This gets LONG....

On Friday 01 August 2003 12:25, Bret Hughes wrote:
> On Fri, 2003-08-01 at 10:04, System Administrator wrote:
> > see below...
> >
> > On Thursday 31 July 2003 21:38, Bret Hughes wrote:
> > > On Thu, 2003-07-31 at 18:07, System Administrator wrote:
> > > > Yes, this is a perfect example of why we should 'just get rid of
> > > > windows'. But.....that is not an option right now.
> > > >
> > > > I am trying to setup SSH with public-key encryption to a RH8 box. I
> > > > am running OpenSSH 3.4p2. All default setup.
> > > >
> > > > Of course the other *UX boxes manage just fine (thanks to a VERY good
> > > > write-up from akadia.com).
> > > >
> > > > The Windows (NT,2000) systems, on the other hand, can't seem to get
> > > > it right. I have tried ssh secure shell. I found writeups on the
> > > > website. But it didn't work. But no diags to see why. I try putty
> > > > and get a message saying "Key is of wrong type (PuTTY SSH2 private
> > > > key)". If I look at the actual entry (authorized_keys) in the .ssh
> > > > folder, it lists the entry as "public key". Again I followed the
> > > > documentation to generate the keys. At least I think I did.
> > > >
> > > > Any insights will be appreciated.
> > > > --
> > >
> > > Did you do the key conversion before you put the public key in the other
> > > host? Are you sure you generated a type 2 key?
> >
> > Yes and Yes. I actually went through the process several times. The
> > last time I made sure that I documented each step.
> >
> > > You really did not give us much to go on.
> >
> > If there is more info I can give to assist you "please" let me know. I
> > see no security issues in providing the information. I have full scale
> > code development going on and they are using a makeshift document
> > control setup until I can get this going.
>
> Ok one caveat, I have only done this once from a W2000 box and have
> slept since then. I have setup hundreds of openssh boxes though.
>
> Assumptions:
>
> The linux host is setup so that the same user can connect from another
> linux box. User specific is important because perms on the
> authorized_keys file can cause failures.

Correct

>
> The windows generated public key has been converted to openssh format
> and has been installed in the user's ~/.ssh/authorized_keys[2] file

Correct, authorized_keys is the actual file.

>
>
> The first thing I would do is put the ssh server into debug mode.
>
> If you can tell everyone to leave it alone for a minute:
>
> service sshd stop
>
> as root from a command prompt:
>
> sshd -d -d # additional -d for even more output
>
> This will put the server in a state that only one connection will be
> processed and spit a bunch of stuff to stderr.
>
> try to connect from the windows box using whatever debug options exist
> in the client.
>
> take a look at the output and see if you can tell what is going wrong.
>
> If not post the output to the list. someone here will be able to figure
> it out.
>
> Bret

Here's the output:

The Good - Solaris 8 system OpenSSH
User - clsonnt
Debug output

debug1: sshd version OpenSSH_3.4p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
socket: Address family not supported by protocol
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 192.168.0.116 port 3388
debug1: Client protocol version 1.5; client software version PuTTY-Release-0.53b
debug1: no match: PuTTY-Release-0.53b
debug1: Local version string SSH-1.99-OpenSSH_3.4p1
debug2: Network child is on pid 5336
debug1: Sent 768 bit server key and 1024 bit host key.
debug1: Encryption type: blowfish
debug1: Received session key; encryption turned on.
debug2: monitor_read: 28 used once, disabling now
debug2: monitor_read: 30 used once, disabling now
debug1: Installing crc compensation attack detector.
debug1: Attempting authentication for clsonnt.
debug2: monitor_read: 6 used once, disabling now
debug1: Starting up PAM with username "clsonnt"
Could not reverse map address 192.168.0.116.
debug1: PAM setting rhost to "192.168.0.116"
debug2: monitor_read: 37 used once, disabling now
debug1: PAM Password authentication for "clsonnt" failed[7]: Authentication failure
Failed none for clsonnt from 192.168.0.116 port 3388
Connection closed by 192.168.0.116
debug1: Calling cleanup 0x8071320(0x0)
debug1: Calling cleanup 0x8054a40(0x0)
debug1: Calling cleanup 0x8071320(0x0)
bash-2.05b#
bash-2.05b#
bash-2.05b#
bash-2.05b# sshd -d -d
debug1: sshd version OpenSSH_3.4p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
socket: Address family not supported by protocol
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 192.168.0.10 port 51881
debug1: Client protocol version 2.0; client software version OpenSSH_3.4p1
debug1: match: OpenSSH_3.4p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.4p1
debug2: Network child is on pid 5339
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED]
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED]
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug2: monitor_read: 0 used once, disabling now
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 134/256
debug1: bits set: 1594/3191
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 1594/3191
debug2: monitor_read: 4 used once, disabling now
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user clsonnt service ssh-connection method none
debug1: attempt 0 failures 0
debug2: monitor_read: 6 used once, disabling now
debug2: input_userauth_request: setting up authctxt for clsonnt
debug1: Starting up PAM with username "clsonnt"
debug1: PAM setting rhost to "iwapps1.iwapps.com"
debug2: monitor_read: 37 used once, disabling now
debug2: monitor_read: 3 used once, disabling now
debug2: input_userauth_request: try method none
debug1: PAM Password authentication for "clsonnt" failed[7]: Authentication failure
Failed none for clsonnt from 192.168.0.10 port 51881 ssh2
Failed none for clsonnt from 192.168.0.10 port 51881 ssh2
debug1: userauth-request for user clsonnt service ssh-connection method publickey
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 500/500 (e=0)
debug1: trying public key file /home/clsonnt/.ssh/authorized_keys
debug2: key_type_from_name: unknown key type '1024'
debug2: user_key_allowed: check options: '1024 35 168346062990093741766698957867989269359901942991237790298079816079652766627925830228104054981742413633363214660996063308122517716101515271375760770476414753229257204755907969639656172245663928874811602525420996043935593641864973479851166496747708641340313055208876957903958154407115748745921210445287559542329 [EMAIL PROTECTED] '
debug2: key_type_from_name: unknown key type '35'
debug2: user_key_allowed: advance: '35 168346062990093741766698957867989269359901942991237790298079816079652766627925830228104054981742413633363214660996063308122517716101515271375760770476414753229257204755907969639656172245663928874811602525420996043935593641864973479851166496747708641340313055208876957903958154407115748745921210445287559542329 [EMAIL PROTECTED] '
debug2: key_type_from_name: unknown key type 'Comment:'
debug2: user_key_allowed: check options: 'Comment: "rsa-key-20030731"AAAAB3NzaC1yc2EAAAABJQAAAIB1XeNgMQtPLVBHeOPX7nClliPXUGkPCcvcWtitLDNq0ILV7XfEHrZDhJ9PCNJkEYNT34q3dtI1jnh6iaf30RiJ431x2IuLHhqCpwqUIwvm/VmG5otd25UjuyyI+KL8V3HkgiERk2liB1+neSIz7Il1pDVyX8D15s0KUSzihJbdBw== '
debug2: user_key_allowed: advance: '"rsa-key-20030731"AAAAB3NzaC1yc2EAAAABJQAAAIB1XeNgMQtPLVBHeOPX7nClliPXUGkPCcvcWtitLDNq0ILV7XfEHrZDhJ9PCNJkEYNT34q3dtI1jnh6iaf30RiJ431x2IuLHhqCpwqUIwvm/VmG5otd25UjuyyI+KL8V3HkgiERk2liB1+neSIz7Il1pDVyX8D15s0KUSzihJbdBw== '
debug1: restore_uid
debug2: key not found
debug1: temporarily_use_uid: 500/500 (e=0)
debug1: trying public key file /home/clsonnt/.ssh/authorized_keys2
debug1: matching key found: file /home/clsonnt/.ssh/authorized_keys2, line 1
Found matching DSA key: e5:75:a5:19:f0:3b:1d:b0:f7:31:30:37:cc:76:57:2f
debug1: restore_uid
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
Postponed publickey for clsonnt from 192.168.0.10 port 51881 ssh2
debug1: userauth-request for user clsonnt service ssh-connection method publickey
debug1: attempt 2 failures 1
debug2: input_userauth_request: try method publickey
debug1: temporarily_use_uid: 500/500 (e=0)
debug1: trying public key file /home/clsonnt/.ssh/authorized_keys
debug2: key_type_from_name: unknown key type '1024'
debug2: user_key_allowed: check options: '1024 35 168346062990093741766698957867989269359901942991237790298079816079652766627925830228104054981742413633363214660996063308122517716101515271375760770476414753229257204755907969639656172245663928874811602525420996043935593641864973479851166496747708641340313055208876957903958154407115748745921210445287559542329 [EMAIL PROTECTED] '
debug2: key_type_from_name: unknown key type '35'
debug2: user_key_allowed: advance: '35 168346062990093741766698957867989269359901942991237790298079816079652766627925830228104054981742413633363214660996063308122517716101515271375760770476414753229257204755907969639656172245663928874811602525420996043935593641864973479851166496747708641340313055208876957903958154407115748745921210445287559542329 [EMAIL PROTECTED] '
debug2: key_type_from_name: unknown key type 'Comment:'
debug2: user_key_allowed: check options: 'Comment: "rsa-key-20030731"AAAAB3NzaC1yc2EAAAABJQAAAIB1XeNgMQtPLVBHeOPX7nClliPXUGkPCcvcWtitLDNq0ILV7XfEHrZDhJ9PCNJkEYNT34q3dtI1jnh6iaf30RiJ431x2IuLHhqCpwqUIwvm/VmG5otd25UjuyyI+KL8V3HkgiERk2liB1+neSIz7Il1pDVyX8D15s0KUSzihJbdBw== '
debug2: user_key_allowed: advance: '"rsa-key-20030731"AAAAB3NzaC1yc2EAAAABJQAAAIB1XeNgMQtPLVBHeOPX7nClliPXUGkPCcvcWtitLDNq0ILV7XfEHrZDhJ9PCNJkEYNT34q3dtI1jnh6iaf30RiJ431x2IuLHhqCpwqUIwvm/VmG5otd25UjuyyI+KL8V3HkgiERk2liB1+neSIz7Il1pDVyX8D15s0KUSzihJbdBw== '
debug1: restore_uid
debug2: key not found
debug1: temporarily_use_uid: 500/500 (e=0)
debug1: trying public key file /home/clsonnt/.ssh/authorized_keys2
debug1: matching key found: file /home/clsonnt/.ssh/authorized_keys2, line 1
Found matching DSA key: e5:75:a5:19:f0:3b:1d:b0:f7:31:30:37:cc:76:57:2f
debug1: restore_uid
debug1: ssh_dss_verify: signature correct
debug2: pam_acct_mgmt() = 0
Accepted publickey for clsonnt from 192.168.0.10 port 51881 ssh2
debug1: monitor_child_preauth: clsonnt has been authenticated by privileged process
debug2: userauth_pubkey: authenticated 1 pkalg ssh-dss
Accepted publickey for clsonnt from 192.168.0.10 port 51881 ssh2
debug2: mac_init: found hmac-md5
debug2: mac_init: found hmac-md5
debug2: User child is on pid 5340
debug1: PAM establishing creds
debug1: PAM setcred failed[15]: Authentication service cannot retrieve user credentials
debug1: newkeys: mode 0
debug1: newkeys: mode 1
debug1: Entering interactive session for SSH2.
debug1: fd 7 setting O_NONBLOCK
debug1: fd 8 setting O_NONBLOCK
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request pty-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: lastlog_openseek: Couldn't open /var/log/lastlog: Permission denied
debug1: Allocating pty.
debug1: session_new: init
debug1: session_new: session 0
debug1: session_pty_req: session 0 alloc /dev/pts/3
debug1: Ignoring unsupported tty mode opcode 11 (0xb)
debug1: Ignoring unsupported tty mode opcode 16 (0x10)
debug1: server_input_channel_req: channel 0 request shell reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: PAM setting tty to "/dev/pts/3"
debug1: PAM establishing creds
debug1: PAM setcred failed[15]: Authentication service cannot retrieve user credentials
debug1: fd 4 setting TCP_NODELAY
debug1: channel 0: rfd 10 isatty
debug1: fd 10 setting O_NONBLOCK
debug2: fd 9 is O_NONBLOCK
debug1: Setting controlling tty using TIOCSCTTY.

The Bad - WinNT system PuTTY 0.53b
User - clsonnt
Debug output

debug1: sshd version OpenSSH_3.4p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
socket: Address family not supported by protocol
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 192.168.0.116 port 3388
debug1: Client protocol version 1.5; client software version PuTTY-Release-0.53b
debug1: no match: PuTTY-Release-0.53b
debug1: Local version string SSH-1.99-OpenSSH_3.4p1
debug2: Network child is on pid 5336
debug1: Sent 768 bit server key and 1024 bit host key.
debug1: Encryption type: blowfish
debug1: Received session key; encryption turned on.
debug2: monitor_read: 28 used once, disabling now
debug2: monitor_read: 30 used once, disabling now
debug1: Installing crc compensation attack detector.
debug1: Attempting authentication for clsonnt.
debug2: monitor_read: 6 used once, disabling now
debug1: Starting up PAM with username "clsonnt"
Could not reverse map address 192.168.0.116.
debug1: PAM setting rhost to "192.168.0.116"
debug2: monitor_read: 37 used once, disabling now
debug1: PAM Password authentication for "clsonnt" failed[7]: Authentication failure
Failed none for clsonnt from 192.168.0.116 port 3388
Connection closed by 192.168.0.116
debug1: Calling cleanup 0x8071320(0x0)
debug1: Calling cleanup 0x8054a40(0x0)
debug1: Calling cleanup 0x8071320(0x0)

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-list
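
The server log above shows sshd reading /home/clsonnt/.ssh/authorized_keys and reporting "unknown key type" for the tokens '1024', '35' and 'Comment:'. As an added example (not part of the original post and not OpenSSH code), this Python linter classifies each authorized_keys line as a one-line OpenSSH protocol 2 key, an SSH1-style "bits exponent modulus" entry, or a fragment of the multi-line SSH2 public key file format (RFC 4716). The function names, verdict strings and sample lines are constructed for illustration, and option fields containing spaces are handled only approximately.

```python
import base64

# Key type names used by the one-line OpenSSH (protocol 2) format.
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256"}
# Markers and header tags of the multi-line SSH2 public key file format.
RFC4716_MARKS = ("---- BEGIN SSH2", "---- END SSH2", "Comment:", "Subject:")

def blob_type(b64):
    """Return the algorithm name embedded in a base64 key blob, or None."""
    try:
        raw = base64.b64decode(b64, validate=True)
        n = int.from_bytes(raw[:4], "big")   # length prefix of the name
        return raw[4:4 + n].decode("ascii") if len(raw) >= 4 + n else None
    except ValueError:                       # bad base64 or non-ASCII name
        return None

def classify(line):
    """Classify one authorized_keys line."""
    line = line.strip()
    if not line or line.startswith("#"):
        return "skip"
    if line.startswith(RFC4716_MARKS):
        return "rfc4716-fragment"
    tok = line.split()
    if len(tok) >= 3 and all(t.isdigit() for t in tok[:3]):
        return "ssh1-rsa"              # bits exponent modulus [comment]
    named = [(t, nxt) for t, nxt in zip(tok, tok[1:]) if t in KEY_TYPES]
    if any(blob_type(nxt) == t for t, nxt in named):
        return "openssh2"              # tokens before the type are options
    if named:
        return "bad-blob"              # type name present, blob disagrees
    if blob_type(tok[0]) in KEY_TYPES:
        return "rfc4716-fragment"      # bare base64 body, no type in front
    return "unknown"

def lint(text):
    """List (line_number, verdict) for lines that are not protocol 2 keys."""
    return [(n, v) for n, line in enumerate(text.splitlines(), 1)
            if (v := classify(line)) not in ("skip", "openssh2")]

# Constructed blobs holding only an algorithm name (ssh-rsa, ssh-dss).
RSA, DSS = "AAAAB3NzaC1yc2E=", "AAAAB3NzaC1kc3M="
# Constructed authorized_keys content; line 2 has the shape seen in the log.
SAMPLE = "\n".join([
    "1024 35 1234567890123 user@host",
    'Comment: "rsa-key-20030731"' + RSA,
    "ssh-rsa " + RSA + " rsa-key-20030731",
    "ssh-rsa " + DSS + " mismatched",
])
```

Calling lint(SAMPLE) flags lines 1, 2 and 4 and passes line 3, the only entry in the one-line "type base64 comment" form.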