topic Re: SSH Tectia Server 4.2 in Operating System - HP-UX

SSH Tectia Server 4.2

lagoda — Fri, 23 Mar 2007 09:56:05 GMT

Hi,
I have HP-UX zuz B.11.11 U 9000/800 and sshd
SSH Tectia Server 4.2
I have problem with login on this machine without password. I use puttygen 0.59 and putty 0.59. Generated public key, put ftp to the server ~/.ssh/ with name authorization.
chmod for .ssh is 755 and for the authorization file I try 755, 600, 400, and even 777 on the putty I have "Server refused our key"

This is sshd_conf:
## SSH CONFIGURATION FILE FORMAT VERSION 1.1
## REGEX-SYNTAX egrep
## end of metaconfig
## (leave above lines intact!)
##
## sshd2_config
##
## SSH Tectia Server 4.2 Configuration File
##

## General

# HostKeyFile hostkey
# PublicHostKeyFile hostkey.pub
# RandomSeedFile random_seed
# BannerMessageFile /etc/ssh2/ssh_banner_message
BannerMessageFile /etc/issue
#
# VerboseMode no
QuietMode yes
# SyslogFacility AUTH
# SyslogFacility LOCAL7
# SftpSyslogFacility LOCAL7

## Network

# Port is not commented out, as it is needed by the example startup
# scripts. Well, the default will not likely change.
Port 22
# ListenAddress any
# ResolveClientHostName yes
# RequireReverseMapping no
# MaxBroadcastsPerSecond 0
# MaxBroadcastsPerSecond 1
# NoDelay no
# KeepAlive yes
# MaxConnections 50
# MaxConnections 0
# 0 == number of connections not limited

## Crypto

# Ciphers AnyCipher
# Ciphers AnyStdCipher
# Ciphers 3des
# Following includes "none" 'cipher':
# Ciphers AnyStd
#
# MACs AnyMAC
# MACs AnyStdMAC
# Following includes "none" 'mac':
# MACs AnyStd
#
# RekeyIntervalSeconds 3600

## User

# PrintMotd yes
CheckMail no
# StrictModes yes
# Specifies 1 hour (you can also use 'w' for week, 'd' for day, 'm' for
# minute, 's' for seconds)
# IdleTimeOut 1h
# without specifier, the default number is in seconds
# IdleTimeOut 3600
#
# UserConfigDirectory "%D/.ssh2"
# UserConfigDirectory "/etc/ssh2/auth/%U"
# AuthorizationFile authorization
# This variable is set here, because by default it is empty, and so no
# variables can be set. Because of that, we set a few common ones here.
SettableEnvironmentVars LANG,LC_(ALL|COLLATE|CTYPE|MONETARY|NUMERIC|TIME),PATH,TERM,TZ

## Tunneling

# AllowX11Forwarding yes
# AllowTcpForwarding yes
# AllowTcpForwardingForUsers sjl, ra-user@remote\.example
# DenyTcpForwardingForUsers 2[[:digit:]]*4,peelo
# AllowTcpForwardingForGroups privileged_tcp_forwarders
# DenyTcpForwardingForGroups coming_from_outside
#
# Local port forwardings to host 10.1.0.25 ports 143 and 25 are
# allowed for all users in group users.
# Note that forwardings using the name of this host will be allowed (if
# it can be resolved from the DNS).
#
# ForwardACL allow local .*%users \i10\.1\.0\.25%(143|25)
#
# Local port forwardings requested exactly to host proxy.company.com
# port 8080 are allowed for users that have 's' as first character
# and belong to the group with group ID (GID) 10:
#
# ForwardACL allow local s.*%10 proxy\.company\.com%8080
#
# Remote port forwarding is denied for all users to all hosts:
# ForwardACL deny remote .* .*

## Authentication
## publickey and password allowed by default

# AllowedAuthentications publickey,password
# AllowedAuthentications hostbased,publickey,password
AllowedAuthentications hostbased,publickey,keyboard-interactive,password
# RequiredAuthentications publickey,password
# LoginGraceTime 600
# AuthInteractiveFailureTimeout 2
#
# HostbasedAuthForceClientHostnameDNSMatch no
# UserKnownHosts yes
#
# AuthPublicKey.MaxSize 0
# AuthPublicKey.MinSize 0
# AllowAgentForwarding yes
#
# Cert.RSA.Compat.HashScheme md5

# AuthKbdInt.NumOptional 0
# AuthKbdInt.Optional pam,password
AuthKbdInt.Required pam
# AuthKbdInt.Required password
# AuthKbdInt.Retries 3
#
# PermitEmptyPasswords yes
# PasswordGuesses 3

# CertdListenerPath /var/run/ssh-certd-listener

# Ignoring certain restrictions during user login: password expiration
# on AIX, HP-UX in trusted mode, Windows, and rlogin prohibition
# (for root account) on AIX.

# IgnoreLoginRestrictions.PasswordExpiration no
# IgnoreLoginRestrictions.Rlogin.AIX no

# To enable authentication time password changing (instead of the old
# forced command style), uncomment the following line (note that you need
# the binary packages or you have had to configure the source
# --with-passwd-plugin (only available on limited set of architectures)):

# AuthPassword.ChangePlugin ssh-passwd-plugin

# (this will also be used by the "password" submethod in
# keyboard-interactive).

# To enable SecurID plugins (if available for your architecture),
# uncomment either of the following lines

# AuthKbdInt.Plugin ssh-securidv5-plugin
# AuthKbdInt.Plugin ssh-securidv4-plugin

# depending on your RSA ACE version. Also, you need to set the
# VAR_ACE environment variable to point to your ACE data directory
# before restarting sshd2.

# You also need to enable the "plugin" submethod for
# keyboard-interactive (use either "AuthKbdInt.Required" or
# "AuthKbdInt.Optional" configuration keywords for this purpose).

## Host restrictions

# AllowHosts localhost, example\.com, friendly\.example
#
## Next one matches with, for example, taulu.foobar.com, tuoli.com, but
## not tuoli1.com. Note that you have to input string "\." when you want it
## to match only a literal dot. You also have to escape "," when you
## want to use it in the pattern, because otherwise it is considered a list
## separator.
##
## AllowHosts t..l.\..*
##
## The following matches any numerical IP address (yes, it is cumbersome)
##
## AllowHosts ([[:digit:]]{1\,3}\.){3}[[:digit:]]{1\,3}
##
## Same thing is achieved with the special prefix "\i" in a pattern.
## This means that the pattern is only used to match IP addresses.
##
## Using the above example:
##
## AllowHosts \i.*
##
## You can probably see the difference between the two.
##
## Also, you can use subnet masks, by using prefix "\m"
##
## AllowHosts \m127.0/8
## and
## AllowHosts \m127.0.0.0/24
##
## would match localhost ("127.0.0.1").
##
# DenyHosts evil\.example, aol\.example
# AllowSHosts trusted\.host\.example
# DenySHosts not\.quite\.trusted\.example
# IgnoreRhosts no
# IgnoreRootRHosts no
# (the above, if not set, is defaulted to the value of IgnoreRHosts)

## User restrictions

# AllowUsers sj.*,s[[:digit:]]*,s(jl|amza)
# DenyUsers skuuppa,warezdude,31373
# DenyUsers don@example\.org
# AllowGroups staff,users
# DenyGroups guest,anonymous
# PermitRootLogin yes
# PermitRootLogin nopwd

## Chrooted environment

# ChRootUsers anonymous,ftp,guest
# ChRootGroups sftp,guest

## SSH1 compatibility

# Ssh1Compatibility no
# Sshd1Path
#
# This is given as argument to sshd1 with "-f" if sshd2 is invoked
# with "-f", otherwise the default configuration for sshd1 is used.
# Sshd1ConfigFile /etc/sshd_config_alternate

## Subsystem definitions

# Subsystems do not have defaults, so this is needed here (uncommented).
subsystem-sftp sftp-server
# Also internal SFTP subsystem can be used.
# subsystem-sftp internal://sftp-server

## Subconfiguration
# There are no default subconfiguration files. When specified the last
# obtained keyword value will prevail. Note that the host-specific files
# are read before the user-specific files.

# Following matches (from) any host:
#
# HostSpecificConfig .* /etc/ssh2/subconfig/host_ext.example
#
# Following matches to subnet mask:
#
# HostSpecificConfig \m192.168.0.0/16 /etc/ssh2/subconfig/host_int.example
#
# Following matches to users from ssh.com that have two character
# username or username is sjl and belong to group wheel or wheel[0-9]:
#
# UserSpecificConfig (..|sjl)%wheel[[:digit:]]?@ssh\.com /etc/ssh2/subconfig/user.example
#
# Following matches to the user anonymous from any host:
#
# UserSpecificConfig anonymous@.* /etc/ssh2/subconfig/anonymous.example

Re: SSH Tectia Server 4.2

Steven E. Protter — Fri, 23 Mar 2007 10:01:27 GMT

Shalom,

user ownership also matters. the home directory and .ssh directory must be owned by the user that is 'authorizing'

good permissions

drwxr-x--- 19 root root 4096 Mar 22 22:10 /root
[root@modiin ~]# ll -d .ssh
drwx------ 2 root root 4096 Oct 31 19:39 .ssh
[root@modiin ~]# ll .ssh
total 16
-rw-r--r-- 1 root root 603 Nov 1 19:44 authorized_keys
-rw------- 1 root root 668 Oct 31 19:37 id_dsa
-rw-r--r-- 1 root root 601 Oct 31 19:37 id_dsa.pub
-rw-r--r-- 1 root root 1354 Mar 18 06:29 known_hosts

Getting in the above scenario other users password free access can be more difficult.

You may find this works better with openssh versus an add in product, such as you use at this time. You may be encountering a product specific bug and none of this advice will help.

SEP

Re: SSH Tectia Server 4.2

lagoda — Fri, 23 Mar 2007 10:07:41 GMT

But I have good permissions for directory and file

Re: SSH Tectia Server 4.2

Rasheed Tamton — Tue, 27 Mar 2007 03:44:25 GMT

Hi,

Just uncomment the below in sshd_config file and re-start the sshd daemon.

# AuthorizationFile authorization

Rgds,
Rasheed Tamton.

Re: SSH Tectia Server 4.2

lagoda — Thu, 29 Mar 2007 07:31:39 GMT

I think that all lines must be start with # in sshd_config

Re: SSH Tectia Server 4.2

Rasheed Tamton — Sat, 31 Mar 2007 04:07:03 GMT

Hi,

It is the ssh server config file and you have to fine tune as per your needs using this file.

Are you trying to login as root or normal user.

Rgds,
Rasheed Tamton.

Re: SSH Tectia Server 4.2

lagoda — Sat, 31 Mar 2007 04:42:21 GMT

I can login only normal user and can not edit this file, this server is for more users. But I know that other can use login with public key.

Re: SSH Tectia Server 4.2

Rasheed Tamton — Sat, 31 Mar 2007 04:51:18 GMT

I suppose you are trying to access from windows to hp-ux.

Can you do the below step-by-step again:

1. ssh-keygen -t rsa on source
2. copy/ftp to or vi and add the id_rsa.pub contents on the authorized_keys file on the destinatin (hp-ux) system
3. check the the last word of the authorized_keys file - it should be like lagoda@source-system
4. check the permission of the authroized_keys, it should be 644
5. perm of .ssh dir should be 700
6. ssh -v hpux-box (from destination)

Pls let us know the result

Re: SSH Tectia Server 4.2

Rasheed Tamton — Sat, 31 Mar 2007 04:58:39 GMT

Sorry
6. ssh -v hpux-box (from destination)

I meant

6. ssh -v hpux-box (from Source)

Re: SSH Tectia Server 4.2

lagoda — Mon, 02 Apr 2007 06:20:25 GMT

But puttygen in the last word in public key do not write lagoda@source-system

Re: SSH Tectia Server 4.2

Matti_Kurkela — Mon, 02 Apr 2007 10:17:53 GMT

The commersial SSH Tectia Server works a little differently from OpenSSH.

With OpenSSH, you must put the public key to ~/.ssh/authorized_keys file, and there can be several keys in that file. Each key is a single long line. *All of this is different in Tectia SSH*.

With Tectia SSH server, each public key must be in its own file in ~/.ssh2 directory. There must be a file named ~/.ssh2/authorization, which defines the names of the accepted public key files. The key definition lines in this file must have the word "key" and the name of the public key file.

For example:
$ ls .ssh2
authorization id_1024_rsa_mkurkela.pub

$ cat .ssh2/authorization
Key id_1024_rsa_mkurkela.pub

The Tectia SSH requires the keys in "commercial SSH" format, in which the key looks similar to an ASCII-armored PGP public key:

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "some free-form text"
AAAAB3NzaC1yc2EAAAABIwAAAIEA1/X/mMuxq9loy+MKPyZNrvJQ04YfQuNKIbJP
[...more ASCII soup...]
---- END SSH2 PUBLIC KEY ----

The OpenSSH "ssh-keygen" tool can convert the keys from the commercial format to the OpenSSH format and vice versa, but at least until recently, the Tectia SSH's "ssh2-keygen" tool could only convert an OpenSSH key to the commercial format.
(Looks like a vendor lock-in attempt to me...)

MK

Re: SSH Tectia Server 4.2

lagoda — Tue, 03 Apr 2007 03:04:27 GMT

Hi,
I used windows ssh-tectia-client-5.1.3-8-windows-eval to generate pairs keys
1. C:\Program Files\SSH Communications Security\SSH Tectia\SSH Tectia Client>ssh-ke
ygen-g3 -t rsa -b 2048\
2. chmod 700 .ssh2
3. put via ftp id_rsa_2048_b.pub to .ssh2 on HP-UX
4. cat id_rsa_2048_b.pub > authorization
5. chmod 644 authorization
6. cat authorization

---- BEGIN SSH2 PUBLIC KEY ----
Subject: janusz.welna
Comment: "2048-bit rsa, janusz.welna@lasica, Tue Apr 03 2007 07:4\
0:56"
AAAAB3NzaC1yc2EAAAADAQABAAABAQDFhYYGghfBN87d8VE3JYUYgoNBFMlpnXiRwZ5Fjx
6u4Y/+uHIkWYjhbM0XtmUe7rJlAhk4Q+R8PN80ngd3thPrPtlhhhpH3Ks3XIWoOn9fJjIf
ulbPRCfXnovNKqmujSigK8F5rD22s7bUW55g03w0i6TfDlrMAtTm/103Z3vEEogzX/JN+H
yI1uYgcCl19TDzqNhLDYrf85YokIZdKQMsVrCIX0kgG2YlObDLsG4jtDk5aMK9SeXgW7hy
V2u3PHKYeCZ7Lx/n/DDPj7p/0FPU+BnSf4uNgHB6vh0v3V07MCaGwB01s/JUf/g+CnMal8
CHS0+7ycNqdq+99J8741o7
---- END SSH2 PUBLIC KEY ----

7. In putty private key file for authentication is id_rsa_2048_b.ppk and look like:
---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
Subject: janusz.welna
Comment: "2048-bit rsa, janusz.welna@lasica, Tue Apr 03 2007 07:4\
0:56"
P2/56wAAA/EAAAA1aWYtbW9kbntzaWdue3JzYS1wa2NzMS1zaGExfSxlbmNyeXB0e3JzYS
1wa2NzMS1ub25lfX0AAAAIM2Rlcy1jYmMAAAOgMXTCxDANaELMwyhKyfP0gOhZPCk5SFVr
P2XheGzqiFcm3QNCI3ucJiPEPlwJH/fz+vEniER4CKezczNdEmCzIZXJXkHgot/kGX9tGB
N6uW4KD6pRZS1Sle0/szetG7iXV9z1z3I4b2LKLr240h3LdXvY89TTj9XwXPTidPFQmgPU
TaOeKA5X5bKBXOa4LUS7wD+3MZwaKfu/Mhrt7yR2W4wRQtovU0PVFH8ooZe2Lfwpb+py/x
3iZKLkXEO3gp+2APGJKI2jZ/NoB0XaP120nZlynIhPAm/BKs3Kenb1OsllKNBeYIDFIBFi
D2UcNFxtxo2YWHwDXwP2TWa+tWSzmAGfUB5ZyJ2FnWm0MuA4VJ2WOMNPcvu/650a5i94L+
r0uLY5u1AYvxMuPiAZIVqkPQP98w6JlE4WB6VqTJ5yysK2g/b5QTbEEXzWzSrcv9ojZVh5
EVH+Y5BqXKI6abpALUlQ/nxmf/VmZanj3RV2hdkbjXecDc7bztxdvoB1NU7hb4xAQw+Qqu
Dzwy63FnkhZ3v2tfZ3zBxfOWibSsj5lmNP+6RIV6pHAxBWw5+vTJ9FkCbsZOHz2ba1K5fR
Tt0duyXJNqjQ3TULvZI7fq1tJnaKlwkdgG628J/TxgfaeubA4bieXAEXaT56K6u2ao+hz6
s0dfMDqJXRInMe7OSKkBznrPX8efejIKTbvzt+cmAdJ4Hcv1M7Zty2YiCEQuxBN5BrdJtK
tpJYVlLiNGufvb5gKwCwxMLf49dnFa6daV9CmM7hI1EM9pCfpkAkEyyjoUh4ddWkZsqVM+
dspBsfp8d7iS2ZiuiNbRKbUmkthLeCnXTSHwGsZ8IENKR8pNp2ZmqhEUaBPUwuo4ep1ayF
ZMrs1T/Pmf6Z1znwLAx6I1rW8p0aVTseo9vtPXf/ngdrJ3QgSO8wI3QXMuAfEjjTQPkRAs
nryWEsXxo5VqWF3gZksNFyGdKq3K7BhmCbzVcmi+oVh+ySruEuydHKLDgALxeOGgs2/BTj
FUA/b7MEqfBkrdEAoOjwHmXSWQ6ZgjgfAGmwooEnwjUDkwJwrW6vjXk+YdqGnz4egDCuPW
7znHwUSdbEh3i7MRr7X9OpONm+6XER7YovI/SLeIokInoxCXYGYaetiJPcXYT4OjM+axR1
1uo7D8cVCX55gAkhySAU+3KRGDvYQuANF6wzIdJGFxjGOB0OudwhSDfgu5gTPK/fo1mgFs
EyGeR2FLfdyeZ8qg==
---- END SSH2 ENCRYPTED PRIVATE KEY ----

When I try connecting:
Unable to use key file "C:\Documents and Settings\janusz.welna\Pulpit\id_rsa_2048_b.ppk" (ssh.com SSH-2 private key)
Using username "jwelna".

You are about to access a private system. This system is for use of
authorized users only. All connections are logged. Any unauthorized
access or access attempts are punishable to the fullest extend of
local legislation.

SSH server: PAM authentication
Using keyboard-interactive authentication.
Password:

Re: SSH Tectia Server 4.2

Matti_Kurkela — Tue, 03 Apr 2007 03:07:24 GMT

Your step 4 is wrong:

4. cat id_rsa_2048_b.pub > authorization

should be

4. echo "Key id_rsa_2048_b.pub" > authorization

MK

Re: SSH Tectia Server 4.2

lagoda — Tue, 03 Apr 2007 03:29:00 GMT

I make it, but putty info is the same

Re: SSH Tectia Server 4.2

Rasheed Tamton — Tue, 03 Apr 2007 06:36:54 GMT

At last we know about the correct setup.
OK - you said your colleagues have no problem to do a password less ssh from win to unix.

In that case, can you check with them whether they are using .PPK extension with the private key.

Another issue to check - are they using a different bit size. Or else, just play with different bit sizes (less than 2048 - 1024, 512, etc.).

Re: SSH Tectia Server 4.2

Matti_Kurkela — Tue, 03 Apr 2007 16:54:07 GMT

The message:

Unable to use key file "C:\Documents and Settings\janusz.welna\Pulpit\id_rsa_2048_b.ppk"
(ssh.com SSH-2 private key)

would seem to suggest that the problem is local to the PuTTY client: it cannot use the Tectia (aka ssh.com) private keys until they're converted to PuTTY's native format.

I investigated PuTTY a bit further. Turns out it uses _yet another_ format for storing the SSH keys.

PuTTY .ppk file format should look like this:

PuTTY-User-Key-File-2: ssh-rsa
Encryption: aes256-cbc
Comment: some text
Public-Lines: 4
AAAAB3NzaC1yc2EAAAABJQAAAIBkb3gwkSrt+Pel0SmSDZs5hbO/Kxtv9ux7m1
[...]
Private-Lines: 8
+gy+jnkPmhIaFNxEalpw4wFxoUDatNc3yOlcgI5SSKAdM/wzgPoGBBqJSw/1OD
[...]
Private-MAC: bfc776fccc8669b418a104bc6d06c80135d2c7

In effect, the PuTTY .ppk file seems to contain _both_ the public _and_ the private key in a single package.

It seems you can use PuTTY's "puttygen" key generation program to convert keys from one format to another. The format Tectia SSH uses is the same as the "ssh.com" format that PuTTY documentation refers to.

From the PuTTY documentation on the author's website:
http://the.earth.li/~sgtatham/putty/0.59/htmldoc/Chapter8.html#puttygen-conversions

---------------------
8.2.12 Dealing with private keys in other formats

[...clip...]

Using the 'Import' command from the 'Conversions' menu, PuTTYgen can load SSH-2 private keys in OpenSSH's format and ssh.com's format. Once you have loaded one of these key types, you can then save it back out as a PuTTY-format key (*.PPK) so that you can use it with the PuTTY suite. The passphrase will be unchanged by this process (unless you deliberately change it). You may want to change the key comment before you save the key, since OpenSSH's SSH-2 key format contains no space for a comment and ssh.com's default comment format is long and verbose.

PuTTYgen can also export private keys in OpenSSH format and in ssh.com format. To do so, select one of the 'Export' options from the 'Conversions' menu. Exporting a key works exactly like saving it (see section 8.2.8) - you need to have typed your passphrase in beforehand, and you will be warned if you are about to save a key without a passphrase.
---------------------

The puttygen program can also export public keys in both OpenSSH and ssh.com (=Tectia) formats.

It seems you now have a private key generated with Tectia SSH's "ssh-keygen" command in the id_rsa_2048_b.ppk file. Start puttygen, use the "import" function to read the file, and save it out using PuTTY's native format.

Generally, it seems to be best to let the client generate the key using the client's native tools. The public key format is more standardized and usually easier to convert to any desired form. Converting the private key might be more difficult in some cases.

MK