Hello,
I have been looking into setting up openssh-2.1.0.p2 to allow some secure
remote operations to occur between our Sun systems (Solaris 7 and 8) and my
Linux box (Red Hat 6.1). No real problems with that and it all seemed to work
fine. To get secure copying of files via cron to work I had to create some
keys with no passphrase, and it all worked fine.
I then noticed in the FAQ about the fact that ssh protocol 1 wasn't being
worked on and that it would be best to move to using ssh2 (i.e. openssh
configured for protocol 2 in our case). Fair enough since we were just
starting with this, so it would be best to do it now rather than later. So I
spent yesterday doing that - renaming files; creating DSA keys, etc.
I now get some error messages when trying to use ssh (protocol 2). When I
try running it interactively with the '-v' option I get:
(top bit snipped)
debug: bits set: 538/1024
debug: len 55 datafellows 0
debug: dsa_verify: signature correct
debug: Wait SSH2_MSG_NEWKEYS.
debug: GOT SSH2_MSG_NEWKEYS.
debug: send SSH2_MSG_NEWKEYS.
debug: done: send SSH2_MSG_NEWKEYS.
debug: done: KEX2.
debug: send SSH2_MSG_SERVICE_REQUEST
debug: service_accept: ssh-userauth
debug: got SSH2_MSG_SERVICE_ACCEPT
debug: authentications that can continue: publickey,password
debug: key does not exist: /usr/local/exim/.ssh/id_dsa
Permission denied (publickey,password).
debug: Calling cleanup 0x4e618(0x0)
debug: writing PRNG seed to file /usr/local/exim/.ssh/prng_seed
debug: Calling cleanup 0x48f5c(0x0)
It is true that 'id_dsa' does not exist for this account since I didn't
create a key for the 'account' itself. It simply has two specific keys
located in their own files. Under ssh1 (with RSA) this worked fine; it used
the identity files I had specified on the command line with the '-i' option.
Under ssh2 it seems to insist on one for the account. But if I create that
I'd have to give it a blank passphrase (since this is running via cron) and
that doesn't seem like a good idea.
Reading the man page for ssh, I created a config file for the account and
specified 'IdentityFile2'. This seemed better but still gives an error:
(top bit snipped)
debug: bits set: 508/1024
debug: len 55 datafellows 0
debug: dsa_verify: signature correct
debug: Wait SSH2_MSG_NEWKEYS.
debug: GOT SSH2_MSG_NEWKEYS.
debug: send SSH2_MSG_NEWKEYS.
debug: done: send SSH2_MSG_NEWKEYS.
debug: done: KEX2.
debug: send SSH2_MSG_SERVICE_REQUEST
debug: service_accept: ssh-userauth
debug: got SSH2_MSG_SERVICE_ACCEPT
debug: authentications that can continue: publickey,password
debug: try pubkey: /usr/local/exim/.ssh/adbkcp2ops
debug: read DSA private key done
debug: sig size 20 20
debug: authentications that can continue: publickey,password
Permission denied (publickey,password).
debug: Calling cleanup 0x4e618(0x0)
debug: writing PRNG seed to file /usr/local/exim/.ssh/prng_seed
debug: Calling cleanup 0x48f5c(0x0)
As can be seen the adbkcp2ops identity file is recognised, but I still get
the 'Permission denied' error. BTW I have disabled password authentication
so the DSA keys must be used.
In this case ssh should be trying to access root on the local system with
the specified key. Root has the key configured into its authorized_keys2
file with the 'command=' option. As said, it all worked fine using protocol
1. If it is any use, when I telnet to port 22 on the host I get:
SSH-2.0-OpenSSH-2.1
Anyone any ideas about this?
A couple of other minor questions whilst I'm here :-)
1) The local systems where openssh is to be used (initially at least) have
no users as such but are used by local computing staff. Is there any way of
enforcing that ssh is used for, for example, accessing the systems as root?
At present this is done over the local network in the clear by logging in as
themselves and then su'ing to root - hence the password goes over the net in
the clear. If I just disabled telnet and su then I'd probably get lynched :-)
2) I'd like to setup remote backups of some of our systems, again via cron.
I gather that this can be done, but am unsure how. I thought I saw somewhere
about piping ssh into ufsdump? Does that sound right? I haven't looked into
this very much as yet, but if someone could point me in the right direction
then I'd be grateful. All the Suns are backed up using Sun's ufsdump
command.
Thanks,
John.
--------------------------------------------------------------------------
John Horne, University of Plymouth, UK Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]
PGP key available from public key servers
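An added example, not part of John's message: a server-side forced-command wrapper of the kind the 'command=' option in authorized_keys2 points at, which is the usual way to limit what a passphrase-less cron key (such as one driving ufsdump) is allowed to do. The script path, the key comment, the dump device name and the assumption that sshd exports the client's requested command in SSH_ORIGINAL_COMMAND are all mine, not from the post.

```shell
#!/bin/sh
# Server-side forced-command wrapper for a passphrase-less cron key.
# Install it as the target of the key's 'command=' option in
# ~root/.ssh/authorized_keys2, with the other restrictions, all on one
# line (path and key comment are assumed values):
#   command="/usr/local/sbin/backup-wrapper",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-dss AAAA... backup@linuxbox
# sshd is assumed to export the command the client asked for in
# SSH_ORIGINAL_COMMAND; the wrapper runs it only if it matches an
# allowlisted literal exactly, so the key cannot be turned into a shell.
# Return 0 when "$1" is exactly one of the permitted command lines.
# Exact string matching means an appended ';', '|' or '&&' never matches.
allowed_command() {
    case "$1" in
        "ufsdump 0uf - /dev/rdsk/c0t0d0s0") return 0 ;;   # level-0 dump to stdout
        "cat /var/adm/backup.status")       return 0 ;;   # read the last status
        *)                                  return 1 ;;
    esac
}
# Log via syslog when logger is available; stay quiet otherwise.
log_msg() {
    if command -v logger >/dev/null 2>&1; then
        logger -p auth.info -t backup-wrapper "$1"
    fi
}
# Validate SSH_ORIGINAL_COMMAND and exec it. Returns 1 and runs nothing for
# an empty request (an interactive login with this key) or a non-allowlisted one.
run_wrapper() {
    req="${SSH_ORIGINAL_COMMAND:-}"
    if [ -z "$req" ]; then
        log_msg "rejected interactive login from ${SSH_CLIENT:-unknown}"
        echo "this key only runs backup commands" >&2
        return 1
    fi
    if ! allowed_command "$req"; then
        log_msg "rejected command from ${SSH_CLIENT:-unknown}: $req"
        echo "command not permitted" >&2
        return 1
    fi
    log_msg "running for ${SSH_CLIENT:-unknown}: $req"
    # $req is a known literal, so plain word splitting is safe here.
    set -- $req
    exec "$@"
}
# Only dispatch when invoked under the installed name, so the functions
# can also be sourced for testing.
if [ "${0##*/}" = "backup-wrapper" ]; then
    run_wrapper
fi
```

The client side then stays as it was: cron runs ssh with '-i' (or IdentityFile2 in the account's config) and the exact allowlisted command, and any other use of that key is refused and logged on the server.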