
Differences between SSH versions on HP-UX 11iv2

 
SOLVED
Jamie A Dennis
Frequent Advisor


Hello,

I've seen several threads similar to this, but nothing addressing this specifically.

We have an HP-UX 11.23 server which serves as a jump server to other HP-UX servers. This server runs Tectia SSH:

server_a# ssh -V

ssh: SSH Tectia Server 4.1.0 on
Build: 34
Released 2004-06-07 (YYYY-MM-DD).
Crypto library version: SSH Cryptographic Library, version 1.2.4
FIPS certification mode: DISABLED
Product: SSH Tectia Server

This server CAN ssh without password to other servers in the environment which are running this version of SSH:

server_b# ssh -V

OpenSSH_4.5p1+sftpfilecontrol-v1.1-hpn12v14, OpenSSL 0.9.7l 28 Sep 2006
HP-UX Secure Shell-A.04.50.021, HP-UX Secure Shell version

and works on this version:
server_d# ssh -V
OpenSSH_4.4p1-hpn12v11, OpenSSL 0.9.7l 28 Sep 2006
HP-UX Secure Shell-A.04.40.007, HP-UX Secure Shell version

but it can NOT ssh without password to servers running this version:

server_c# ssh -V

OpenSSH_5.0p1+sftpfilecontrol-v1.2-hpn13v1, OpenSSL 0.9.7m 23 Feb 2007
HP-UX Secure Shell-A.05.00.022, HP-UX Secure Shell version

What we see when we ssh from server_a to server_c is the following: (using ssh -vvv server_c)

debug: server offers auth methods 'publickey,password,keyboard-interactive'.
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:1766: Starting pubkey auth...
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:1722: Agent is not running.
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:1513: Got 0 keys from the agent.
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:1293: Trying to add external certificate, key count = 0.
debug: SshUnixUserFiles/sshunixuserfiles.c:366: Using '/.ssh2/identification' as identity file.
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:1634: adding keyfile "/.ssh2/admin" to candidates
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:1634: adding keyfile "/.ssh2/admin_openssh" to candidates
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:1493: Trying 2 key candidates.
debug: server offers auth methods 'publickey,password,keyboard-interactive'.
debug: server offers auth methods 'publickey,password,keyboard-interactive'.
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:876: All keys declined by server, disabling method.
debug: SshProtoAuthClient/sshauthc.c:317: Method 'publickey' disabled.
debug: server offers auth methods 'publickey,password,keyboard-interactive'.
debug: Ssh2AuthPasswdClient/authc-passwd.c:247: Starting password query...
root's password:

Nothing has changed with server_a or server_b. We use the same keys to distribute to other servers to enable "trusted root", and it has worked great until we got the release of SSH that server_c is using. I don't think it is a permissions problem as the perms are the same on the working and non-working.

Has anyone else experienced this situation? If so, what advice can you give on this?

Thanks, and best regards,

Jamie
"If hindsight is 20/20, why don't more people use their rearview mirrors?" - James (Jamie) A. Dennis, 1998
7 REPLIES
Ganesan R
Honored Contributor
Solution

Re: Differences between SSH versions on HP-UX 11iv2

Hi,

Though you confirmed it is not a permission issue, is there any chance the SSH version changed the existing permissions?

Could you verify the following permissions?

Home directory should have 755 permission (user's home directory)
$HOME/.ssh directory should have 700 permission
$HOME/.ssh/authorized_keys file should have 600 permission
Best wishes,

Ganesh.
Steven E. Protter
Exalted Contributor

Re: Differences between SSH versions on HP-UX 11iv2

Shalom,

These problems are typically ownership/permission issues on the configuration files in .ssh directory or the directory itself.

The following document contains the information you need to correct this:
http://www.hpux.ws/?p=10

I have never used the third party server you also tried, because openssh (HP calls it secure shell) has always worked just fine for me.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Jamie A Dennis
Frequent Advisor

Re: Differences between SSH versions on HP-UX 11iv2

As I mentioned in my post, the permissions are the same on both the working and non-working servers, so I don't think this is a permissions issue. I believe it to be a problem with ssh version: HP-UX Secure Shell-A.05.00.022, HP-UX Secure Shell version. All servers which are having this issue are using this version, all others are working fine.
"If hindsight is 20/20, why don't more people use their rearview mirrors?" - James (Jamie) A. Dennis, 1998
Ivan Krastev
Honored Contributor

Re: Differences between SSH versions on HP-UX 11iv2

Check sshd_config files for the key authentication methods. See in log:
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:876: All keys declined by server, disabling method.
debug: SshProtoAuthClient/sshauthc.c:317: Method 'publickey' disabled.


regards,
ivan
Ivan Krastev
Honored Contributor

Re: Differences between SSH versions on HP-UX 11iv2

And see this in the release notes here - http://docs.hp.com/en/T1471-90032/ch01s06.html

HP-UX Secure Shell user authentication using public-key fails in a server environment if UsePAM is set to YES and pam.conf is set to PAM_LDAP.

Workaround: HP recommends the PAM_AUTHZ mechanism for HP-UX Secure Shell environments that use public-key authentication with PAM_LDAP-based account management.

regards,
ivan

Jamie A Dennis
Frequent Advisor

Re: Differences between SSH versions on HP-UX 11iv2

Ok, I sit corrected. Ganesan, you had the right solution, and Steven, you were correct as well.

My apologies for doubting the solution. I was so focused on the .ssh2 directory permissions and the files themselves that I overlooked item 1 on your list.

1. Home directory should have 755 permission (user's home directory)
2. $HOME/.ssh directory should have 700 permission
3. $HOME/.ssh/authorized_keys file should have 600 permission

The KEY item in your solution was the user's home directory. I changed it to 755 (with NO other changes) and ssh worked from my jump server to server_c. I changed the perms back to 775, and it failed.

I'm a little puzzled as to why that item is the key to the entire solution, especially when you can see in the debug that it adds the files to the list of candidates, but then fails due to permissions on the user's home directory. But what the heck, a solution is a solution.
"If hindsight is 20/20, why don't more people use their rearview mirrors?" - James (Jamie) A. Dennis, 1998
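
Editor's added example (not part of any post in this thread): the candidate list in the -vvv output is built by the client from its own key files, while the rejection happens on the target, where OpenSSH's sshd with StrictModes enabled (the default) refuses an authorized_keys file if it, $HOME/.ssh or the home directory is writable by group or other. The script below checks those three paths on the target; the function name check_key_path is an assumption of this example, it reads modes from ls -ld because HP-UX has no stat(1), and it does not check ownership, which sshd also verifies.

```shell
#!/bin/sh
# Added example: report group/other-writable entries on the path that
# sshd walks before it will trust a user's authorized_keys file.

# check_key_path HOME_DIR
#   Prints one line per path; returns 0 only if every path exists and
#   none is writable by group or other (mode & 022 == 0).
check_key_path() {
    home=$1
    bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        # First 10 characters of ls -ld are the type and permission bits,
        # e.g. drwxrwxr-x; trailing ACL markers are cut off.
        perms=$(ls -ld "$p" 2>/dev/null | cut -c1-10)
        if [ -z "$perms" ]; then
            echo "MISSING  $p"
            bad=1
            continue
        fi
        case "$perms" in
            # character 6 = group write, character 9 = other write
            ?????w????|????????w?)
                echo "LOOSE    $perms $p"
                bad=1
                ;;
            *)
                echo "ok       $perms $p"
                ;;
        esac
    done
    return $bad
}

# Run as: sh check_key_path.sh /home/someuser   (path is a placeholder)
if [ $# -gt 0 ]; then
    check_key_path "$1"
fi
```

A home directory at 775 is reported as LOOSE and the function returns non-zero; at 755 with .ssh at 700 and authorized_keys at 600 all three lines read ok.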
Jamie A Dennis
Frequent Advisor

Re: Differences between SSH versions on HP-UX 11iv2

Thanks to all who answered this thread. Cheers!
"If hindsight is 20/20, why don't more people use their rearview mirrors?" - James (Jamie) A. Dennis, 1998