication method: password
sftp_user@sftpserver.com's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending subsystem: sftp

Re: sftp issue

Matti_Kurkela — Tue, 13 Jan 2009 14:35:01 GMT

The fact that your client is prompting for a passphrase indicates that your client is making an attempt to use DSA key authentication. For some reason, the server is rejecting it.

If you used the ssh-keygen command of the HP-UX Secure Shell, the correct conversion option would be -e for Export, as the key is transformed _out of_ HP-UX Secure Shell's native OpenSSH (single-line) format.

The -i (import) option on HP-UX Secure Shell ssh-keygen is for converting Tectia-style keys to HPssh's native OpenSSH format.

SSH Tectia Server uses a multi-line format for its public keys. Because of this, line termination characters may become an issue. You might have to run the "ux2dos" command on the exported public key before transferring it to the Windows system.

You should ask the Windows sysadmin to take a peek into his/her system logs (Event Viewer). The log should indicate why your key was rejected.

MK

Re: sftp issue

Eric Locsin — Tue, 13 Jan 2009 14:46:13 GMT

Sorry. I checked my notes. I did use the -e option to convert the public key. I'll ask the Windows Admin if he sees anything in his logs.

Do I need to do anything with the private key on the HP-UX server?

Re: sftp issue

Eric Locsin — Tue, 13 Jan 2009 14:55:07 GMT

I ran the "ux2dos" command on the exported public key and compared it the first one I sent to the Windows Admin. It looks like there is some formating differences at the end of the lines. I'll try using the new public key and see what happens.

Re: sftp issue

Eric Locsin — Tue, 13 Jan 2009 15:35:28 GMT

No luck. I get to ..

debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: gssapi-with-mic,password,publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/sshtest/.ssh/id_rsa
debug1: Trying private key: /home/sshtest/.ssh/id_dsa
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type

.. and then it asks for the passphrase. Is there something that needs to be done to the private key before Tectia can accept it?