RE: keys not recognized in Unixware --> RedHat Connection

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Thank you.  

I didn't realize that putting the passphrase in the key meant you would
always be asked for it.  I make dozens of connections from this Unixware box
to this and other similarly configured RedHat servers (which requires its
own ssh passphrase for me to get into) every day and typing this passphrase
was getting very old.  Now, by creating keys without passphrases, this step
is eliminated.

I find, though, that I cannot accomplish the same on the connection from my
Windows PC to the initial Unixware box (using the Attachmate application).
On that connection, a key with a passphrase is accepted when I type the
passphrase, but a key without a passphrase is rejected.    Is this
controlled by the ChallengeResponseAuthentication configuration parameter
(which is yes on the Unixware box and no on the Linux boxes)?  

If so, then I would say that the ChallengeResponseAuthentication comment in
the standard sshd_config file is a little confusing.  That comment is:

# Change to no to disable s/key passwords

This is confusing since it seems that what is actually being disabled here
is logon via keys WITHOUT passphrases.

 

-----Original Message-----
From: Dan Nelson [mailto:dnelson@xxxxxxxxxxxxxxx] 
Sent: Thursday, September 25, 2008 10:06 PM
To: COHEN, STEVEN M (ATTSI)
Cc: secureshell@xxxxxxxxxxxxxxxxx
Subject: Re: keys not recognized in Unixware --> RedHat Connection

In the last episode (Sep 25), COHEN, STEVEN M (ATTSI) said:
> I am trying to connect via ssh from a box running UnixWare 5 7.1.3 
> which has OpenSSH installed at version OpenSSH_5.0p1, OpenSSL 0.9.8g
> 19 Oct 2007 to a box running Linux 2.6.9-78.0.1.EL #1 Tue Jul 22
> 17:50:01 EDT 2008 which has OpenSSH installed at version 
> OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003.
> 
> I find that the keys generated on the Unixware box are not accepted on 
> the Linux box.  This authentication always fails and I am forced to 
> type the passphrase in every time.
> 
> I did the following (using non-standard key name since I did not want 
> to mess up existing connectivity):
> 
> $ ssh-keygen -t dsa -f id_dsa2
> Generating public/private dsa key pair.
> Enter passphrase (empty for no passphrase): 
> Enter same passphrase again: 
> Your identification has been saved in id_dsa2.
> Your public key has been saved in id_dsa2.pub.
> The key fingerprint is: ...

Ok, so at this point (assuming you did enter a passphrase here; you didn't
say) you have an SSH key with a passphrase required to decrypt the private
half...
 
> Then, I copied id_dsa2.pub to the Linux box.
> 
> and did the following on that box
> 
> $ mv authorized_keys authorized_keys.bak $ cp id_dsa2.pub 
> authorized_keys
> 
> Then, back on unixware box, I do the following
> 
> $ ssh -v -i id_dsa2 ip2
> OpenSSH_5.0p1, OpenSSL 0.9.8g 19 Oct 2007
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Connecting to ip2 [xx.xx.xx.xx] port 22.
> debug1: Connection established.
> debug1: identity file id_dsa2 type 2
> debug1: Remote protocol version 2.0, remote software version 
> OpenSSH_3.9p1
> debug1: match: OpenSSH_3.9p1 pat OpenSSH_3.*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.0
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Host 'ip2' is known and matches the RSA host key.
> debug1: Found key in /home/myusername/.ssh/known_hosts:3
> debug1: ssh_rsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: publickey
> debug1: Next authentication method: publickey
> debug1: Offering public key: id_dsa2
> debug1: Server accepts key: pkalg ssh-dss blen 433
> debug1: PEM_read_PrivateKey failed
> debug1: read PEM private key done: type <unknown> Enter passphrase for 
> key 'id_dsa2':
> debug1: No more authentication methods to try.
> Permission denied (publickey).

.. and here, you are prompted for that passphrase so your ssh client can
sign the public key and send the signature to the remote server, so the
remote server will authenticate you (see
openssh/sshconnect2.c:sign_and_send_pubkey for the details).  Until that
happens, all the remote server knows is that you /might/ have the private
half of a public key that's in its authorized_keys file.
 
> If I had entered my passphrase I would have gotten in.
> Can someone explain why this happens?

Because your private key is encrypted with a passphrase.  If you want to be
able to log in without entering a passphrase for your private key, either a)
run ssh-agent so you only have to enter the passphrase once, or b) remove
the passphrase on that private key.

-- 
	Dan Nelson
	dnelson@xxxxxxxxxxxxxxx

Attachment: smime.p7s
Description: S/MIME cryptographic signature


[Index of Archives]     [Open SSH Unix Development]     [Fedora Users]     [Fedora Desktop]     [Yosemite Backpacking]     [KDE Users]     [Gnome Users]

  Powered by Linux