HPE Community
Operating System - HP-UX
1819901 Members
2621 Online
109607 Solutions
New Discussion юеВ

Re: SSH1 (openssh) to SSH2 (f-Secure) - PKI?

 
SOLVED
Go to solution
Tony Walker_2
Frequent Advisor

тАО05-15-2005 11:24 PM

тАО05-15-2005 11:24 PM

SSH1 (openssh) to SSH2 (f-Secure) - PKI?

Hi Guys,

I have 2 servers. 1 with the HP SSH tool (openssh) and one with the f-secure version. I can get PK logins from the ssh1 to ssh2 by generating my key, running ssh-keygen -e -f public.key and then importing this onto the ssh2 server. However, I cannot do the opposite to allow ssh2 to connect to ssh1 with the same conversion process. Anyone have any ideas - can this be done?

Cheers,

Tony
0 Kudos
Reply
9 REPLIES 9
Denver Osborn
Honored Contributor

тАО05-16-2005 01:42 AM

тАО05-16-2005 01:42 AM

Re: SSH1 (openssh) to SSH2 (f-Secure) - PKI?

I've come across this once before where a customer was using fsecure and connecting to our boxes w/ openssh. Here's what I did to solve the problem...

I used ssh-keygen on the target box (openssh) to convert their pub-key from SSH to OpenSSH. This will add any new public keys to the authorized_keys file:

# ssh-keygen -f the_fsecure_id.pub -i >> .ssh/authorized_keys


Once this was done, my customer was able to connect using pubkey authentication.

Hope this helps,
-denver
Reply
Tony Walker_2
Frequent Advisor

тАО05-16-2005 02:21 AM

тАО05-16-2005 02:21 AM

Re: SSH1 (openssh) to SSH2 (f-Secure) - PKI?

Thanks Denver. Although I had tried this conversion previously, the SSH2 server seems to have a requirement that its own public key must be loaded into an ssh-agent. Now I can get it to work. If you can advise a way of doing this without an agent I'd be grateful. I've got a feeling its something to do with the identification file...

Cheers,

Tony
0 Kudos
Reply
Denver Osborn
Honored Contributor

тАО05-16-2005 02:40 AM

тАО05-16-2005 02:40 AM

Re: SSH1 (openssh) to SSH2 (f-Secure) - PKI?

What happens if you use "ssh -vvv -i ~/.ssh/your_id_file hostname" instead of the ssh-agent?

It might also help if you could post the "ssh -vvv" debug output for these problems you're seeing.

-denver
0 Kudos
Reply
Tony Walker_2
Frequent Advisor

тАО05-16-2005 02:44 AM

тАО05-16-2005 02:44 AM

Re: SSH1 (openssh) to SSH2 (f-Secure) - PKI?

Denver - what details should be included in my your_id_file??
0 Kudos
Reply
Tony Walker_2
Frequent Advisor

тАО05-16-2005 02:47 AM

тАО05-16-2005 02:47 AM

Re: SSH1 (openssh) to SSH2 (f-Secure) - PKI?

This is the output of ssh -vvv ssh1 host (without the agent running). It was the reference in this output to an agent which prompted me to try it in the first place..

debug: Connecting to bskysxe, port 22... (SOCKS not used)
debug: Ssh2Transport/trcommon.c:3753: My version: SSH-1.99-3.2.9 F-SECURE SSH 3.3.0
debug: client supports 3 auth methods: 'publickey,keyboard-interactive,password'
debug: Ssh2Common/sshcommon.c:587: local ip = 192.168.3.14, local port = 49751
debug: Ssh2Common/sshcommon.c:589: remote ip = 172.20.115.225, remote port = 22
debug: SshConnection/sshconn.c:1945: Wrapping...
debug: SshReadLine/sshreadline.c:2185: Initializing ReadLine...
debug: Remote version: SSH-2.0-OpenSSH_3.8
debug: OpenSSH: Major: 3 Minor: 8 Revision: 0
debug: Ssh2Transport/trcommon.c:972: All versions of OpenSSH handle kex guesses incorrectly.
debug: Ssh2Transport/trcommon.c:1376: lang s to c: `', lang c to s: `'
debug: Ssh2Transport/trcommon.c:1441: c_to_s: cipher aes128-cbc, mac hmac-sha1, compression none
debug: Ssh2Transport/trcommon.c:1444: s_to_c: cipher aes128-cbc, mac hmac-sha1, compression none
debug: Remote host key found from database.
debug: Ssh2Common/sshcommon.c:379: Received SSH_CROSS_STARTUP packet from connection protocol.
debug: Ssh2Common/sshcommon.c:429: Received SSH_CROSS_ALGORITHMS packet from connection protocol.
debug: server offers auth methods 'publickey,password,keyboard-interactive'.
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:1818: Starting pubkey auth...
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:1775: Agent is not running.
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:1573: Got 0 keys from the agent.
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:1689: adding keyfile "/home/user/.ssh2/user@host" to candidates
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:1553: Trying 1 key candidates.
debug: server offers auth methods 'publickey,password,keyboard-interactive'.
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:998: All keys declined by server, disabling method.
debug: Ssh2AuthClient/sshauthc.c:318: Method 'publickey' disabled.
debug: server offers auth methods 'publickey,password,keyboard-interactive'.
debug: Ssh2AuthKbdInteractiveClient/authc-kbd-interactive.c:342: Starting kbd-int auth...
Keyboard-interactive:
Password:
Received signal 2. (no core)
0 Kudos
Reply
Denver Osborn
Honored Contributor

тАО05-16-2005 03:05 AM

тАО05-16-2005 03:05 AM

Re: SSH1 (openssh) to SSH2 (f-Secure) - PKI?

The debug output shows

"All keys declined by server, disabling method.
debug: Ssh2AuthClient/sshauthc.c:318: Method 'publickey' disabled."


So that's telling us whatever pub keys it's presenting the target, aren't in the targets authorized_keys file. Too bad I'm not more familiar w/ F-Secure's SSH... but w/ OpenSSH the -i option can be used to specify the pub_key to use for authentication. Refer the man ssh on the f-secure box to checkout the syntax to see what options are used to specify identity file. w/ OpenSSH pub keys can also be added to the user's ~/.ssh/ssh_config file so they don't have to use the -i option for pubkeys. man ssh_config for details.

-denver
0 Kudos
Reply
Tony Walker_2
Frequent Advisor

тАО05-17-2005 07:20 PM

тАО05-17-2005 07:20 PM

Re: SSH1 (openssh) to SSH2 (f-Secure) - PKI?

Thanks for your efforts Denver. As I can't afford to spend more time on this one I've stuck with the ssh-agent solution.

Cheers,

Tony
0 Kudos
Reply
Howard Palmer
Advisor

тАО07-17-2005 10:58 PM

тАО07-17-2005 10:58 PM

Solution

Re: SSH1 (openssh) to SSH2 (f-Secure) - PKI?

I had the same problem, the way to do it is to generate keys on both boxes as in the attached file
GTCI
Reply
Tony Walker_2
Frequent Advisor

тАО07-18-2005 06:58 PM

тАО07-18-2005 06:58 PM

Re: SSH1 (openssh) to SSH2 (f-Secure) - PKI?

Howard, thanks for the update. I managed to work this out a while ago and retained the .ssh2 directory structure on the F-secure server. Nice to have the procedure down though.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.