Online Expert Day - HPE Data Storage - Live Now
April 24/25 - Online Expert Day - HPE Data Storage - Live Now
Read more
cancel
Showing results for 
Search instead for 
Did you mean: 

Secure shell (ssh)

Mark Parsons
Valued Contributor

Secure shell (ssh)

Hi,

I'm only used to setting up both private and public keys and sending the public key to the system administrator of the machine we wish to ssh/scp to and from.

However I have a requirement for someone to send me their public key as they wish to connect to us. I have both the client and server version. So what do I do?

What I have done so far is to create a public and a private key and replace the public key with the one they have sent. I have also put the correct line into the authorization file and they have done the same with the identification file.

When they try to connect they get an "enter authentication" response. (All passphrases were set to null). Where is it going wrong?

Kind Regards,

Mark Parsons.
12 REPLIES
Tingli
Esteemed Contributor

Re: Secure shell (ssh)

Both public and private keys should be created in the other side. They send you the public key, which you put to the file .ssh/authorized_keys. This file permission can not be higher than 644.
Mark Parsons
Valued Contributor

Re: Secure shell (ssh)

Thanks - so I don't have to create a matching private key?
Steven E. Protter
Exalted Contributor

Re: Secure shell (ssh)

Shalom,

Private key stays on the system it was generated on.

It is the basis of public keys that are generated and exchanged.

Please see my document:
http://www.hpux.ws/?p=10

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Mark Parsons
Valued Contributor

Re: Secure shell (ssh)

Okay - I have placed the public key into the .ssh area along with the line into the authorized_keys file. Thats the only two files that exist - the public key file and the authorization file.

The system on the other side that is trying to connect is getting the "enter authentication" response. Is this an access issue on that system or on mine?
Tingli
Esteemed Contributor

Re: Secure shell (ssh)

In this case. The public key should be the same as the authorized_key.

If it doesn't work, you can go to file /var/adm/syslog/syslog.log and see whether there is any messages there. It might help you.


Matti_Kurkela
Honored Contributor

Re: Secure shell (ssh)

Mark, the description of your actions seemed to be a mixture of the instructions of two different SSH products. Perhaps there is a misunderstanding somewhere?

There are two possible configuration styles, depending on whether your ssh product is OpenSSH (or its derivative, like HP's free Secure Shell for HP-UX) or a commercial product from ssh.com.

-----------

For OpenSSH, the public key should be just one very long line of text. It should be copied into the authorized_keys file as is:

cat publickey.pub >> ~/.ssh/authorized_keys

If you need to allow access for multiple keys, just append all keys to the same file, one key per line.

If the public key is currently in multi-line format, you can use the import function of the OpenSSH ssh-keygen tool to convert it:

ssh-keygen -i -f multi-line-key.pub >> ~/.ssh/authorized_keys

-----------

For the ssh.com commercial product (Tectia SSH or whatever it's currently named), the key should be in multi-line format. In this case, the key file goes to the ~/.ssh directory (or ~/.ssh2 with some versions), and there should be a file named ~/.ssh/authorization (or ~/.ssh2/authorization), listing the name(s) of the key file(s), prefixed with the word "Key":

mv multi-line-key.pub ~/.ssh/
echo "Key multi-line-key.pub" >> ~/.ssh/authorization

If you need to allow multiple keys, that can be done by using multiple Key lines in the authorization file.

If the public key you've received is in single-line form, the ssh-keygen utility of the commercial SSH product should likewise have an import function that can convert the key to the correct form. Unfortunately I cannot recall the correct syntax for it.

-------------

Another point to check is file ownerships and permissions. The .ssh directory and the authorized_keys (or authorization) file must be protected so that only the owner of the account can write to it.

Likewise, the user's home directory cannot be writeable by anyone other than the user itself. If you need other users to be able to write files to the user's home directory, create a sub-directory under the user's home dir and arrange for the files to be written there.

MK
MK
Tim Nelson
Honored Contributor

Re: Secure shell (ssh)

If the syslog.log does not lead you to a solution then here is a quick basic list to check.

The incoming users public key must be put in the home directory of the user. e.g. /home/user1/.ssh/authorized_keys

The home directory of the user and the .ssh sub dir must be 700 permissions and the authorized_keys must be 600


otherwise have the user execute ssh with the -v option and post the output here....



Mark Parsons
Valued Contributor

Re: Secure shell (ssh)

I couldn't find anything in syslog. We are using Reflection ssh software which uses ssh2. The ssh2 folder looks like this:

# pwd
/data/lis/gdf/pro/dieg01p/.ssh2
# ls -la
total 40
drwx------ 3 dieg01p dsl 4096 Aug 6 09:03 .
drwxrwxr-x 8 dieg01p dsl 4096 Aug 5 15:14 ..
-rw------- 1 dieg01p dsl 22 Aug 6 09:09 authorization
drw-r--r-- 2 dieg01p dsl 96 Aug 5 15:15 hostkeys
-rw-r--r-- 1 dieg01p dsl 750 Aug 5 15:32 id_dsa_1024_a.pub
-rw-r--r-- 1 dieg01p dsl 512 Aug 5 15:15 random_seed
# cat auth*
Key id_dsa_1024_a.pub

The output from ssh -v is as follows (I think I now have a further problem in the fact that its tried to authenticate too many times)

C:\Program Files\F-Secure\Ssh>ssh2 -v dieg01p@10.64.132.35 'is -ia'
debug: Ssh2: Found user config file 'C:/Documents and Settings/ieadmin/Applicati
on Data/F-Secure SSH/ssh2_config'
debug: SshConfig: Read 1 params from config file.
debug: Connecting to 10.64.132.35, port 22... (SOCKS not used)
debug: client supports 3 auth methods: 'keyboard-interactive,publickey,password'

debug: Ssh2Common: local ip = 10.65.1.2, local port = 3323
debug: Ssh2Common: remote ip = 10.64.132.35, remote port = 22
debug: SshConnection: Wrapping...
debug: Remote version: SSH-2.0-OpenSSH_4.7p1+sftpfilecontrol-v1.2-hpn12v17
debug: OpenSSH: Major: 4 Minor: 7 Revision: 0
debug: Ssh2Transport: All versions of OpenSSH handle kex guesses incorrectly.
debug: Ssh2Transport: My version: SSH-1.99-3.2.3 F-Secure SSH Windows Client
debug: Ssh2Transport: lang s to c: `', lang c to s: `'
debug: Ssh2Transport: c_to_s: cipher 3des-cbc, mac hmac-sha1, compression none
debug: Ssh2Transport: s_to_c: cipher 3des-cbc, mac hmac-sha1, compression none
debug: Remote host key found from database.
debug: Ssh2Common: Received SSH_CROSS_STARTUP packet from connection protocol.
debug: Ssh2Common: Received SSH_CROSS_ALGORITHMS packet from connection protocol
.
debug: server offers auth methods 'publickey,password,keyboard-interactive'.
debug: Ssh2AuthKbdInteractiveClient: Starting kbd-int auth...
Keyboard-interactive:
debug: Ssh2AuthKbdInteractiveClient: In Batchmode, so we're not asking the user
anything. (prompt: Your password was changed by root
Password: )
debug: Ssh2AuthKbdInteractiveClient: Sending response packet.
debug: server offers auth methods 'publickey,password,keyboard-interactive'.
debug: Ssh2AuthPubKeyClient: Starting pubkey auth...
debug: Ssh2AuthPubKeyClient: Agent is not running.
debug: Ssh2AuthPubKeyClient: Got 0 keys from the agent.
debug: SshUnixUserFiles: Found 4 keys from C:\Documents and Settings\ieadmin\App
lication Data\F-Secure SSH\userkeys
debug: SshUnixUserFiles: Found 0 certificates from C:\Documents and Settings\iea
dmin\Application Data\F-Secure SSH\UserCertificates
debug: Ssh2AuthPubKeyClient: adding keyfile "C:\Documents and Settings\ieadmin\A
pplication Data\F-Secure SSH\userkeys\GFIS_Production" to candidates
debug: Ssh2AuthPubKeyClient: adding keyfile "C:\Documents and Settings\ieadmin\A
pplication Data\F-Secure SSH\userkeys\hieg01u" to candidates
debug: Ssh2AuthPubKeyClient: adding keyfile "C:\Documents and Settings\ieadmin\A
pplication Data\F-Secure SSH\userkeys\id_dsa_1024_a" to candidates
debug: Ssh2AuthPubKeyClient: adding keyfile "C:\Documents and Settings\ieadmin\A
pplication Data\F-Secure SSH\userkeys\ireland" to candidates
debug: Ssh2AuthPubKeyClient: Trying 4 key candidates.
debug: server offers auth methods 'publickey,password,keyboard-interactive'.
debug: server offers auth methods 'publickey,password,keyboard-interactive'.
debug: server offers auth methods 'publickey,password,keyboard-interactive'.
debug: server offers auth methods 'publickey,password,keyboard-interactive'.
debug: Ssh2AuthPubKeyClient: All keys declined by server, disabling method.
debug: Ssh2AuthClient: Method 'publickey' disabled.
debug: server offers auth methods 'publickey,password,keyboard-interactive'.
debug: Ssh2AuthKbdInteractiveClient: Starting kbd-int auth...
Keyboard-interactive:
debug: Ssh2AuthKbdInteractiveClient: In Batchmode, so we're not asking the user
anything. (prompt: Your password was changed by root
Password: )
debug: Ssh2AuthKbdInteractiveClient: Sending response packet.
debug: Ssh2Common: DISCONNECT received: Too many authentication failures for die
g01p
warning: Authentication failed.
Disconnected; protocol error (Too many authentication failures for dieg01p).
debug: Ssh2Common: DISCONNECT received: Connection closed.
warning: Authentication failed.
Disconnected; connection lost (Connection closed.).

Kind Regards,

Mark Parsons.
OldSchool
Honored Contributor

Re: Secure shell (ssh)

Ok, I think what's happening is you're confusing the setup of OpenSSH (the UNIX side) with SSH2 (the Windows side)

IF this represents what you've done on the HPUX end, it doesn't appear correct:
=====================================================================
# pwd
/data/lis/gdf/pro/dieg01p/.ssh2
# ls -la
total 40
drwx------ 3 dieg01p dsl 4096 Aug 6 09:03 .
drwxrwxr-x 8 dieg01p dsl 4096 Aug 5 15:14 ..
-rw------- 1 dieg01p dsl 22 Aug 6 09:09 authorization
drw-r--r-- 2 dieg01p dsl 96 Aug 5 15:15 hostkeys
-rw-r--r-- 1 dieg01p dsl 750 Aug 5 15:32 id_dsa_1024_a.pub
-rw-r--r-- 1 dieg01p dsl 512 Aug 5 15:15 random_seed
# cat auth*
Key id_dsa_1024_a.pub
=====================================================================


On the hpux side, you should be using openSSH. In the $HOME directory, the layout should look something like this:

$ ls -ld .ssh
drwx------ 2 l00s7m system 512 Jul 03 2007 .ssh

$ pwd ; ls -l
/home/l00s7m/.ssh
total 3
-rw-r--r-- 1 l00s7m staff 441 Jul 14 11:33 authorized_keys
-rw-r--r-- 1 l00s7m system 629 Oct 29 2008 known_hosts


The authorized_keys file contains 1 (to many) public keys. This is/are the actual keys. You appear, instead, have simply inserted the filename, where the named file contains the key, which is not correct. Also, note the permissions, they are critical.
OldSchool
Honored Contributor

Re: Secure shell (ssh)

sorry, my prior post was based on having OpenSSH installed on HPUX. Which may or may not be correct. I didn't see anywhere where you stated what was running there.

OldSchool
Honored Contributor

Re: Secure shell (ssh)

and had I read closer, I'd have seen:

debug: Remote version: SSH-2.0-OpenSSH_4.7p1+sftpfilecontrol-v1.2-hpn12v17

I think my first post applies.
Mark Parsons
Valued Contributor

Re: Secure shell (ssh)

Issue now outdated.