topic Re: passwordless ssh transfer in Operating System - HP-UX

passwordless ssh transfer

Anju.. — Tue, 28 Feb 2006 01:14:14 GMT

I am not able to make a passwordless ssh connection from an AIX machine to a HP-UX machine.If it is from an AIX to a LINUX or Solaris machine things are working fine.I am attaching the debug logs with this.Password prompt is coming up when we use a HP-UX machine..

OpenSSH_4.2p1, OpenSSL 0.9.7c 30 Sep 2003
debug1: Reading configuration data /usr/etc/ssh_config
debug3: Seeding PRNG from /usr/libexec/ssh-rand-helper
debug2: ssh_connect: needpriv 0
debug1: Connecting to 47.129.249.53 [47.129.249.53] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug3: Not a RSA1 key file /home/root/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/root/.ssh/id_rsa type 1
debug1: identity file /home/root/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version SOE-openssh-3.7.1p2-pwexp26
debug1: no match: SOE-openssh-3.7.1p2-pwexp26
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.2
debug2: fd 4 setting O_NONBLOCK
debug3: RNG is ready, skipping seeding
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 115/256
debug2: bits set: 523/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/root/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 11
debug1: Host '47.129.249.53' is known and matches the RSA host key.
debug1: Found key in /home/root/.ssh/known_hosts:11
debug2: bits set: 504/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: xxx_rsa (2007a118)
debug2: key: /home/root/.ssh/id_rsa (200777e8)
debug2: key: /home/root/.ssh/id_dsa (0)
debug3: input_userauth_banner

HP_UX

debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: xxx_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /home/root/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/root/.ssh/id_dsa
debug3: no such identity: /home/root/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
xxx@host's password:

Please help me to find the solution as soon as possible..This is an emergency..

Thanks in advance,
Anju

Re: passwordless ssh transfer

Arunvijai_4 — Tue, 28 Feb 2006 02:10:42 GMT

Hi Anju,

Attached doc contains how to set this up..

-Arun

Re: passwordless ssh transfer

Anju.. — Tue, 28 Feb 2006 03:25:43 GMT

Hi Arun,

Thanks!! for the quick reply but I am not able to open that attachment.

Thanks,
Anju.

Re: passwordless ssh transfer

Arunvijai_4 — Tue, 28 Feb 2006 03:29:16 GMT

Hi Anju,

It is a word document and you may open with MS Word or wordpad,

-Arun

P.S Remember to assign points.

Re: passwordless ssh transfer

Anju.. — Tue, 28 Feb 2006 03:35:44 GMT

Arun,

I am not able to download the attachment.

Anju.

Re: passwordless ssh transfer

Arunvijai_4 — Tue, 28 Feb 2006 03:38:25 GMT

Hi Anju,

Here is the content from that doc,

===============================================
Public Key Authentication between two Solaris Servers:
[a]. Generate a pair of SSH keys on the client. Take the default key name ~/.ssh/id_rsa
root@fsctsp2# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (//.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in //.ssh/id_rsa.
Your public key has been saved in //.ssh/id_rsa.pub.
The key fingerprint is:
05:26:98:a9:1f:c3:03:d1:b1:4e:35:e8:9b:f7:e3:89 root@fsctsp2

Note: Here passphrase is set as null. It is also possible to generate SSH keys using passphrase. When ssh-keygen asks for a passphrase, it is better to enter return twice (i.e.: don't set any passphrase). It's safer to protect a key with a passphrase, however, given the way it will not buy extra security, as the passphrase will have to circulate between your client and the server, and will be stored in clear text. The above said is optional, if the user feel safer; feel free to enter a passphrase.

[b]. Copy the public key from the client to the server:

root@fsctsp2# scp /.ssh/id_rsa.pub fsctsp1:/
root@fsctsp1's password:
id_rsa.pub 100% 222 0.2KB/s 00:00

On the server, append the newly obtained key to the ~/.ssh/authorized_keys file,which stores SSH public keys in the OpenSSH implementation:

root@fsctsp1# cat /id_rsa.pub >> /.ssh/authorized_keys
[a]. Modify the permissions of the authorized_keys file. If this file is write-able by anybody other than the user, then server will deactivate PK authentication.

root@fsctsp2# chmod 600 ~/.ssh/authorized_keys
[b].At the client, decrypt and register your key with the ssh-agent:
This is required only if passphrase is used.
1. At the client, try and login to the server:
root@fsctsp2# ssh fsctsp1
Last login: Thu Sep 22 12:52:21 2005 from fsctsp2
Sun Microsystems Inc. SunOS 5.8 Generic Patch October 2001
Sun Microsystems Inc. SunOS 5.8 Generic Patch October 2001
You have mail.
root@fsctsp1#
Password-less login
Note: This point is valid only when you are generating SSH keys with passphrase.

At this point, you'll probably want to set up passwordless login, which is done with the following commands:
Invoke ssh-agent and its outputted shell commands:

root@fsctsp2# eval `ssh-agent`
Agent pid 9626client

Decrypt and add your newly generated private key to ssh-agent's database:

root@fsctsp2# ssh-add id_rsa
Identity added: id_rsa (id_rsa)
Now you should be able to do a password-less login to the server:
root@fsctsp2# ssh fsctsp1
Last login: Thu Sep 22 12:52:21 2005 from fsctsp2
Sun Microsystems Inc. SunOS 5.8 Generic Patch October 2001
Sun Microsystems Inc. SunOS 5.8 Generic Patch October 2001
You have mail.
root@fsctsp1#
As you will soon notice, this only gives you password-less login through this terminal. To achieve true one-time per system authentication, it is recommend to use the Keychain utility. This involves downloading the keychain program and adding two lines to your ~/.bashrc or ~/.bash_profile (or ~/.cshrc) files. The utility then keeps you from entering your passphrase more than once.

Re: passwordless ssh transfer

Yogeeraj_1 — Tue, 28 Feb 2006 03:40:26 GMT

hi anju,

(Arun please allow me to post it here)
below the content of the attachment:
============================================
Public Key Authentication between two Solaris Servers:
[a]. Generate a pair of SSH keys on the client. Take the default key name ~/.ssh/id_rsa
root@fsctsp2# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (//.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in //.ssh/id_rsa.
Your public key has been saved in //.ssh/id_rsa.pub.
The key fingerprint is:
05:26:98:a9:1f:c3:03:d1:b1:4e:35:e8:9b:f7:e3:89 root@fsctsp2

Note: Here passphrase is set as null. It is also possible to generate SSH keys using passphrase. When ssh-keygen asks for a passphrase, it is better to enter return twice (i.e.: don't set any passphrase). It's safer to protect a key with a passphrase, however, given the way it will not buy extra security, as the passphrase will have to circulate between your client and the server, and will be stored in clear text. The above said is optional, if the user feel safer; feel free to enter a passphrase.

[b]. Copy the public key from the client to the server:

root@fsctsp2# scp /.ssh/id_rsa.pub fsctsp1:/
root@fsctsp1's password:
id_rsa.pub 100% 222 0.2KB/s 00:00

On the server, append the newly obtained key to the ~/.ssh/authorized_keys file,which stores SSH public keys in the OpenSSH implementation:

root@fsctsp1# cat /id_rsa.pub >> /.ssh/authorized_keys
[a]. Modify the permissions of the authorized_keys file. If this file is write-able by anybody other than the user, then server will deactivate PK authentication.

root@fsctsp2# chmod 600 ~/.ssh/authorized_keys
[b].At the client, decrypt and register your key with the ssh-agent:
This is required only if passphrase is used.
1. At the client, try and login to the server:
root@fsctsp2# ssh fsctsp1
Last login: Thu Sep 22 12:52:21 2005 from fsctsp2
Sun Microsystems Inc. SunOS 5.8 Generic Patch October 2001
Sun Microsystems Inc. SunOS 5.8 Generic Patch October 2001
You have mail.
root@fsctsp1#
Password-less login
Note: This point is valid only when you are generating SSH keys with passphrase.

At this point, you'll probably want to set up passwordless login, which is done with the following commands:
Invoke ssh-agent and its outputted shell commands:

root@fsctsp2# eval `ssh-agent`
Agent pid 9626client

Decrypt and add your newly generated private key to ssh-agent's database:

root@fsctsp2# ssh-add id_rsa
Identity added: id_rsa (id_rsa)
Now you should be able to do a password-less login to the server:
root@fsctsp2# ssh fsctsp1
Last login: Thu Sep 22 12:52:21 2005 from fsctsp2
Sun Microsystems Inc. SunOS 5.8 Generic Patch October 2001
Sun Microsystems Inc. SunOS 5.8 Generic Patch October 2001
You have mail.
root@fsctsp1#
As you will soon notice, this only gives you password-less login through this terminal. To achieve true one-time per system authentication, it is recommend to use the Keychain utility. This involves downloading the keychain program and adding two lines to your ~/.bashrc or ~/.bash_profile (or ~/.cshrc) files. The utility then keeps you from entering your passphrase more than once.

=============================================

kind regards
yogeeraj

Re: passwordless ssh transfer

Anju.. — Tue, 28 Feb 2006 03:54:22 GMT

Hi,

The same steps as said in the doc were done before and as I said,the Secure key based transfer is working fine between an AIX and Linux/Solaris machine,but if it is among AIX and HP-UX, a password prompt is coming up.

Thanks,
Anju

Re: passwordless ssh transfer

Michael Selvesteen_2 — Tue, 28 Feb 2006 04:56:10 GMT

Hi,

From your log messages

>debug1: Trying private key: /home/root/.ssh/id_dsa
>debug3: no such identity: /home/root/.ssh/id_dsa

Please check /home/root/.ssh/id_dsa has correct permissions. Also check whether the HP-UX ssh server (sshd) supports public key authentication.

Re: passwordless ssh transfer

Senthil Prabu.S_1 — Tue, 28 Feb 2006 05:08:30 GMT

Hi,
I think the problem is with the sshd configuration at server [hpux mac], check for the following lines in sshd.conf file;

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile ~/.ssh/authorized_keys

These lines should be uncommented.

HTH,
Prabu.S

Re: passwordless ssh transfer

Anju.. — Tue, 28 Feb 2006 05:37:28 GMT

Hi,

When I gave the command ssh -l username -o PreferredAuthentications=publickey hostname, the response was
Enter passphrase for key '/home/root/.ssh/identity':
Permission denied (publickey,password)

What is the significance of 'identity' here?
I am attaching the sshd_config file of HP_UX with this mail.

Thanks,
Anju.

Re: passwordless ssh transfer

Senthil Prabu.S_1 — Tue, 28 Feb 2006 05:44:39 GMT

hi,
passphare is second level of security. but you can safely ignore it. that means, when you create ssh keys, press enter ro set empty phrase.

Also, edit your sshd.conf as per my previous post. And restart sshd. Then run sshd and ssh with "-v" option with debugging enabled [ optional]. And post the output, if you still face problem.

hth,
Prabu.S

Re: passwordless ssh transfer

Anju.. — Wed, 01 Mar 2006 00:06:20 GMT

Hi,
I dont have the access to modify the sshd_conf file.When I checked my .ssh directory,prng_seed file was not there. Can that be a reason for this problem? I had already posted the debug logs in this thread.
sshd_conf file details are:
PubkeyAuthentication yes
AuthorizedKeysFile ~/.ssh/authorized_keys
#RSAAuthentication

Thanks,
Anju.

Re: passwordless ssh transfer

Anju.. — Thu, 02 Mar 2006 00:31:34 GMT

Hi,
The HP_UX machine that I am using is
HP-UX B.10.20 A 9000/785 2007890175 two-user license and the SSH is SOE-openssh-3.7.1p2-pwexp26.. I read somewhere that SSH has some problem in HP_UX 10.20. Can this be the reason for this issue???
Expecting a response..

Thanks,
Anju