0 Replies | Latest reply: Feb 17, 2013 10:27 PM by 984266

    key exchange in open ssh

    984266
      Hi all,

      Question 1:

      It has been a hard time for me with the SSH key exchange. I was using F-Secure SSH rsit and Tectia SSH before, and I need to switch back to OpenSSH.

      Requirement: user1@local ssh to user2@remote

      please correct me if I am wrong:

      In remote server
      ====================
      (Lines required in /etc/sshd_config):

      root@remote $ grep -i aut sshd_config |grep -v ^#
      SyslogFacility auth
      MaxAuthTries 6
      MaxAuthTriesLog 3
      PasswordAuthentication yes
      PAMAuthenticationViaKBDInt yes
      RhostsAuthentication no
      RhostsRSAAuthentication no
      RSAAuthentication yes
      PubkeyAuthentication yes
      AuthorizedKeysFile .ssh/authorized_keys
      root@remote $


      root@remote $ su - user2
      user2@remote $ cd .ssh
      user2@remote $ ls -lrt
      total 4
      -rw-r--r-- 1 user2 user 230 May 28 2012 known_hosts
      -rwxr--r-- 1 user2 user 222 Feb 18 11:18 autorized_keys
      user2@remote $ cat autorized_keys
      ssh-rsa *******************
      ***********************
      ******************** user1@local
      user2@remote $
      (the above is the RSA key from user1@local)
      ======================

      In Local server
      ======================
      user1@loacl $ ls -lrt
      total 14
      -rw-r--r-- 1 user1 user 223 Feb 18 10:47 known_hosts
      -rw------- 1 user1 user 887 Feb 18 11:09 id_rsa
      -rw-r--r-- 1 user1 user 222 Feb 18 11:09 id_rsa.pub
      -rw-r--r-- 1 user1 user 13 Feb 18 11:21 identification
      -rw------- 1 user1 user 887 Feb 18 11:30 identity
      user1@local $ cat identification
      idKey id_rsa
      user1@local $ cat identity
      -----BEGIN RSA PRIVATE KEY-----
      XXXX
      XXXXX
      XXXX
      XXXX
      -----END RSA PRIVATE KEY-----
      user1@local $
      ======================


      It can't ssh using the public key:
      user1@local $ ssh -v user2@192.168.2.142
      Sun_SSH_1.1.4, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
      debug1: Reading configuration data /etc/ssh/ssh_config
      debug1: Rhosts Authentication disabled, originating port will not be trusted.
      debug1: ssh_connect: needpriv 0
      debug1: Connecting to 192.168.2.142 [192.168.2.142] port 22.
      debug1: Connection established.
      debug1: identity file /export/home/user1/.ssh/identity type -1
      debug1: identity file /export/home/user1/.ssh/id_rsa type 1
      debug1: identity file /export/home/user1/.ssh/id_dsa type -1
      debug1: Logging to host: 192.168.2.142
      debug1: Local user: user1 Remote user: user2
      debug1: Remote protocol version 2.0, remote software version Sun_SSH_1.1.4
      debug1: match: Sun_SSH_1.1.4 pat Sun_SSH_1.1.*
      debug1: Enabling compatibility mode for protocol 2.0
      debug1: Local version string SSH-2.0-Sun_SSH_1.1.4
      debug1: use_engine is 'yes'
      debug1: pkcs11 engine initialized, now setting it as default for RSA, DSA, and symmetric ciphers
      debug1: pkcs11 engine initialization complete
      debug1: Failed to acquire GSS-API credentials for any mechanisms (No credentials were supplied, or the credentials were unavailable or inaccessible
      Unknown code 0
      )
      debug1: SSH2_MSG_KEXINIT sent
      debug1: SSH2_MSG_KEXINIT received
      debug1: kex: server->client aes128-ctr hmac-md5 none
      debug1: kex: client->server aes128-ctr hmac-md5 none
      debug1: Peer sent proposed langtags, ctos: af-ZA,ar-EG,ar-SA,bg-BG,bn-IN,ca-ES,cs-CZ,da-DK,de,de-AT,de-CH,de-DE,de-LU,el-CY,el-GR,en-AU,en-CA,en-GB,en-IE,en-IN,en-MT,en-NZ,en-SG,en-US,es,es-AR,es-BO,es-CL,es-CO,es-CR,es-EC,es-ES,es-GT,es-MX,es-NI,es-PA,es-PE,es-PY,es-SV,es-UY,es-VE,et-EE,fi-FI,fr,fr-BE,fr-CA,fr-CH,fr-FR,fr-LU,gu-IN,he-IL,hi-IN,hr-HR,hu-HU,id-ID,is-IS,it,it-IT,ja-JP,kk-KZ,kn-IN,ko,ko-KR,lt-LT,lv-LV,mk-MK,mr-IN,ms-MY,mt-MT,nb-NO,nl-BE,nl-NL,nn-NO,pl,pl-PL,pt-BR,pt-PT,ro-RO,ru,ru-RU,sh-BA,sk-SK,sl-SI,sq-AL,sr-CS,sv,sv-SE,ta-IN,te-IN,th-TH,tr-TR,uk-UA,zh,zh-CN,zh-HK,zh-SG,zh-TW,ar,ca,cz,da,el,et,fi,he,hu,ja,lt,lv,nl,no,no-NO,no-NY,nr,pt,sr-SP,sr-YU,th,tr,i-default
      debug1: Peer sent proposed langtags, stoc: af-ZA,ar-EG,ar-SA,bg-BG,bn-IN,ca-ES,cs-CZ,da-DK,de,de-AT,de-CH,de-DE,de-LU,el-CY,el-GR,en-AU,en-CA,en-GB,en-IE,en-IN,en-MT,en-NZ,en-SG,en-US,es,es-AR,es-BO,es-CL,es-CO,es-CR,es-EC,es-ES,es-GT,es-MX,es-NI,es-PA,es-PE,es-PY,es-SV,es-UY,es-VE,et-EE,fi-FI,fr,fr-BE,fr-CA,fr-CH,fr-FR,fr-LU,gu-IN,he-IL,hi-IN,hr-HR,hu-HU,id-ID,is-IS,it,it-IT,ja-JP,kk-KZ,kn-IN,ko,ko-KR,lt-LT,lv-LV,mk-MK,mr-IN,ms-MY,mt-MT,nb-NO,nl-BE,nl-NL,nn-NO,pl,pl-PL,pt-BR,pt-PT,ro-RO,ru,ru-RU,sh-BA,sk-SK,sl-SI,sq-AL,sr-CS,sv,sv-SE,ta-IN,te-IN,th-TH,tr-TR,uk-UA,zh,zh-CN,zh-HK,zh-SG,zh-TW,ar,ca,cz,da,el,et,fi,he,hu,ja,lt,lv,nl,no,no-NO,no-NY,nr,pt,sr-SP,sr-YU,th,tr,i-default
      debug1: We proposed langtags, ctos: i-default
      debug1: We proposed langtags, stoc: i-default
      debug1: Negotiated lang: i-default
      debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
      debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
      debug1: Remote: Negotiated main locale: C
      debug1: Remote: Negotiated messages locale: C
      debug1: dh_gen_key: priv key bits set: 126/256
      debug1: bits set: 1562/3191
      debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
      debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
      debug1: Host '192.168.2.142' is known and matches the RSA host key.
      debug1: Found key in /export/home/user1/.ssh/known_hosts:1
      debug1: bits set: 1598/3191
      debug1: ssh_rsa_verify: signature correct
      debug1: newkeys: mode 1
      debug1: set_newkeys: setting new keys for 'out' mode
      debug1: SSH2_MSG_NEWKEYS sent
      debug1: expecting SSH2_MSG_NEWKEYS
      debug1: newkeys: mode 0
      debug1: set_newkeys: setting new keys for 'in' mode
      debug1: SSH2_MSG_NEWKEYS received
      debug1: done: ssh_kex2.
      debug1: send SSH2_MSG_SERVICE_REQUEST
      debug1: got SSH2_MSG_SERVICE_ACCEPT


      <<MOTD>>
      |-----------------------------------------------------------------|

      debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
      debug1: Next authentication method: gssapi-keyex
      debug1: Next authentication method: gssapi-with-mic
      debug1: Failed to acquire GSS-API credentials for any mechanisms (No credentials were supplied, or the credentials were unavailable or inaccessible
      Unknown code 0
      )
      debug1: Next authentication method: publickey
      debug1: Trying private key: /export/home/user1/.ssh/identity
      debug1: read PEM private key done: type RSA
      debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
      debug1: Trying public key: /export/home/user1/.ssh/id_rsa
      debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
      debug1: Trying private key: /export/home/user1/.ssh/id_dsa
      debug1: Next authentication method: keyboard-interactive
      Password:
      debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive
      debug1: Next authentication method: keyboard-interactive
      Password:
      debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive
      Password:
      debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive
      debug1: No more authentication methods to try.
      Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive).
      debug1: Calling cleanup 0x34d88(0x0)
      user1@local $


      please help!!!

      Question 2:
      =========
      One more question: in F-Secure SSH rsit and Tectia SSH, we can make use of the authorization file and identification file to have multiple keys. Since OpenSSH is not using these 2 files, how do we manage?
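An added check for the remote-side setup in Question 1 (example code, not from the post or from OpenSSH): it audits a user's `.ssh` directory for the three things sshd verifies before a public key can work, namely the exact `authorized_keys` filename, StrictModes permissions, and one well-formed key per line. It assumes the default `AuthorizedKeysFile .ssh/authorized_keys` and key lines without option prefixes.

```shell
# Added helper, not code from the forum post: audit a user's ~/.ssh directory
# the way sshd evaluates it before a public key can succeed. Assumes the
# default AuthorizedKeysFile and key lines with no leading options.
# Usage: check_ssh_dir /export/home/user2/.ssh   (exit 0 = passes)
check_ssh_dir() {
    dir=$1
    keys="$dir/authorized_keys"
    rc=0
    # 1. sshd only opens the exact AuthorizedKeysFile name; a near miss such as
    #    "autorized_keys" is silently ignored and auth falls through to password.
    if [ ! -f "$keys" ]; then
        echo "FAIL: $keys missing"
        for f in "$dir"/*; do
            case "${f##*/}" in
                *auth*|*autor*|*keys*) echo "      similar file present: $f" ;;
            esac
        done
        return 1
    fi
    # 2. With StrictModes (the default) sshd rejects the key file when the
    #    directory or the file itself is group- or world-writable.
    for p in "$dir" "$keys"; do
        mode=$(ls -ld "$p" | cut -c1-10)
        case "$mode" in
            ?????w*|????????w?) echo "FAIL: $p is group/world-writable ($mode)"; rc=1 ;;
        esac
    done
    # 3. Each key must be one line: <type> <single base64 token> [comment].
    #    A key pasted across wrapped lines shows up as unknown types/short blobs.
    n=0
    set -f   # no glob expansion while word-splitting key lines
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line
        case "$1" in
            ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-*) ;;
            *) echo "FAIL: line $n: unknown key type '$1'"; rc=1; continue ;;
        esac
        if ! printf '%s\n' "$2" | grep -Eq '^[A-Za-z0-9+/]{16,}={0,2}$'; then
            echo "FAIL: line $n: key blob is not a single base64 token"; rc=1
        fi
    done < "$keys"
    set +f
    [ "$rc" -eq 0 ] && echo "OK: $keys passes sshd's checks"
    return $rc
}
```

Run it as the target user (or as root) on the remote host; on the listing in the post it reports the misspelled filename before anything else.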