HPE Community
Operating System - HP-UX
1753808 Members
7660 Online
108805 Solutions
New Discussion

Questions regarding SFTP and SSH certificates

 
SOLVED
Go to solution
Paul Maglinger
Regular Advisor

‎08-10-2011 01:09 PM

‎08-10-2011 01:09 PM

Questions regarding SFTP and SSH certificates

I'm running into what I see to be a mess with SFTP to another company.  We want to be able to use SFTP without authentication, so I created public keys and sent those over to them.  Everything worked for awhile and then stopped.  It began asking for a password again and the other company asked that I resend the public keys.  I did, but it made no difference.  It's still prompting for password.  Searching around, I found reference where I could delete the entry from the known_hosts file and it would prompt for the key again.  The trouble is that there are more than one entries in the known_hosts file and I don't see a way to determine which is the offending entry.  I have thought about generating another key, but don't understand if the new key would be the same as the old one, or completely different.  My fear is that if I generate another key that the other SFTP sites that we are using would stop working.  Can someone shed some light on SSH certificates and SFTP?

0 Kudos
Reply
17 REPLIES 17
Jeff_Traigle
Honored Contributor

‎08-10-2011 02:28 PM

‎08-10-2011 02:28 PM

Re: Questions regarding SFTP and SSH certificates

The key that is inserted in known_hosts is the host key. From the description you've given, that doesn't appear to be the problem. It sounds like a server-side issue. They've done any number of things that could result in the key authentication failure, reverting back to keyboard-interactive. Permissions could be too lax on the .ssh directory or on the authorized_keys file... they could have changed the configuration to look for authorized keys in a different file than where they are saving the keys... they could have disabled public key authentication entirely in sshd_config...

 

Some clues might be obtained by getting verbose output from sftp with the -v option.

--
Jeff Traigle
Reply
Steven Schweda
Honored Contributor

‎08-10-2011 08:35 PM

‎08-10-2011 08:35 PM

Re: Questions regarding SFTP and SSH certificates

 
0 Kudos
Reply
Paul Maglinger
Regular Advisor

‎08-11-2011 07:20 AM

‎08-11-2011 07:20 AM

Re: Questions regarding SFTP and SSH certificates

-v gives the following:

 

(server:myuser)[/user01/myuser] sftp -v mycompany@ftp.theircompany.com
Connecting to ftp.theircompany.com...
OpenSSH_4.5p1+sftpfilecontrol-v1.1-hpn12v14, OpenSSL 0.9.7l 28 Sep 2006
HP-UX Secure Shell-A.04.50.021, HP-UX Secure Shell version
debug1: Reading configuration data /opt/ssh/etc/ssh_config
debug1: Connecting to ftp.theircompany.com [###.###.###.###] port 22.
debug1: Connection established.
debug1: identity file /user01/myuser/.ssh/id_rsa type 1
debug1: identity file /user01/myuser/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2
debug1: match: OpenSSH_5.2 pat OpenSSH*
debug1: Remote is NON-HPN aware
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.5p1+sftpfilecontrol-v1.1-hpn12v14
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'ftp.theircompany.com' is known and matches the RSA host key.
debug1: Found key in /user01/myuser/.ssh/known_hosts:19
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /user01/myuser/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug1: Offering public key: /user01/myuser/.ssh/id_dsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password:

 

So what I'm seeing is that it's trying the id_rsa.pub key, then the id_dsa.pub key, and both of them failing then asking for the password from the keyboard?  I have resent those keys to them, but this still fails.  So it's a problem on their side, correct?

0 Kudos
Reply
boukari
Frequent Advisor

‎08-11-2011 09:35 AM - edited ‎08-11-2011 09:57 AM

‎08-11-2011 09:35 AM - edited ‎08-11-2011 09:57 AM

Re: Questions regarding SFTP and SSH certificates

Hello,

Do you using ' Passphrase ' when u creating the ssh key ?

generally , when we use passphrase, even authentification succeed u need anytime to type passphrase to access.

 

for more information take a look in attached doc .

automated SFTP

Regards,

 

BCS SW/HW GSC Engineer (L1)
IEEE Student Member
LPI 3 CORE & High Availability
VCP Vshpere 5 Datacenter
Novell CLA and Data Center specialist Certified
.....
Microsoft Partner & Microsoft student Partner
0 Kudos
Reply
Paul Maglinger
Regular Advisor

‎08-11-2011 12:34 PM

‎08-11-2011 12:34 PM

Re: Questions regarding SFTP and SSH certificates

No passphrase was used in the generation of these keys.

0 Kudos
Reply
Steven Schweda
Honored Contributor

‎08-11-2011 07:48 PM

‎08-11-2011 07:48 PM

Re: Questions regarding SFTP and SSH certificates

 
Reply
Paul Maglinger
Regular Advisor

‎08-12-2011 07:25 AM

‎08-12-2011 07:25 AM

Re: Questions regarding SFTP and SSH certificates

Yep.  Sent both files to them.  So...  If I generate new keys on my end they will be different that the first keys, or is key generation based on some system constant and will be the same as the first?

0 Kudos
Reply
Patrick Wallek
Honored Contributor

‎08-12-2011 08:14 AM

‎08-12-2011 08:14 AM

Re: Questions regarding SFTP and SSH certificates

Have them check the logs on the remote system.  That should also provide some clues.  From what has been described, I don't think the problem is with your keys.

Reply
Steven Schweda
Honored Contributor

‎08-12-2011 10:53 AM

‎08-12-2011 10:53 AM

Re: Questions regarding SFTP and SSH certificates

 
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.