Re: ssh from HP-UX to windows 2000 server asking for password

tom quach_1 · ‎03-26-2007

Hi All,

i've tried to configure ssh from HP-UX 11.11 to connect to windows 2000 server with passwordless but unsuccessful.
in windows 2000 i have a free openssh installed.
i did run this command from windows
keygen -t rsa
and append this id_rsa.pub to the file authorized_keys on HP-UX server,
but it was always asking for the password and would let me connected to windows 2000 sewrver with a password.

Please advice as how i can solve this problem.
if this can not be done. how can i add the password using script when it prompts for a password.

Thanks in advance.
Tom

Steven Schweda · ‎03-26-2007

Have you installed the required key file(s)
on the Windows system?

Output from "ssh -v [...]" might be helpful.

Peter Nikitka · ‎03-26-2007

Hi,

to achive a passwordless connection from HP-UX to your win2000 server you'll have to exchange the keys the other way round:
append the id_rsa.pub of your HP server into the authorized_keys of your PC!

mfG Peter

The Universe is a pretty big place, it's bigger than anything anyone has ever dreamed of before. So if it's just us, seems like an awful waste of space, right? Jodie Foster in "Contact"

tom quach_1 · ‎03-26-2007

Hi Steven,
what key file(s) are we talking about here.
the windows 2000 server has openssh installed as ssh server.

Peter-i did try your method but it still asking for a password.
from HP-UX :
$ssh-keygen -t rsa and copied the id_rsa.pub
to windows 2000 server under .ssh folder and rename it to 'authorized_keys'
my HP-UX is a client and windows 2000 server is a ssh server.
--DO I NEED TO CREATE PRIVATE KEY?
THANKS IN ADVANCE.
TOM

HERE IS THE DEBUG FILE
$ssh -v sundc3
OpenSSH_3.9, OpenSSL 0.9.7d 17 Mar 2004
HP-UX Secure Shell-A.03.91.002, HP-UX Secure Shell version
debug1: Reading configuration data /opt/ssh/etc/ssh_config
debug1: Connecting to sundc3 [10.10.2.23] port 22.
debug1: Connection established.
debug1: identity file /home/batchus/.ssh/id_rsa type 1
debug1: identity file /home/batchus/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8.1p1
debug1: match: OpenSSH_3.8.1p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.9
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'sundc3' is known and matches the RSA host key.
debug1: Found key in /home/batchus/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received

****USAGE WARNING****

This is a private computer system. This computer system, including all
related equipment, networks, and network devices (specifically including
Internet access) are provided only for authorized use. This computer system
may be monitored for all lawful purposes, including to ensure that its use
is authorized, for management of the system, to facilitate protection against
unauthorized access, and to verify security procedures, survivability, and
operational security. Monitoring includes active attacks by authorized entities
to test or verify the security of this system. During monitoring, information
may be examined, recorded, copied and used for authorized purposes. All
information, including personal information, placed or sent over this system
may be monitored.

Use of this computer system, authorized or unauthorized, constitutes consent
to monitoring of this system. Unauthorized use may subject you to criminal
prosecution. Evidence of unauthorized use collected during monitoring may be
used for administrative, criminal, or other adverse action. Use of this system
constitutes consent to monitoring for these purposes.

debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /home/batchus/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /home/batchus/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
batchus@sundc3's password:
Connection closed by 10.10.2.23
sunuxdev:[batchus]:/home/batchus
$ssh -v sundc3
OpenSSH_3.9, OpenSSL 0.9.7d 17 Mar 2004
HP-UX Secure Shell-A.03.91.002, HP-UX Secure Shell version
debug1: Reading configuration data /opt/ssh/etc/ssh_config
debug1: Connecting to sundc3 [10.10.2.23] port 22.
debug1: Connection established.
debug1: identity file /home/batchus/.ssh/id_rsa type 1
debug1: identity file /home/batchus/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8.1p1
debug1: match: OpenSSH_3.8.1p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.9
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'sundc3' is known and matches the RSA host key.
debug1: Found key in /home/batchus/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received

****USAGE WARNING****

This is a private computer system. This computer system, including all
related equipment, networks, and network devices (specifically including
Internet access) are provided only for authorized use. This computer system
may be monitored for all lawful purposes, including to ensure that its use
is authorized, for management of the system, to facilitate protection against
unauthorized access, and to verify security procedures, survivability, and
operational security. Monitoring includes active attacks by authorized entities
to test or verify the security of this system. During monitoring, information
may be examined, recorded, copied and used for authorized purposes. All
information, including personal information, placed or sent over this system
may be monitored.

Use of this computer system, authorized or unauthorized, constitutes consent
to monitoring of this system. Unauthorized use may subject you to criminal
prosecution. Evidence of unauthorized use collected during monitoring may be
used for administrative, criminal, or other adverse action. Use of this system
constitutes consent to monitoring for these purposes.

debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /home/batchus/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /home/batchus/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
batchus@sundc3's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
Last login: Mon Mar 26 13:14:47 2007 from 10.10.4.19
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings>

Steven Schweda · ‎03-26-2007

> debug1: Next authentication method: password

That's where it has tried (and gotten
rejections for) both your key-pairs.

As Peter Nikitka said, you need the private
key on the system where you're sitting, and
the corresponding public key on the system
to which you're trying to connect. If the
mystery is where to put the (public) key
file(s) on the Windows system, then I should
be entirely useless from here on out.

Presumably, if it's OpenSSH on the Windows
side, at least the key file formats should be
the same (or so I'd hope).

Rasheed Tamton · ‎03-26-2007

Hi Tom,

You have to do vice versa. You have to generate the keys from hp-ux box and add the public (.pub) key on the windows server, if you want to login from hp-ux to windows.

With your current setup as you mentioned (if everything is ok such as the permissions, etc.) you would be able to ssh from windows to hp-ux.

Regards,
Rasheed Tamton.

tom quach_1 · ‎03-26-2007

Thanks steven & Rasheed

do i need to run from hp-ux both these command
$ssh-genkey -t rsa
$ssh-genkey -t dsa

and copy the id_rsa.pub to windows2000 server and rename it to authorized_keys.

i did generate the key from hp-ux as is_rsa.pub
and copied it to windows and rename it to authorized_keys but still asking for the password.
Please advice.
TOm

Rasheed Tamton · ‎03-26-2007

Hi Tom,

It is enough to run one command (rsa).
You have to put the pub key under the .ssh or .ssh2 dir (depending on your ssh version).

chmod 644 authorized_keys

Permissions are also important and ssh is sensitive with it.

Also check your authorization file name on windows side - may be it should be authorized_keys2 or authorization , etc.

Check the sshd_config file whether this and any related items are commented out.
If so, uncomment and restart the sshd service on windows box.

Regards,
Rasheed Tamton.

tom quach_1 · ‎03-30-2007

Thanks for your help,

it does not matter which way i put in the keys,
it always ask for the password and this password is windows password.
Is there a way for me to put the password in a script when do ssh.

Thanks,
Tom

Court Campbell · ‎03-30-2007

Tom,

where to begin? as mentioned earlier you only need to create one public key private key pair. the private key is for you and you only. the public key is for every other machine that you want to logon to password-less. During the key creation process you are usually asked to provide a passphrase for the key. if you put a passphrase you will have to enter that passphrase when you want to ssh to other boxes. if you leave it blank you will just be logged in. you should create a passphrase in my opinion. the benefit is that the passphrase will never change, but your winodws password may change depending on how your passowrd security model is setup.

once you have the public key you need to put it in either the .ssh/authorized_key or .ssh/authorized_key2 file. As mentioned above it depends on what is defined in your sshd_config file. Not sure where that is located on the openssh version ported to windows.

lastly, i would suggest logging into your windows server with a password. then find out what directory tou are in. I mean are you dropped under your home directory under c:\documnets and settings, or are you just placed under c:\. that is most likely where you need to create a directory name .ssh and create the authorized keys file.

also on your hp-ux box you should have your private key named id_rsa and located under $HOME/.ssh/. this is the default. but you could use the -i option to the ssh command and put the path to your private key.

Anyway I hope that helps.

"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"

Bill Hassell · ‎03-30-2007

The original description of the problem is ssh from windows to HP-UX, so the only step on the HP side is to append the key generated on the windows side to the HP-UX side. First, appending the public key sounds very simple but it is often corrupted by the append steps. The authorized_keys file MUST be 600 permission, owned by the user. Then, each key is exactly one line long. Unfortunately, editing programs like vi attempt to fold long lines, as well as other text display programs. In vi, turn off auto-indent and word-wrap with :set noai wm=0

Then paste the text into the authorized_keys file. The file must have exactly one line for every key. Use wc -l to count the lines. Make sure you are pasting the public key, not the private key. Some keygen code on PCs is very low on docs and explanations.

Then the ssh command from windows will need a user name for the HP-UX side

Bill Hassell, sysadmin

tom quach_1 · ‎03-30-2007

Thanks Bill for the reply,

But my probem is ssh from HP-UX to windows.
i did generated a public key from HP-UX and pasted into .ssh/authorized_keys in windows
but still asking for pasword.
so now my question:
does anyone know the syntax to put password in a script.

ssh -l tom windows_server
this line will prompt for a password.
how can i make it read a password from a file and connect me to windows server.

Thank you,
Tom

Steven Schweda · ‎03-30-2007

I don't suppose that you've tried generating
a set of key files on the Windows system, and
comparing them with the files you copied over
from the HP-UX system. It might be
educational.

Without being able to see your files, how you
created them, where you put them, and so on,
it's difficult to guess what's going wrong.

Rasheed Tamton · ‎03-30-2007

Hi Tom,

It is unfortunate that it still not solved. Can you clarify your setup there. Are you using a pure windows ssh or do you use openssh on cygwin.

We all are using ssh to access win-to-unix and unix-to-win for years. So somewhere something is wrong.

You have to make sure that you put the authorized_keys file in the correct homedir/.ssh of the user on the windows box. Get the .pub key from the hp-ux box and add it on the authroized_keys file on windows.

Normally the authorized_keys file will be c:\Documents and Settings\tom\.ssh or \home\tom\.ssh on windows as per your setup.

How about do the following:
Do the below on the windows box only
1. Recreate a new authorized_keys file again (and paste the .pub key from the hp-ux box from the home dir/.ssh of the hp-ux user)
2. check the permission of the files/dir
cat authorized_file (tom@hp-uxbox will be the last word of the authorized_keys file on windows box)

Do ssh -v -l tom windowsbox -- from hp-ux

if does not work,
Do again on windows box
1.cat id_rsa.pub >> authorized_keys (we are trying to do the passwordless from win to win to test )
2. ssh -v -l tom localhost
3. ssh -v -l tom windowsbox

Please let us know the result.

Regards,
Rasheed Tamton.

Rasheed Tamton · ‎03-30-2007

Hi Tom,

Please see the link.

http://www.askdavetaylor.com/automating_ssh_with_a_shell_script.html

Regards,
Rasheed Tamton.

tom quach_1 · ‎04-02-2007

Thank you for your helps.

i did try generating public key from windows and copied the public key to authorized_keys under
c:\documents and settings\tom\.ssh
then ssh to itself.

c:\ssh -l tom sundc3
and it connected without a password.
but when generate the key from UNIX and copied to to authorized_keys on windows.
and connecting from UNIX to windows. It always asking for a password.
just to mention that from windows side, when created password and group, I selected local user.

Thanks in advance.
Tom

Rasheed Tamton · ‎04-03-2007

>just to mention that from windows side, when created password and group, I selected local user.

After WinNT's age, I have not administered a single windows box. Are there any local policies on Win box that will prevent this. If so, just disable the policies.

I am just trying to troubleshoot by using different methods:

Verify that ssh from hp-ux to hp-ux box by the same method you tried above on the windows.

On hp-ux box:
cat id_rsa.pub >> authorized_keys
(use the id_ras.pub of the same hp box on the same box)

Then
ssh -v -l tom hp-ux

Regards,
Rasheed Tamton.

tom quach_1 · ‎04-04-2007

Thanks Rasheed,

i gave up on the Openssh and downloaded the trial version from Sysax and it works well.
will buy this one it costs only less than hundred dollars but saves me lot of time.

Thank you,
Tom

tom quach_1 · ‎04-04-2007

Thank you all for your helps!
Tom

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: ssh from HP-UX to windows 2000 server asking for password

ssh from HP-UX to windows 2000 server asking for password