[BBLISA] SSH2 to OpenSSH authentication
Stephen Revilak
srevilak at speakeasy.net
Tue Feb 24 23:30:48 EST 2004
> Date: Tue, 24 Feb 2004 19:41:04 -0500
> From: Betsy Schwartz <betsys at gsd.harvard.edu>
> To: bblisa at bblisa.org
> Subject: [BBLISA] SSH2 to OpenSSH authentication
>
> I'm having trouble getting passwordless authentication to work on SSH2. I'm
> testing on two servers that share an NIS-mounted directory, but it
> ultimately has to work for an offsite user who has SSH2.
>
> a) generated keys on the OpenSSH server with a blank passphrase
> ssh-keygen -t dsa -f ~/.ssh/id_dsa
> copied id_dsa.pub to .ssh/authorized_keys2 (on
> remote server)
> At this point passwordless connection between two OpenSSH servers
> works great
>
> b) generated SSH2-style keys
> ssh-keygen -e -f .ssh/id_dsa.pub > id_dsa_ssh2.pub
> ssh-keygen -e -f .ssh/id_dsa > id_dsa_ssh2
>
> copied id_dsa_ssh2.pub and id_dsa_ssh2 to .ssh2 directory (on remote
> server)
> created .ssh2/authorization file
> containing: ("" "")
> Key id_dsa_ssh2.pub
> created .ssh2/identification file
> containing: ("""")
> IdKey id_dsa_ssh2
>
> OpenSSH->SSH2 works. SSH2->OpenSSH, and SSH2-SSH2 want a password. I've
> played around with running the server on a different port using -ddddd and
> running the client -v.

I had to set up a similar thing once upon a time. I ended up doing
something similar to the steps that you list above. However, instead
of generating openssh keys and converting to ssh2, I only had luck
generating ssh2 keys and converting to openssh. I don't know why that
made a difference, but it did.

FWIW, below are the notes I made. Hopefully they'll work for you as
well.

------------------------------------------------------------------
run ssh-keygen from ssh2. Let's suppose that the identity files were
stored in ~/.ssh2/id_dsa_1024_b (private key) and
~/.ssh2/id_dsa_1024_b.pub (public key)

Create ~/.ssh2/identification with the following:

    IdKey id_dsa_1024_b

Create ~/.ssh2/authorization with the following:

    Key id_dsa_1024_b.pub

    chmod 700 ~/.ssh2
    chmod 600 ~/.ssh2/*

The above takes care of hosts that *don't* use the openssh sshd.
Next, we have to handle the hosts that *do* use the openssh sshd.

    mkdir ~/.ssh
    cd ~/.ssh

convert the IETF SECSH key to an Openssh key

    /usr/local/bin/ssh-keygen -i > id_dsa
    # openssh ssh-keygen
    # enter ../.ssh2/id_dsa_1024_b when prompted

Now generate a public key for the openssh key

    /usr/local/bin/ssh-keygen -y > id_dsa.pub
    # enter ./id_dsa when prompted

Now make the key authorized

    cat id_dsa.pub >> authorized_keys2

    chmod 700 ~/.ssh
    chmod 600 ~/.ssh/*
------------------------------------------------------------------
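
An added example, not part of the original post and not either poster's code: a small Python check of an ~/.ssh2 layout like the one in the notes above, reporting loose permissions, missing control files, key files that are listed but absent, and a Key entry pointing at a file that is not in SSH2 (SECSH) public-key format. The function names, the case-insensitive keyword match and the sample layout written by build_sample are assumptions made for the example; the key bodies are constructed placeholders.

```python
import os
import stat

SECSH_PUB = "---- BEGIN SSH2 PUBLIC KEY ----"  # first line of an SSH2 public key

def _loose(path):
    """True if group or other have any access to path."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

def _entries(path, keyword):
    """Names from '<keyword> <name>' lines (keyword case ignored: an assumption)."""
    with open(path) as fh:
        rows = [line.split() for line in fh]
    return [r[1] for r in rows if len(r) == 2 and r[0].lower() == keyword.lower()]

def audit_ssh2_dir(ssh2_dir):
    """Return a list of problems found in an ~/.ssh2-style directory."""
    problems = ["directory: group/other access (want 700)"] if _loose(ssh2_dir) else []
    for fname, keyword in (("identification", "IdKey"), ("authorization", "Key")):
        path = os.path.join(ssh2_dir, fname)
        if not os.path.isfile(path):
            problems.append(f"{fname}: missing")
            continue
        for name in _entries(path, keyword):
            key = os.path.join(ssh2_dir, name)
            if not os.path.isfile(key):
                problems.append(f"{fname}: {keyword} {name} not found")
                continue
            if _loose(key):
                problems.append(f"{name}: group/other access (want 600)")
            if keyword == "Key":
                with open(key) as fh:
                    if fh.readline().strip() != SECSH_PUB:
                        problems.append(f"{name}: not an SSH2-format public key")
    return problems

def build_sample(root, ident_file="identification", pub_first_line=SECSH_PUB):
    """Write a constructed ~/.ssh2 layout (placeholder key bodies) under root."""
    files = {
        ident_file: "IdKey id_dsa_1024_b\n",
        "authorization": "Key id_dsa_1024_b.pub\n",
        "id_dsa_1024_b": "constructed placeholder, not a real private key\n",
        "id_dsa_1024_b.pub": pub_first_line + "\nconstructed placeholder\n",
    }
    os.chmod(root, 0o700)
    for name, body in files.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
        os.chmod(os.path.join(root, name), 0o600)
```

Run audit_ssh2_dir(os.path.expanduser("~/.ssh2")) as the account that is still being asked for a password; an empty list means none of these layout problems were found.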