[BBLISA] SSH2 to OpenSSH authentication
Sean Lutner
sean at rentul.net
Wed Feb 25 13:12:09 EST 2004
Overall, there's a lot of variables you've gotta worry about.
But one specific thing that recently bit me in the ass was a "feature" of Sun's SSH (which is based on OpenSSH, btw).
The standard is to use ~/.ssh/authorized_keys for version one keys and ~/.ssh/authorized_keys2 for version two keys, right? Right, at least with OpenSSH.
Sun, in their infinite wisdom, decided to ignore authorized_keys2, and use authorized_keys for all types of auth, v1 or v2. So for going from OpenSSH to a SunSSH box, make sure all your keys are in an authorized_keys file.
Sean
On Tue, Feb 24, 2004 at 07:41:04PM -0500, Betsy Schwartz wrote:
>
> I'm having trouble getting passwordless authentication to work on
> SSH2. I'm testing on two servers that share an NIS-mounted directory,
> but it ultimately has to work for an offsite user who has SSH2.
> a) generated keys on the OpenSSH server with a blank passphrase
> ssh-keygen -t dsa -f ~/.ssh/id_dsa
> copied id_dsa.pub to .ssh/authorized_keys2 (on
> remote server)
> At this point passwordless connection between two OpenSSH servers
> works great
> b) generated SSH2-style keys
> ssh-keygen -e -f .ssh/id_dsa.pub > id_dsa_ssh2.pub
> ssh-keygen -e -f .ssh/id_dsa > id_dsa_ssh2
> copied id_dsa_ssh2.pub and id_dsa_ssh2 to .ssh2 directory (on
> remote server)
> created .ssh2/authorization file
> containing: ("" "")
> Key id_dsa_ssh2.pub
> created .ssh2/identification file
> containing: ("""")
> IdKey id_dsa_ssh2
> OpenSSH->SSH2 works. SSH2->OpenSSH, and SSH2-SSH2 want a password.
> I've played around with running the server on a different port using
> -ddddd and running the client -v.
> Client:
>
> debug: Ssh2Client/sshclient.c:1097/ssh_client_wrap: creating
> userauth protocol
> debug: Ssh2Client/sshclient.c:399/keycheck_key_match: Host key
> found from database.
> debug:
> Ssh2AuthPubKeyClient/authc-pubkey.c:330/ssh_client_auth_pubkey_send
> _signature: Constructing and sending signature...
> debug:
> Ssh2AuthPubKeyClient/authc-pubkey.c:423/ssh_client_auth_pubkey_send
> _signature: ssh_client_auth_pubkey_send_signature: reading
> /home/username/.ssh2/id_dsa_ssh2
> Passphrase for key "/home/username/.ssh2/id_dsa_ssh2" with comment
> "1024-bit DSA, converted from OpenSSH by username at hostname":
>
> Server excerpt:
>
> debug1: trying public key file /home/username/.ssh/authorized_keys2
> debug3: secure_filename: checking '/home/username/.ssh'
> debug3: secure_filename: checking '/home/username'
> debug3: secure_filename: terminating check at '/home/username'
> debug1: matching key found: file
> /home/username/.ssh/authorized_keys2, line 1
> Found matching DSA key: <DSA key appears here>
> debug1: restore_uid: 0/1
> debug3: mm_answer_keyallowed: key 7fac8 is allowed
> debug3: mm_request_send entering: type 21
> debug3: mm_request_receive entering
> debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
> Postponed publickey for username from 128.103.zzz.zzz port 52477
> ssh2
>
> Thanks for any clue bonks
> Betsy
> PS FWIW the OpenSSH box is Solaris 7 and the SSH2 box is Solaris 8.
> I've also got a couple Solaris 9 boxes running Sun SSH. I can go from
> them to OpenSSH but not vice versa.
> PPS: we're getting there with OpenSSH but it's slow going, mainly
> because of SSL. And the box that has to work with this isn't mine.
>
> Betsy Schwartz
> email: betsys at gsd.harvard.edu
> Unix Systems Administrator, CRG
> voice: 617-495-5947
> Harvard Graduate School of Design
> fax: 617-496-5866
--
Sean Lutner | www: http://www.rentul.net
e-mail: sean at rentul.net | gpg: http://www.rentul.net/sean.sig
"Imagination is more important than knowledge." -- Albert Einstein
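Following Sean's advice above (keep every key in authorized_keys, because a server that ignores authorized_keys2 never sees the v2 keys stored there), here is an added shell example that merges authorized_keys2 into authorized_keys without creating duplicate entries and then tightens the permissions that the server's secure_filename checks in Betsy's log are looking at. This is not code from the thread or from any SSH distribution; the helper names merge_authorized_keys and count_keys and the sample key lines are constructed for the example (the base64 blobs are placeholders, not real key material).

```shell
#!/bin/sh
# Added example (not from the thread): consolidate ~/.ssh/authorized_keys2
# into ~/.ssh/authorized_keys for servers that only read authorized_keys.

# merge_authorized_keys DIR
# Appends each key line from DIR/authorized_keys2 that is not already present
# in DIR/authorized_keys. Keys are compared on "type blob" only, so the same
# key with a different comment is not duplicated. Lines that are not plain
# "ssh-dss|ssh-rsa <base64> [comment]" entries are reported and skipped.
merge_authorized_keys() {
    dir=$1
    src="$dir/authorized_keys2"
    dst="$dir/authorized_keys"
    [ -f "$src" ] || return 0          # nothing to merge
    [ -f "$dst" ] || : > "$dst"        # create the target if missing
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;       # blank lines and comments
        esac
        # Extract "type blob" and validate the shape of the entry.
        keyid=$(printf '%s\n' "$line" | awk '$1 ~ /^ssh-(dss|rsa)$/ && $2 ~ /^[A-Za-z0-9+\/=]+$/ {print $1, $2}')
        if [ -z "$keyid" ]; then
            echo "skipping malformed line: $line" >&2
            continue
        fi
        # Append only if no existing line carries the same type+blob.
        if ! awk -v id="$keyid" '($1 " " $2) == id {found=1} END {exit !found}' "$dst"; then
            printf '%s\n' "$line" >> "$dst"
        fi
    done < "$src"
    # sshd with StrictModes refuses keys in group/world-writable locations;
    # these are the permissions its directory walk expects.
    chmod 700 "$dir"
    chmod 600 "$dst"
}

# count_keys DIR: number of key entries now in DIR/authorized_keys.
count_keys() {
    grep -c '^ssh-' "$1/authorized_keys"
}

# Constructed demo data in a throwaway directory.
demo_dir=$(mktemp -d)
ssh_dir="$demo_dir/.ssh"
mkdir -p "$ssh_dir"
cat > "$ssh_dir/authorized_keys" <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAAEXAMPLEONE== olduser@oldhost
EOF
cat > "$ssh_dir/authorized_keys2" <<'EOF'
# v2 keys that previously lived only in authorized_keys2
ssh-dss AAAAB3NzaC1kc3MAAAAEXAMPLETWO== username@hostname
ssh-rsa AAAAB3NzaC1yc2EAAAAEXAMPLEONE== same key, different comment
not-a-key line that should be skipped
EOF

merge_authorized_keys "$ssh_dir"
echo "authorized_keys now holds $(count_keys "$ssh_dir") keys"
```

Running the merge a second time is a no-op, so it is safe to put in a login script or a configuration-management run; remove the temporary directory afterwards if you try the demo by hand. Key lines with leading options (from="...", command="...") are deliberately skipped rather than guessed at, since a mis-parsed option prefix would widen what the key is allowed to do.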