topic Re: SSH Key based authentication Issues in Operating System - OpenVMS

SSH Key based authentication Issues

Anup Kumar — Tue, 06 Sep 2005 07:19:43 GMT

I am runninf tcpip 5.4 ECO 5 and trying to use ssh over key based authentication. I have setup all required things as per ssh guide for public-key based authentication but still my authentication is failing. Can you advise what might be issue. Here is the dump I get :

ssh -v ssh_test@svmp01

debug: Ssh2/SSH2.C:1847: CRTL version (SYS$SHARE:DECC$SHR.EXE ident) is V7.3-2-00
debug: SshAppCommon/SSHAPPCOMMON.C:307: Allocating global SshRegex context.
debug: SshConfig/SSHCONFIG.C:3285: Metaconfig parsing stopped at line 3.
debug: SshConfig/SSHCONFIG.C:842: Setting variable 'VerboseMode' to 'FALSE'.
debug: SshConfig/SSHCONFIG.C:3285: Metaconfig parsing stopped at line 3.
debug: SshConfig/SSHCONFIG.C:842: Setting variable 'VerboseMode' to 'FALSE'.
debug: Connecting to svmp01, port 22... (SOCKS not used)
debug: Ssh2/SSH2.C:2813: Entering event loop.
debug: Ssh2Client/SSHCLIENT.C:1607: Creating transport protocol.
debug: SshAuthMethodClient/SSHAUTHMETHODC.C:99: Added "publickey" to usable methods.
debug: Ssh2Client/SSHCLIENT.C:1648: Creating userauth protocol.
debug: client supports 1 auth methods: 'publickey'
debug: SshUnixTcp/SSHUNIXTCP.C:1356: using local hostname SVMU01.aspac.citicorp.com
debug: Ssh2Common/SSHCOMMON.C:545: local ip = 163.37.135.82, local port = 56615
debug: Ssh2Common/SSHCOMMON.C:547: remote ip = 163.37.131.193, remote port = 22
debug: SshConnection/SSHCONN.C:2277: Wrapping...
debug: SshReadLine/SSHREADLINE.C:3651: Initializing ReadLine...
debug: Remote version: SSH-2.0-3.2.0 SSH Secure Shell OpenVMS V5.5
debug: Major: 3 Minor: 2 Revision: 0
debug: Ssh2Transport/TRCOMMON.C:2157: lang s to c: `', lang c to s: `'
debug: Ssh2Transport/TRCOMMON.C:2222: c_to_s: cipher aes128-cbc, mac hmac-sha1, compression none
debug: Ssh2Transport/TRCOMMON.C:2225: s_to_c: cipher aes128-cbc, mac hmac-sha1, compression none
debug: Remote host key found from database.
debug: Ssh2Common/SSHCOMMON.C:346: Received SSH_CROSS_STARTUP packet from connection protocol.
debug: Ssh2Common/SSHCOMMON.C:396: Received SSH_CROSS_ALGORITHMS packet from connection protocol.
********************************************************************************
** **
** THIS SYSTEM IS RESTRICTED! **
** **
** You are authorized to use this System for approved business **
** purposes only. Use for any other purpose prohibited. All **
** transactional records, reports, e-mail, software, and other **
** data generated by or residing upon this System are the property **
** of the Company and may be used by the Company for any purpose. **
** Authorized and unauthorized activities may be monitored. **
** **
********************************************************************************

debug: server offers auth methods 'password,publickey'.
debug: Ssh2KeyBlob/SSH2PUBKEYENCODE.C:411: Could not decode certificate file
debug: Ssh2AuthPubKeyClient/AUTHC-PUBKEY.C:1681: adding keyfile "/DISK$SGA002/ssh_test/ssh2/ID_DSA_2048_A" to candidates
debug: server offers auth methods 'password,publickey'.
debug: server offers auth methods 'password,publickey'.
debug: Ssh2AuthClient/SSHAUTHC.C:373: Method 'publickey' disabled.
debug: server offers auth methods 'password,publickey'.
debug: Ssh2Common/SSHCOMMON.C:184: DISCONNECT received: No further authentication methods available.
debug: SshReadLine/SSHREADLINE.C:3717: Uninitializing ReadLine...
warning: Authentication failed.
debug: Ssh2/SSH2.C:316: locally_generated = TRUE
Disconnected; no more authentication methods available (No further authentication methods available.).
debug: Ssh2Client/SSHCLIENT.C:1683: Destroying client.
debug: SshConfig/SSHCONFIG.C:2745: Freeing pki. (host_pki != NULL, user_pki = NULL)
debug: SshConnection/SSHCONN.C:2329: Destroying SshConn object.
debug: Ssh2Client/SSHCLIENT.C:1751: Destroying client completed.
debug: SshAuthMethodClient/SSHAUTHMETHODC.C:104: Destroying authentication method array.
debug: SshAppCommon/SSHAPPCOMMON.C:320: Freeing global SshRegex context.
debug: SshConfig/SSHCONFIG.C:2745: Freeing pki. (host_pki = NULL, user_pki = NULL)

Re: SSH Key based authentication Issues

Michael Yu_3 — Wed, 07 Sep 2005 01:37:21 GMT

Hi Anup,

It seems that there is some problem with your public key file. Can you post the output of dir/full of you public key file?

Thanks and regards.

Michael

Re: SSH Key based authentication Issues

Anup Kumar — Wed, 07 Sep 2005 04:52:56 GMT

Thanks Michael,

You were right.I found the problem. Actually in my authorization file , I used keyword IdKey instead of KEY to identify public key. Corrected that and now its working fine.

Re: SSH Key based authentication Issues

Jan van den Ende — Sat, 24 Sep 2005 07:55:45 GMT

Anup,

since Michael obviously helped you out, would you care to reward him in Forum style?

Please read

http://www1.itrc.hp.com/service/help/forums.do#28

Proost.

Have one on me.

jpe

Re: SSH Key based authentication Issues

Anup Kumar — Mon, 26 Sep 2005 10:52:00 GMT

Michael,

For scp file transfer from vms to unix, are there special consideration to be taken. Are there some guides which explains in more detail on the same. We are trying transfer from vms to unix but it fails. I understand the way public key file is added on Unix is different from vms.Please advise

Regards

AK

Re: SSH Key based authentication Issues

Michael Yu_3 — Tue, 04 Oct 2005 02:21:04 GMT

Hi Anup,

Sorry for the late reply, I was away for the past week.

What error did you have when SCP from OpenVMS to unix? Do you have the output of the SCP command with debug turned on?

Thanks and regards.

Michael

Re: SSH Key based authentication Issues

Anup Kumar — Mon, 10 Oct 2005 03:33:13 GMT

Mike,

When you generate pair of key on vms server the public key format generated on vms is diffenert as one for unix platform. i.e. our public contains these extra lines

Subject: dusr_tjip
Comment: "2048-bit dsa, dusr_tjip@SVMU02.aspac.citicorp.com, Thu Oct 0\
6 2005 01:22:02"

do we need to put these lines in authorized_keys2 file on unix or we need to some formatting of public key before giving it to unix platform

Regards

Anup

Re: SSH Key based authentication Issues

Martin Vorlaender — Mon, 10 Oct 2005 04:43:42 GMT

Anup,

>>>
do we need to put these lines in authorized_keys2 file on unix or we need to some formatting of public key before giving it to unix platform
<<<

Monst Unix' sshkeygen has an import option (-i?) for these keys which changes the format.

cu,
Martin

Re: SSH Key based authentication Issues

Michael Yu_3 — Mon, 10 Oct 2005 18:54:10 GMT

Hi Anup,

I think the subject line and the comment line will be ignored.

Which favour of unix are you using?

Thanks and regards.

Michael

Re: SSH Key based authentication Issues

Anup Kumar — Mon, 10 Oct 2005 23:33:01 GMT

Mike,

The issue is resolved after we converted the key at Unix but there is one glitch we found. If we create a private-public key pair on VMS with -P option ( i.e. empty passphrase ) and then we convert that public key at remote end, it does not work. During a transfer initiation it asks for passphrase out of blue. But if you create a private-public key pair without -P option and provide blank passphrase then that public key at remote end after conversion works fine.

Thanks for you support

Cheers .. AK

Re: SSH Key based authentication Issues

Michael Yu_3 — Mon, 10 Oct 2005 23:55:53 GMT

Hi Anup,

It is good to know that things are working fine for you.

Thanks and regards.

Michael

Re: SSH Key based authentication Issues

Anup Kumar — Wed, 12 Oct 2005 00:06:19 GMT

Michael,

One query >>> whenever i initiate a client connection, its always goes and reads the ssh2_config. file from SYS$SYSDEVICE:[TCPIP$SSH.SSH2] and if it does not find the file there then it goes and reads the ssh2_config from users login directory. How we can force to read from user's login directory first and then from system area ?

Regards

Anup

Re: SSH Key based authentication Issues

Michael Yu_3 — Wed, 12 Oct 2005 01:02:56 GMT

Hi Anup,

My understanding is that the ssh2_config in sys$sysdevice:[tcpip$ssh.ssh2] has a system-wide scope while the ssh2_config in the [.ssh2] subdirectory under sys$login of the user has a user-specific scope.

The ssh client process always reads the ssh2_config from SYS$SYSDEVICE:[TCPIP$SSH.SSH2] to set up the run-time parameters for the ssh connection. Then it reads the ssh2_config from the user directory and set up any user-specific changes necessary.

Thanks and regards.

Michael