topic SFTP - Public key is not working in Operating System - HP-UX

SFTP - Public key is not working

Mike_781 — Thu, 16 Sep 2004 17:30:26 GMT

Hello all :)

I'm using sftp from a unix box (AIX) going to a windows NT box (running f-secure ssh suite server). I can login fine by providing a password. I setup the private and public key using ssh-keygen, then put my public key on the remote box into my home directory into .ssh2 and named the public key authorized_keys. Yet I'm still prompted for the password (not pass phrase) when I login.

Thanks to all for your help!

Below is the sftp log generated while I'm connecting. Where the problem might be local or remote host? I'm puzzled at this point.

$ sftp -v user@destination.nt.host
Connecting to destination.nt.host...
OpenSSH_3.8p1+sftplogging-v1.2, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /opt/ssh/etc//ssh_config
debug1: Applying options for *
debug1: Connecting to destination.nt.host [destination.nt.host] port 22.
debug1: Connection established.
debug1: identity file /ftp/v/f/00/00/local_user/.ssh/id_rsa type 1
debug1: identity file /ftp/v/f/00/00/local_user/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version 3.2.0 F-Secure SSH Windows NT S
erver
debug1: no match: 3.2.0 F-Secure SSH Windows NT Server
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8p1+sftplogging-v1.2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Host 'destination.nt.host' is known and matches the DSA host key.
debug1: Found key in /ftp/v/f/00/00/local_user/.ssh/known_hosts:1
debug1: ssh_dss_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /ftp/v/f/00/00/local_user/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /ftp/v/f/00/00/local_user/.ssh/id_dsa
debug1: Next authentication method: password
user@destination.nt.host's password:
debug1: Authentication succeeded (password).

Re: SFTP - Public key is not working

Sundar_7 — Thu, 16 Sep 2004 17:40:33 GMT

hmm...from my experience, debug1 doesnt really give enough details to troubleshoot the problem.

First thing I would check is the permissions of authorized_keys file. SSH is very sensitive about permissions.

try debug3, that could you tell you little more. Also enable debugging on the server side if possible

# sftp -vvv user@host

Re: SFTP - Public key is not working

Mike_781 — Thu, 16 Sep 2004 18:24:09 GMT

Sundar,

The permissions on the authorized_keys file are (-rw-------).

How to enable server level debugging? Unless I need ssh server admin priveleges, which I don't have (will have ask the remote box admin to do the server level deb. then).

Thank you for the tips!

Here is the log with debug3:
$ sftp -vvv user@destination.nt.host
Connecting to destination.nt.host...
OpenSSH_3.8p1+sftplogging-v1.2, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /opt/ssh/etc//ssh_config
debug1: Applying options for *
debug3: Seeding PRNG from /opt/ssh/openssh-3.8p1/libexec/ssh-rand-helper
debug2: ssh_connect: needpriv 0
debug1: Connecting to destination.nt.host [destination.nt.host] port 22.
debug1: Connection established.
debug3: Not a RSA1 key file /ftp/v/f/00/00/local_user/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /ftp/v/f/00/00/local_user/.ssh/id_rsa type 1
debug1: identity file /ftp/v/f/00/00/local_user/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version 3.2.0 F-Secure SSH Windows NT S
erver
debug1: no match: 3.2.0 F-Secure SSH Windows NT Server
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8p1+sftplogging-v1.2
debug3: RNG is ready, skipping seeding
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,a
es256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,a
es256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac
-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac
-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,twofish128-cbc,cast128-cbc,twofish-cbc,blowfi
sh-cbc,aes192-cbc,aes256-cbc,twofish192-cbc,twofish256-cbc,arcfour
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,twofish128-cbc,cast128-cbc,twofish-cbc,blowfi
sh-cbc,aes192-cbc,aes256-cbc,twofish192-cbc,twofish256-cbc,arcfour
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: dh_gen_key: priv key bits set: 118/256
debug2: bits set: 538/1024
debug1: sending SSH2_MSG_KEXDH_INIT
ebug1: expecting SSH2_MSG_KEXDH_REPLY
debug3: check_host_in_hostfile: filename /ftp/v/f/00/00/local_user/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'destination.nt.host' is known and matches the DSA host key.
debug1: Found key in /ftp/v/f/00/00/local_user/.ssh/known_hosts:1
debug2: bits set: 515/1024
debug1: ssh_dss_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /ftp/v/f/00/00/local_user/.ssh/id_rsa (2006cce8)
debug2: key: /ftp/v/f/00/00/local_user/.ssh/id_dsa (0)
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /ftp/v/f/00/00/local_user/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /ftp/v/f/00/00/local_user/.ssh/id_dsa
debug3: no such identity: /ftp/v/f/00/00/local_user/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password

Re: SFTP - Public key is not working

Michael Selvesteen_2 — Thu, 16 Sep 2004 23:43:02 GMT

Make sure the following:

1. your SSH (/home/user/.ssh) directory and files have the following permissions

chmod 755 ~/.ssh
chmod 644 ~/.ssh/authorized_keys
chmod 644 ~/.ssh/authorized_keys2

2. The remote server should support public key authentication and enabled in sshd_config
file

3. Your public key and private should have following permissions

chmod 600 ~/.ssh/id_dsa
chmod 644 ~/.ssh/id_dsa.pub

For more information
try www.openssh.com/faq.html

I am not sure whether F-Secure SSH supports openssh key format. Make it sure.

Else convert your keys with help of ssh-keygen -i option and append again to remote authorized keys file

Refer man ssh-keygen for more information

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=214170

Re: SFTP - Public key is not working

Mike_781 — Fri, 17 Sep 2004 15:14:04 GMT

The issue has been solved!

The remote host server admin found that openSSH public key was not compatible with F-Secure commercial SSH implementation.

I executed the following command to create a version of the key, compatible with the commercial SSH:
ssh-keygen -e -f id_rsa.pub > id_rsa2.pub

Than I uploaded the id_rsa2.pub to the remote host. Remote host admin in turn took this key and registered it within F-Secure SSH (not sure what this process consists of).

Thanks to all for your tips!!!