HPE Community
Operating System - HP-UX
1820592 Members
1725 Online
109626 Solutions
New Discussion юеВ

OpenSSH guru needed for HPUX to Windows sftp

 
Rita C Workman
Honored Contributor

тАО04-29-2009 09:08 AM

тАО04-29-2009 09:08 AM

OpenSSH guru needed for HPUX to Windows sftp

Second time typing this...
It is one thing to do SSH for HPUX-2-HPUX, another for HPUX-2-Windows.

Me, the HPUX client.
Them, the Windows server running GlobalScale SFTP software, that says it accepts OpenSSH code.

I managed to finally get it to update my accounts known_host file. But I can't seem to get it past that.
They provided me with public & private keys. Have tried both rsa and dsa. Here is the latest debug log, you will note that it DEMANDS the passphrase and password. And yes, they even gave me them. But on keying it - it still fails. Take a look:
===================================
ebug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/brickstr/./.ssh/id_rsa (00000000)
debug2: key: /home/brickstr/./.ssh/id_dsa (00000000)
debug3: input_userauth_banner
GlobalSCAPE Secure FTP Server (v. 3.2)debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/brickstr/./.ssh/id_rsa
debug3: no such identity: /home/brickstr/./.ssh/id_rsa
debug1: Trying private key: /home/brickstr/./.ssh/id_dsa
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type Enter passphrase for key '/home/brickstr/./.ssh/id_dsa':
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type
debug2: bad passphrase given, try again...
Enter passphrase for key '/home/brickstr/./.ssh/id_dsa':
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type
debug2: bad passphrase given, try again...
Enter passphrase for key '/home/brickstr/./.ssh/id_dsa':
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type
debug2: bad passphrase given, try again...
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password brickstr@securetransfer.tymetrix360.com's password:
debug3: packet_send2: adding 48 (len 61 padlen 19 extra_pad 64)
debug2: we sent a password packet, wait for reply Authenticated with partial success.
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug1: No more authentication methods to try.
Permission denied (publickey).
Connection closed
$
======================================
I would greatly appreciate any thoughts or ideas anyone might have on this.

Thanks,
Rita
0 Kudos
18 REPLIES 18
Steven Schweda
Honored Contributor

тАО04-29-2009 10:40 AM

тАО04-29-2009 10:40 AM

Re: OpenSSH guru needed for HPUX to Windows sftp

> OpenSSH guru needed [...]

Until you find one...

_Which_ HP-UX? "uname -a"? "ssh -V"? Or
were you looking for a _psychic_ guru?

> Take a look:

And what would I be looking at?

> They provided me with public & private keys.

I can't see them. Do they have the same
format as keys you've created on HP-UX?

There are two popular key file formats,
OpenSSH and SSH2. They differ.

> debug3: no such identity: /home/brickstr/./.ssh/id_rsa

I gather that that one's not there. With my
weak psychic powers, I can't see what's in
your "~/.ssh" directory, either.

> debug1: Trying private key: /home/brickstr/./.ssh/id_dsa
> debug1: PEM_read_PrivateKey failed

That looks bad. If you do the same sort of
SSH command to a working HP-UX system, does
it do that? Around here (guessing that you
tried "ssh -v [...]"), I see things more like
this:

[...]
debug1: Trying private key: /root/.ssh/id_dsa
debug1: read PEM private key done: type DSA
debug1: Authentication succeeded (publickey).
[...]

This suggests a problem with the "id_dsa" key
file. No bets, but the request for a
passphrase, which, I assume, was not
expected, could be caused by a bad key file
confusing the SSH client.

If you do have SSH2 key files, try "man
ssh-keygen", and look for "-i".

> [...] they even gave me them. [...]

Were you expecting to need either?
0 Kudos
Court Campbell
Honored Contributor

тАО04-29-2009 11:14 AM

тАО04-29-2009 11:14 AM

Re: OpenSSH guru needed for HPUX to Windows sftp

So they gave you a private and public file. Did you put the private key in your .ssh folder. Also what did you name it? And does the windows server have the public key setup for your account. I am not sure that an ssh guru would be what you need. You really need someone who knows the GlobalScale SFTP software. Personally I would have just thrown openssh on the windows box. One issue i can think of ie the format of the key. Openssh and ssh.com have different formats. You may look into that.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
0 Kudos
Court Campbell
Honored Contributor

тАО04-29-2009 11:16 AM

тАО04-29-2009 11:16 AM

Re: OpenSSH guru needed for HPUX to Windows sftp

Are you sure that name is correct? I tried googling GlobalScale SFTP software and only see this thread making that reference in the results.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
0 Kudos
Rita C Workman
Honored Contributor

тАО04-29-2009 11:23 AM

тАО04-29-2009 11:23 AM

Re: OpenSSH guru needed for HPUX to Windows sftp

Hi Steven,

Which HP-UX?
HPUX 11.11, sorry I should know better than doing that.

Take a look?
Your looking at partial of the sft debug output log.

Pub & Priv Keys
They created using their Windows GlobalScape software. I'm guessing SSH2, based on what I've read in some of their site documentation.
>>>Have since discovered if I try to run ssh-keygen -i -f it fails.
But if I run ssh-keygen on it works and populates the authorized_keys file.

And both private and public files were there, it is as though they simply refuse to read, but it does, cause if I change the permissions to something to high - I get a security warning msg regarding the files.
>>>If I leave only the private key, it runs through ignores the file & stops asking for passphrase & password. Which it rejects and disconnects.
If I leave only the public key - it runs through ignores the file & stops and asks only for the password (no passphrase request).
So it's seeing them, not really accepting them (and they provided the keys) and attempting other authentication requests - which it still rejects.

Your right....it doesn't look good to me either.

Any other thoughts.........
Rita
0 Kudos
Rita C Workman
Honored Contributor

тАО04-29-2009 11:24 AM

тАО04-29-2009 11:24 AM

Re: OpenSSH guru needed for HPUX to Windows sftp

See above...typo, it should be GlobalScape

/rcw
0 Kudos
Rita C Workman
Honored Contributor

тАО04-29-2009 11:31 AM

тАО04-29-2009 11:31 AM

Re: OpenSSH guru needed for HPUX to Windows sftp

Court,

Yes I put the keys in the /.ssh directory.

And like I said, it's so much easier when I can control the setup at both sides. Unfortunately, I have been tasked with setting this up for automated transfer (secure and encrypted) to sftp with this company's Windows FTP server. Which is not our box.

/rcw
0 Kudos
Court Campbell
Honored Contributor

тАО04-29-2009 11:33 AM

тАО04-29-2009 11:33 AM

Re: OpenSSH guru needed for HPUX to Windows sftp

If you have access to a windows box you may try downloading puttygen and converting the file to openssh format. Changing the perms on the file would not affect this. Newer versions of openssh check the permissions of the .ssh directory and fail if the perms are not correct.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
0 Kudos
Rita C Workman
Honored Contributor

тАО04-29-2009 11:42 AM

тАО04-29-2009 11:42 AM

Re: OpenSSH guru needed for HPUX to Windows sftp

Court,


I thought the import command of ssh-keygen would read a file in SSH2 format and print an OpenSSH private key.
That is what I was trying to accomplish with the ssh-keygen -i -f >

Now I'm no SSH guru, which is why I posted for better minds to get some help...

Here our Windows PC's are locked down, so I can't just download software without jumping through a couple hoops first.

Let me know,
Thanks,
Rita
0 Kudos
Court Campbell
Honored Contributor

тАО04-29-2009 11:43 AM

тАО04-29-2009 11:43 AM

Re: OpenSSH guru needed for HPUX to Windows sftp

I guess I should be a little more specific. StrictModes is usually on by default anymore. But I am not sure how, or if, that woks with globalscape.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
0 Kudos
Court Campbell
Honored Contributor

тАО04-29-2009 11:50 AM

тАО04-29-2009 11:50 AM

Re: OpenSSH guru needed for HPUX to Windows sftp

I really think this is a key format issue. I would definitely start there first.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
0 Kudos
Rita C Workman
Honored Contributor

тАО04-29-2009 11:51 AM

тАО04-29-2009 11:51 AM

Re: OpenSSH guru needed for HPUX to Windows sftp

Me neither, so I'll pick this up again tomorrow.

Thanks,
Rita

0 Kudos
Court Campbell
Honored Contributor

тАО04-29-2009 12:01 PM

тАО04-29-2009 12:01 PM

Re: OpenSSH guru needed for HPUX to Windows sftp

You may have to have the other company send you an openssh version of the private key.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
0 Kudos
Steven Schweda
Honored Contributor

тАО04-29-2009 12:29 PM

тАО04-29-2009 12:29 PM

Re: OpenSSH guru needed for HPUX to Windows sftp

> That is what I was trying to accomplish
> with the ssh-keygen -i -f
> >

Can't see what was in , can't
see what went into , can't see
what "" really is. Don't know
which (public/private) was.

> [...] it fails.

Don't know what "it" is, can't tell what
"fails" means here.

As usual, showing actual commands with their
actual output can be more helpful than vague
descriptions and interpretations.

Potential clues:

One of my SSH2 key public files includes this
text:

---- BEGIN SSH2 PUBLIC KEY ----
[... multiple 70-character lines ...]
---- END SSH2 PUBLIC KEY ----

A corresponding OpenSSH public key file looks
more like:

ssh-dss [... one long line of stuff ...]

The private key files look more similar, but
still differ.
0 Kudos
Matti_Kurkela
Honored Contributor

тАО04-29-2009 01:19 PM

тАО04-29-2009 01:19 PM

Re: OpenSSH guru needed for HPUX to Windows sftp

The Windows server admins sent you a _private_ key???

It's not supposed to work that way. The theory is that the side that is going to actively establish a connection (apparently you) should create his/her own SSH key pair and send only the _public_ key to the admin of the other side.

Ideally the private key is generated by the user that needs it, on the host where it's needed. The only valid reasons for moving the private key are backups and migration of the user to another server. Certainly your private key should always stay on systems and media that is controlled by you (or your organization).

While there are only two well-known formats for the SSH2 public key and conversion between the two is simple, the private key file format is not so well standardized.
I know of at least three different SSH private key file formats (OpenSSH, ssh.com and PuTTY .ppk) and fully expect that other SSH client authors have invented more formats. Converters between these formats may or may not exist.

You should not waste too much effort in trying to convert the private key file you received into a format that is understandable by OpenSSH. Unless you received the key using some secure transmission method (encrypted email, or hand-delivery) you should regard it as potentially compromised and untrustworthy anyway.

The only obvious use I see for the public key you received is that you can examine it to identify the SSH public key format their software uses. As Steven already described: if the file has multiple lines, it uses ssh.com style key format and you should convert your OpenSSH style public key to that format (with e.g. "ssh-keygen -e -f ~/.ssh/id_rsa.pub > id_rsa_sshcom_format.pub") before sending it.
If their public key is one long line of text, the public key format is OpenSSH and no conversion is necessary.

Instead create your own SSH key pair ("ssh-keygen -t rsa" for a RSA-type keypair, or "ssh-keygen -t dsa" for DSA respectively). If necessary, convert the public key, then send it to the Windows admins to be installed into their system.

MK
MK
0 Kudos
Court Campbell
Honored Contributor

тАО04-30-2009 04:29 AM

тАО04-30-2009 04:29 AM

Re: OpenSSH guru needed for HPUX to Windows sftp

You can't use ssh-keygen to change a ssh.com private key. You really just need to ask the company to send you an openssh formatted key, or create a key yourself and send them and ssh.com formatted public key.

But still if you can get access to a windows machine and use puttygen, you could change it yourself.

http://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter8.html#puttygen-conversions
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
0 Kudos
Steven E. Protter
Exalted Contributor

тАО04-30-2009 04:58 AM

тАО04-30-2009 04:58 AM

Re: OpenSSH guru needed for HPUX to Windows sftp

Shalom Rita,

puttygen creates a key truncated by carriage returns. You need to remove them before the key is useful to permit access to a Unix by ssh key.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Rita C Workman
Honored Contributor

тАО05-01-2009 09:36 AM

тАО05-01-2009 09:36 AM

Re: OpenSSH guru needed for HPUX to Windows sftp

I didn't forget this....I got it working.

Seems that GlobalScape will read OpenSSH, but in the end how the keys were being created from their (Window's) side didn't bode well here. My thought, getting their keys via email (you know ascii) probably corrupted them, and the vendor agreed.

So, all my talking to their staff came to nothing until he heard it by the vendor to basically do what I suggested. [..somewhat annoying when the other side won't listen until he hears it from someone else..]

Anyway, I created the keys on my (yes my HPUX) box, fresh and new with a simple (ssh-keygen -t rsa) and NO passphrase; reset the permissions to 600 for the id_rsa.pub key. Then I sftp'd into their box, using the password they gave me temporarily to get in, and dropped the public key file only.

Came back out, he then changed his side to just be looking for key authentication and I reconnected using sftp and voila I was there on his Windows box - dropped a couple testfiles and came out. All good!

So, without having to do any kind of conversion or import/export, we got it working.

I have a headache now...
Thanks to all and points a coming!
Rita
0 Kudos
Rita C Workman
Honored Contributor

тАО05-01-2009 09:40 AM

тАО05-01-2009 09:40 AM

Re: OpenSSH guru needed for HPUX to Windows sftp

I have assigned points to the many great suggestions given.
Gave anywhere from 2 (for alot of ideas) to 5 for single suggestions.

It's working....so I can finally get some coffee and something for my headache and close this task.

It is so much easier to sftp HPUX-2-HPUX.

Regards to All !!

Thread Closed

Rita
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.