topic Re: SSH trusted relationship in Operating System - HP-UX

SSH trusted relationship

Jose Giudice — Wed, 17 Nov 2004 13:42:34 GMT

I have one server Sun Solaris 2.6 with SSH Server SSH-1.99-OpenSSH_3.1p1, and one server HPUX 11 with ssh client OpenSSH_3.8 , OpenSSL 0.9.7d 17 Mar 2004.
Im trying to establish a trusted relationship between them, but occurs always the same problem.

The used steps to reliable relation;

1) ssh-keygen -t dsa -N ""
1.1) Generated public and private keys in path /root/.ssh
2) scp id_dsa.pub root@host2:id_dsa.pub
2.1) cat /root/id_dsa.pub >> ~itochecker/.ssh/authorized_keys
3) ssh -i /root/id_dsa.pub itochecker@host2
4) chmod 600 id_dsa.pub
5) chmod 600 id_dsa

host1:/.ssh# ssh -vvvv -i id_dsa.pub itochecker@host2
OpenSSH_3.8 , OpenSSL 0.9.7d 17 Mar 2004
HP-UX_Secure_Shell-A.03.81.002, HP_UX Secure Shell version
debug1: Reading configuration data /opt/ssh/etc/ssh_config
debug3: Seeding PRNG from /opt/ssh/libexec/ssh-rand-helper
debug2: ssh_connect: needpriv 0
debug1: Connecting to host2 [host2] port 22.
debug1: Connection established.
debug3: Not a RSA1 key file id_dsa.pub.
debug1: identity file id_dsa.pub type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.1p1
debug1: match: OpenSSH_3.1p1 pat OpenSSH_2.*,OpenSSH_3.0*,OpenSSH_3.1*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8
debug3: RNG is ready, skipping seeding
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 122/256
debug2: bits set: 494/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /.ssh/known_hosts
debug2: key_type_from_name: unknown key type '1024'
debug3: key_read: missing keytype
debug3: check_host_in_hostfile: match line 126
debug1: Host 'host2' is known and matches the RSA host key.
debug1: Found key in /.ssh/known_hosts:126
debug2: bits set: 528/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: id_dsa.pub (4002ea18)
debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug3: start over, passed a different list publickey,password,keyboard-interactive,hostbased
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: id_dsa.pub
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 433
debug2: input_userauth_pk_ok: fp d7:55:36:ef:bf:91:a1:42:d1:8d:41:ed:61:e4:f4:06
debug3: sign_and_send_pubkey
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type
Enter passphrase for key 'id_dsa.pub':

_____________________________________________
From: Jose Giudice
Sent: Wednesday, November 17, 2004 4:22 PM
To: Rodrigo Ansai
Subject: Texto !

Rodrigo,

O caso é o seguinte, tenho que postar esta pergunta em um forum, por favor traduza para mim :

Srs,

Tenho um servidor Sun Solaris 2.6 com SSH Server SSH-1.99-OpenSSH_3.1p1, e um servidor HPUX 11 com ssh client OpenSSH_3.8 , OpenSSL 0.9.7d 17 Mar 2004. Estou tentando estabelecer uma relação de confiança entre eles, porém caio sempre no mesmo problema.
Passos seguidos para a relação de confiança :

1) ssh-keygen -t dsa -N ""
1.1) Gerado as chaves pública e privada no diretório /root/.ssh
2) scp id_dsa.pub root@host2:id_dsa.pub
2.1) cat /root/id_dsa.pub >> ~itochecker/.ssh/authorized_keys
3) ssh -i /root/id_dsa.pub itochecker@host2
4) chmod 600 id_dsa.pub
5) chmod 600 id_dsa

Problema:

host1:/.ssh# ssh -vvvv -i id_dsa.pub itochecker@host2
OpenSSH_3.8 , OpenSSL 0.9.7d 17 Mar 2004
HP-UX_Secure_Shell-A.03.81.002, HP_UX Secure Shell version
debug1: Reading configuration data /opt/ssh/etc/ssh_config
debug3: Seeding PRNG from /opt/ssh/libexec/ssh-rand-helper
debug2: ssh_connect: needpriv 0
debug1: Connecting to host2 [host2] port 22.
debug1: Connection established.
debug3: Not a RSA1 key file id_dsa.pub.
debug1: identity file id_dsa.pub type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.1p1
debug1: match: OpenSSH_3.1p1 pat OpenSSH_2.*,OpenSSH_3.0*,OpenSSH_3.1*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8
debug3: RNG is ready, skipping seeding
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 122/256
debug2: bits set: 494/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /.ssh/known_hosts
debug2: key_type_from_name: unknown key type '1024'
debug3: key_read: missing keytype
debug3: check_host_in_hostfile: match line 126
debug1: Host 'host2' is known and matches the RSA host key.
debug1: Found key in /.ssh/known_hosts:126
debug2: bits set: 528/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: id_dsa.pub (4002ea18)
debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug3: start over, passed a different list publickey,password,keyboard-interactive,hostbased
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: id_dsa.pub
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 433
debug2: input_userauth_pk_ok: fp d7:55:36:ef:bf:91:a1:42:d1:8d:41:ed:61:e4:f4:06
debug3: sign_and_send_pubkey
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type
Enter passphrase for key 'id_dsa.pub':

Tanks for all answers

Re: SSH trusted relationship

Sridhar Bhaskarla — Wed, 17 Nov 2004 13:48:54 GMT

Jose,

if you just press , does it take it as a passphrase and yield you passwordless login?.

-Sri

Re: SSH trusted relationship

Sanjay_6 — Wed, 17 Nov 2004 13:49:17 GMT

Hi Jose,

Try this link,

http://bumblebee.lcs.mit.edu/ssh2/

Hope this helps.

regds

Re: SSH trusted relationship

Steven E. Protter — Wed, 17 Nov 2004 13:50:42 GMT

Attaching a word doc.

Pay attention to directory permissions. You can use cat instead of X terminal to build the files.

SEP

Re: SSH trusted relationship

Jose Giudice — Wed, 17 Nov 2004 13:54:55 GMT

Hi Sridhar Bhaskarla

See above, I generated public and private keys with the command :

ssh-keygen -t dsa -N ""

-N "" = without pass-phrase

Re: SSH trusted relationship

Jose Giudice — Wed, 17 Nov 2004 14:04:57 GMT

My directory permissions:

Server:
drwxr-xr-x 2 itocheckeritochecker 512 Nov 17 12:43 .ssh

-rw-r--r-- 1 itocheckeritochecker 929 Nov 17 15:07 authorized_keys

Client:

drwxr-xr-x 2 root sys 1024 Nov 17 13:21 .ssh

-rw------- 1 root sys 668 Nov 17 13:21 id_dsa
-rw------- 1 root sys 600 Nov 17 13:21 id_dsa.pub

My user is not a passwordless.

Thanks

Re: SSH trusted relationship

Sridhar Bhaskarla — Wed, 17 Nov 2004 14:05:23 GMT

I know about -N.

I wanted to make sure if ssh is accepting as a passphrase or if it is rejecting it completely. Can you move id_dsa as id_dsa.old, generate the key again and try on the source system?

-Sri

Re: SSH trusted relationship

Ermin Borovac — Thu, 18 Nov 2004 00:59:29 GMT

Check itochecker's home directory permissions on host2. Make sure it's not group writable.

Otherwise, start server sshd with debug option (make sure port 22222 is not used on host2).

host2# sshd -d -p 22222

host1# ssh -vvv -p 22222 -i /root/.ssh/id_dsa.pub itochecker@host2

Examine output of sshd on host2 as it might give you additional clues.

Re: SSH trusted relationship

Jose Giudice — Thu, 18 Nov 2004 05:50:59 GMT

Hi,

I started ssh with option -d on host2 and I try to access ssh -vvv -i id_dsa.pub from host1. Below I have the reply :

/opt/sbin/sshd -d
debug1: sshd version OpenSSH_3.1p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.

debug1: Server will not fork when running in debugging mode.
Connection from host1 port 62073
debug1: Client protocol version 2.0; client software version OpenSSH_3.8
debug1: match: OpenSSH_3.8 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.1p1
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
WARNING: /usr/local/etc/moduli does not exist, using old modulus
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 136/256
debug1: bits set: 494/1024
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 530/1024
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user itochecker service ssh-connection method none
debug1: attempt 0 failures 0
debug1: Starting up PAM with username "itochecker"
debug1: PAM setting rhost to "host1"
Failed none for itochecker from host1 port 62073 ssh2
debug1: userauth-request for user itochecker service ssh-connection method publickey
debug1: attempt 1 failures 1
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 3003/3002 (e=0)
debug1: trying public key file /export/home/itochecker/.ssh/authorized_keys
debug1: matching key found: file /export/home/itochecker/.ssh/authorized_keys, line 2
Found matching DSA key: d7:55:36:ef:bf:91:a1:42:d1:8d:41:ed:61:e4:f4:06
debug1: restore_uid
Postponed publickey for itochecker from host1 port 62073 ssh2

Re: SSH trusted relationship

Ermin Borovac — Mon, 22 Nov 2004 01:17:33 GMT

I think the reason it didn't work was when you specify identity file on ssh command line (-i ) it should be private file (id_dsa) not public file (id_dsa.pub).

/* NOT OK */
# ssh -i /root/.ssh/id_dsa.pub itochecker@host2

/* OK */
# ssh -i /root/.ssh/id_dsa itochecker@host2