Operating System - HP-UX

ssh1 to ssh2... Cannot get it to connect w/o a password

Scott Vick_1
New Member

I'm currently running the HP Secure Shell package on a server. I'm trying to get it to connect to another server that is running the commercial (ssh.com) version of ssh2.

I've created the public and private keys on the ssh1 server and converted the public key for use on ssh2 (ssh-keygen -e -f id_dsa.pub > id_dsa.ssh2.pub) and copied the new ssh2 key to the ssh2 server.

I created a new authorization file in .ssh2 directory on the ssh2 server.

What am I missing? This was working once upon a time but the ssh2 server had to be rebuilt.
Sanjay_6
Honored Contributor

Re: ssh1 to ssh2... Cannot get it to connect w/o a password

Hi,

Try this link,

http://bumblebee.lcs.mit.edu/ssh2/

Hope this helps.

Regds
Scott Vick_1
New Member

Re: ssh1 to ssh2... Cannot get it to connect w/o a password

I found that link... I did exactly as it said and it still doesn't work w/o a password.

RAC_1
Honored Contributor

Re: ssh1 to ssh2... Cannot get it to connect w/o a password

On server start sshd on some other port. sshd -ddd -p "some_port"

From client do ssh -vvv "server" -p "port_no"
Post the output.
There is no substitute to HARDWORK
Sanjay_6
Honored Contributor

Re: ssh1 to ssh2... Cannot get it to connect w/o a password

Hi Scott,

While creating the key, you need to define the type of key you are creating,

-t type

it could be rsa1/dsa/rsa

Also make sure you are using the null passphrase while creating the key. Either use -N "" or press enter when it asks for a passphrase.

Hope this helps.

Regds
Steven E. Protter
Exalted Contributor

Re: ssh1 to ssh2... Cannot get it to connect w/o a password

Usually this issue is permissions.

See this word doc, ignore the X windows stuff build the files any way you please. Follow permission guidelines completely.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Scott Vick_1
New Member

Re: ssh1 to ssh2... Cannot get it to connect w/o a password

Thanx everyone for the posts... but it's still not working.

I tried starting the daemon on a different port. That didn't work so, I returned it to the original (22) port.

Also, when I created the key, I did so w/ the -t dsa flag (ssh-keygen -t dsa)

Finally, thanx for the document Steve, but I had found it earlier on another post on the ITRC. However, it only works w/ OpenSSH and doesn't apply to my situation.

I went ahead and installed the commercial version of ssh2 on the ssh1 server. I can now connect w/o a password so, that's good. I now have another issue.

When I ssh from one server to the other it take somewhere around 10-11 seconds to finish the handshake. Is there anything I can do to the config that will speed it up?
Ralph Grothe
Honored Contributor

Re: ssh1 to ssh2... Cannot get it to connect w/o a password

Have you run your "failing" ssh connection with one or several -v to get debug messages displayed as suggested by the others?

Is your account using a $HOME/.ssh/config file that maybe has settings for other IdentityFile etc.?

Try to be explicit and use the -i option.

You wrote "I created a new authorization file in .ssh2 directory on the ssh2 server".

Is it literally
remote_login@remote_host:.ssh2/authorized_keys ?
Then SSH won't find the keys.

Have you tried using ssh-agent to test if passwordless login on remote host works?
With a running ssh-agent there is no need to get the key from remote host but rather ask the agent for it.
Did you change the passphrase for your used key to an empty string?

Have you checked mode bits of keyfiles and directory on remote host if the remote sshd runs with StrictModes (what it should)?

Could it be that the remote login account has expired?
Have a look at remote host's syslog (or where syslog facility AUTH gets logged) for any messages.


Madness, thy name is system administration
Scott Vick_1
New Member

Re: ssh1 to ssh2... Cannot get it to connect w/o a password

Whoa... that's a lot of questions. Here goes trying to answer them all... :-)

I ran the ssh w/ the -v flag several times... It tries to find the keys but then switches to the password mode for no reason. The keys it's looking for are there, they just are not being found. Before you ask, it's not a permission problem. All files are 640.

I'm not using a config file. ssh is using the default config for the application.

The authorization file is in $HOME/.ssh2/authorization. (authorized_keys don't work w/ ssh2 commercial)

I don't know much about ssh-agent or how to config or run. If someone can enlighten me.

Bits on all files is 2048.

And the account is fine. If I telnet to it, it works perfectly.

Wheww... :-D

Anybody know how I can config ssh2 (commercial) to not be so slow when connecting?
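An added check, written for this thread and not taken from any of the posters, for the two things the replies keep circling: StrictModes-style permissions (a private key at 640 fails the client-side rule, since group bits count as "too open") and the layout of the commercial ssh2 $HOME/.ssh2/authorization file. It assumes the ssh2 file consists of "Key <file>" lines (directive name taken from the ssh2 documentation, not shown in the thread) naming public keys in $HOME/.ssh2 written in the format that ssh-keygen -e produces.

```shell
#!/bin/sh
# Added example, not from the thread. Audits the two things the thread keeps
# pointing at: StrictModes-style permissions on client key material, and the
# commercial ssh2 ~/.ssh2/authorization file, whose "Key <file>" lines (directive
# assumed from the ssh2 docs, not shown in the thread) must name a public key in
# the "---- BEGIN SSH2 PUBLIC KEY ----" format that ssh-keygen -e writes.

# Octal permission bits of a path, derived from ls -l (portable to HP-UX).
mode_of() {
    ls -ld "$1" | awk '{ m = 0; s = substr($1, 2, 9)
        for (i = 1; i <= 9; i++) if (substr(s, i, 1) != "-") m += 2 ^ (9 - i)
        printf "%o\n", m }'
}

# 0 when the client directory is 700 and private keys have no group/other bits.
check_client_keys() {    # $1 = directory standing in for ~/.ssh
    dir=$1; rc=0
    [ "$(mode_of "$dir")" = 700 ] || { echo "$dir: mode must be 700"; rc=1; }
    for k in "$dir"/identity "$dir"/id_dsa "$dir"/id_rsa; do
        [ -f "$k" ] || continue
        case $(mode_of "$k") in
            600|400) ;;
            *) echo "$k: private key mode $(mode_of "$k") is too open"; rc=1 ;;
        esac
    done
    return $rc
}

# 0 when ~/.ssh2 is not group/world writable and every "Key <file>" entry in
# authorization names an existing SSH2-format public key in that directory.
check_ssh2_authorization() {    # $1 = directory standing in for ~/.ssh2
    dir=$1; rc=0
    case $(mode_of "$dir") in
        ?[2367]?|??[2367]) echo "$dir: mode $(mode_of "$dir") is group/world writable"; rc=1 ;;
    esac
    [ -f "$dir/authorization" ] || { echo "$dir/authorization: missing"; return 1; }
    for f in $(awk '$1 == "Key" { print $2 }' "$dir/authorization"); do
        if [ ! -f "$dir/$f" ]; then
            echo "Key $f: no such file in $dir"; rc=1
        elif ! head -n 1 "$dir/$f" | grep -q 'BEGIN SSH2 PUBLIC KEY'; then
            # Typical cause: an OpenSSH one-line key copied over without ssh-keygen -e.
            echo "Key $f: not SSH2 format, convert with ssh-keygen -e"; rc=1
        fi
    done
    return $rc
}

# Usage: sh audit_keys.sh "$HOME/.ssh" "$HOME/.ssh2"
if [ $# -eq 2 ]; then check_client_keys "$1"; check_ssh2_authorization "$2"; fi
```

Run it on the client against $HOME/.ssh and on the ssh2 server against $HOME/.ssh2; each finding it prints is one thing the daemon will silently skip before falling back to password authentication.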
Ralph Grothe
Honored Contributor

Re: ssh1 to ssh2... Cannot get it to connect w/o a password

Hi Scott,

have you meanwhile found the reason why the remote (commercial) SSH2 daemon is rejecting your key authorization and is relapsing to password authorization?

I'm afraid we don't use any other SSH implementations than OpenSSH.
Thus I don't know the configuration options of SSH2 (is it Tectia?).

I've only found in an SSH quickref that SSH2 has a configuration directive like NoDelay,
which if set to yes would disable the Nagle algorithm.
Maybe this could speed up your connection?
Another difference I suppose is the sort of asymmetric encryption that is used during the establishing of the crypto connection, and the session encryption itself.
The first I think used to be the Rivest Shamir Adleman (RSA) public key cypher in commercial implementations.
Because of Arms Export Ban the USA imposed also on strong crypto software until recently (one reason for the Canadian OpenBSD fork from NetBSD) and because of a patent on the RSA algorithm all open source implementations as far as I know switched from RSA to other crypto systems like DSA.
(that's why we use DSA keys in the first place).
Although OpenSSH claims to support the patented cyphers as well I can imagine this could be a reason for your trouble.

In the sshd_config manpage from OpenSSH I found another two directives you could look out for some similar ones in SSH2.

One being "Ciphers" that lists the allowed cyphers (btw. is it "cipher" or "cypher"? I always thought the former).

The other being "KeyRegenerationInterval", but which only applies to Protocol 1.
Maybe SSH2 knows something similar to make your connections a bit speedier by increasing the interval?

As for ssh-agent.
This is quite handy if you feel unpleasant about distributing your passphrase-less public keys to other hosts, but at the same time are reluctant to retype your passphrases over and over again.
From the shell on the host from where you start your connections you initially spawn an ssh-agent that daemonizes, and that you feed with all the keys of hosts you want to connect to.
Because the keys are only virulent in memory of your connecting host it would be much more difficult for an attacker to get hold of your keys.

There are several ways to start the ssh-agent, but the most apparent one would be like

$ eval `ssh-agent`
Agent pid 60892

ssh-agent writes to stdout the shell syntax to set a few important environment variables.
That's why the eval.

$ env|grep SSH
SSH_INITIATOR=grothe
SSH_AGENT_PID=60892
SSH_AUTH_SOCK=/tmp/ssh-JOB94408/agent.94408

You need the SSH_AGENT_PID to terminate the ssh-agent, because one tends to forget about a lingering ssh-agent.
Beware to not leave your terminal unattended because anyone gets access to hosts according to the currently loaded keys.

Therefore it's good habit to define an exit trap that would kill the agent on terminal closing.

$ trap 'eval `ssh-agent -k`' EXIT

$ trap
trap -- 'eval `ssh-agent -k`' EXIT

Now with a running agent you need to feed it with your passphrase-protected keys.
Only while you do this are you asked one time for your keys' passphrases.

e.g.

$ ssh-add .ssh/root_kos_id_dsa
Enter passphrase for .ssh/root_kos_id_dsa:
Identity added: .ssh/root_kos_id_dsa (.ssh/root_kos_id_dsa)

You can always check your agent for currently loaded keys.
-l will only print the keys' fingerprints,
while -L displays the whole keys.

$ ssh-add -l
1024 94:da:8e:f5:1e:96:57:6b:33:33:50:7b:a0:ba:61:2b .ssh/root_kos_id_dsa (DSA)

Finally with the loaded key you can connect to the remote host without being further asked for a passphrase

$ ssh -i .ssh/root_kos_id_dsa root@kos hostname\;uptime
kos
4:00pm up 56 days, 11:53, 4 users, load average: 0.06, 0.06, 0.07

HTH


Madness, thy name is system administration