Sftp Key Authentication Issue
# 1  
Old 05-15-2009

Hello,

We have an issue attempting to login from a Unix Solaris to an NT server using key authentication. I will attempt to provide you with as much of the relevant information regarding the way the system is set up, although I'm working solely on the Unix side, so don't have full access to how the NT server is set up.

The version of ssh that we're running is:-

bash-3.00$ ssh2 -V
ssh2: F-Secure-SSH-2.3.1 (build 7) on sparc-sun-solaris2.8

The public/private keys that I created (with no passphrase) are in the following format:-

bash-3.00$ more batchftp_uat.pub
---- BEGIN SSH2 PUBLIC KEY ----
Subject: genevaz
Comment: "2048-bit rsa, genevaz@nsufu351, Wed Apr 29 2009 16:02:21"
AAAAB3NzaC1yc2EAAAABIQAAAQEArY1INXO1O1OYKMftSSqWMu0yCEth4RxZWbLgDfyh9j
...etc...
HyzYkalbK0IxCTwxILud5dmhVDj4C0w9eCiP7DJF9+Fvk7eq6hwTfsCZxrJO9RPPxTGjds
3acg4fKft64II8QpOYVw==
---- END SSH2 PUBLIC KEY ----
bash-3.00$ more batchftp_uat
---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
Subject: genevaz
Comment: "2048-bit rsa, genevaz@nsufu351, Wed Apr 29 2009 16:02:21"
P2/56wAAA+oAAAA0aWYtbW9kbntzaWdue3JzYS1wa2NzMS1tZDV9LGVuY3J5cHR7cnNhLX
...etc...
eBjpNEZbOg1KIyDyvPLcKqDypisoenOLd1wZSgdB5QptSE0qI7v4GawDJ9jAU5Sz/e3eeI
TWFGjR
---- END SSH2 ENCRYPTED PRIVATE KEY ----

These are both in the .ssh2 directory of the account that I'm connecting from. Also in that directory are the following files:-

bash-3.00$ more identification
IdKey batchftp_uat
bash-3.00$ more authorization
key batchftp_uat.pub

Below is the output of what happens (with maximum debug) when I attempt to login to the remote server:-

bash-3.00$ sftp -D 99 "hnah\svc-us-sftp-hbeuie@mxssh01"
SshEventLoop/sshunixeloop.c:412: Registered signal 1.
SshEventLoop/sshunixeloop.c:412: Registered signal 2.
SshEventLoop/sshunixeloop.c:412: Registered signal 15.
SshEventLoop/sshunixeloop.c:412: Registered signal 6.
SshEventLoop/sshunixeloop.c:412: Registered signal 22.
SshEventLoop/sshunixeloop.c:524: Registered file descriptor 0.
SshEventLoop/sshunixeloop.c:524: Registered file descriptor 1.
SshEventLoop/sshunixeloop.c:412: Registered signal 20.
SshFSM/sshfsm.c:479: Spawning a new thread starting from `finalize_initialization'.
SshFSM/sshfsm.c:243: Added ptr afbcc ('finalize_initialization') to hash table.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:596: Starting the event loop.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshFSM/sshfsm.c:326: Entering the scheduler.
SshFSM/sshfsm.c:381: Thread continuing from state `finalize_initialization' (Finalize initialization).
SshFSM/sshfsm.c:243: Added ptr af28c ('get_command') to hash table.
SshFileCopy/sshfilecopy.c:909: Making local connection.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshFSM/sshfsm.c:462: Reactivating an already active thread (do nothing).
SshFSM/sshfsm.c:381: Thread continuing from state `get_command' (Prepare to read a command from user).
SshFSM/sshfsm.c:243: Added ptr af38c ('command_open') to hash table.
SshFSM/sshfsm.c:381: Thread continuing from state `command_open' (Open a connection to destination host).
SshFSM/sshfsm.c:243: Added ptr af3e8 ('command_finalize_open') to hash table.
SshFileCopy/sshfilecopy.c:928: Connecting to remote host. (host = hnah\svc-us-sftp-hbeuie@mxssh01, user = (null), port = (null))
Sftp2/sftp2.c:2390: argv[0] = ssh2
Sftp2/sftp2.c:2390: argv[1] = -v
Sftp2/sftp2.c:2390: argv[2] = -x
Sftp2/sftp2.c:2390: argv[3] = -a
Sftp2/sftp2.c:2390: argv[4] = -o
Sftp2/sftp2.c:2390: argv[5] = passwordprompt %U@%H's password:
Sftp2/sftp2.c:2390: argv[6] = -o
Sftp2/sftp2.c:2390: argv[7] = nodelay yes
Sftp2/sftp2.c:2390: argv[8] = -o
Sftp2/sftp2.c:2390: argv[9] = authenticationnotify yes
Sftp2/sftp2.c:2390: argv[10] = hnah\svc-us-sftp-hbeuie@mxssh01
Sftp2/sftp2.c:2390: argv[11] = -s
Sftp2/sftp2.c:2390: argv[12] = sftp
SshEventLoop/sshunixeloop.c:412: Registered signal 18.
SshEventLoop/sshunixeloop.c:524: Registered file descriptor 5.
SshEventLoop/sshunixeloop.c:524: Registered file descriptor 4.
Sftp2/sftp2.c:2206: notification: 0
SshFSM/sshfsm.c:397: Thread suspended in state `command_finalize_open'.
SshFSM/sshfsm.c:367: No active threads so return from scheduler.
SshEventLoop/sshunixeloop.c:738: Select timeout: 0 seconds, 0 usec.
SshEventLoop/sshunixeloop.c:797: Select.
Sftp2/sftp2.c:2206: notification: 1
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:738: Select timeout: 0 seconds, 0 usec.
SshEventLoop/sshunixeloop.c:797: Select.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:797: Select.
debug: hostname is 'mxssh01'.
debug: Unable to open /home/users/genevaz/.ssh2/ssh2_config
debug: connecting to mxssh01...
debug: entering event loop
debug: ssh_client_wrap: creating transport protocol
debug: SshAuthMethodClient/sshauthmethodc.c:107: Added "publickey" to usable methods.
debug: SshAuthMethodClient/sshauthmethodc.c:107: Added "password" to usable methods.
debug: Ssh2Client/sshclient.c:1105: creating userauth protocol
debug: Ssh2Common/sshcommon.c:489: local ip = 128.8.73.35, local port = 36290
debug: Ssh2Common/sshcommon.c:491: remote ip = 161.4.55.155, remote port = 22
debug: SshConnection/sshconn.c:1853: Wrapping...
debug: Ssh2Transport/trcommon.c:591: Remote version: SSH-2.0-6.0.1.16 SSH Tectia Server
debug: Ssh2Transport/trcommon.c:1095: c_to_s: cipher 3des-cbc, mac hmac-sha1, compression none
debug: Ssh2Transport/trcommon.c:1098: s_to_c: cipher 3des-cbc, mac hmac-sha1, compression none
debug: Ssh2Client/sshclient.c:399: Host key found from database.
debug: Ssh2Common/sshcommon.c:297: Received SSH_CROSS_STARTUP packet from connection protocol.
debug: Ssh2Common/sshcommon.c:347: Received SSH_CROSS_ALGORITHMS packet from connection protocol.
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:780: adding keyfile "/home/users/genevaz/.ssh2/batchftp_uat" to candidates
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:331: Constructing and sending signature...
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:425: ssh_client_auth_pubkey_send_signature: reading /home/users/genevaz/.ssh2/batchftp_uat
debug: Ssh2AuthPasswdClient/authc-passwd.c:82: Starting password query...
hnah\svc-us-sftp-hbeuie@mxssh01's password:

As you'll see it prompts for a password - if I enter the password, I can login to the server successfully. So, my main questions are, can you see anything that's not set up correctly on the Unix side? If not, what can I get the admin guy on the NT side to check? Also, when I attempt to login, should there be any logfiles that show my connection, and why it's not authenticating correctly? If so, where are they located?

Please let me know if there's any other information that would help us to solve this issue.

Thanks in advance,

Steve Burch
# 2  
Old 05-17-2009
1. You should not publish keys - your system is now wide open
2. In unix the keys go in the home directory of the user under the .ssh directory -- permissions on .ssh == 700.
3. The user's home directory should not be world writable.

Last edited by jim mcnamara; 05-17-2009 at 08:09 PM..
# 3  
Old 05-18-2009
Hi Jim,

Thanks for your feedback - I only thought my system would be wide open if I'd published the whole keys, but I do stand to be corrected.

My understanding was that it was only Openssh that would use the .ssh directory, whereas the F-Secure version used .ssh2. I did actually remove the .ssh directory completely, and it didn't make any difference regarding connectivity.

The user's home directory is 755, so isn't writable by the world.

I can only assume the issue is on the NT server side, and believe I'll just have to set up the interface with a password built in.

Thanks,

Steve
# 4  
Old 05-28-2009
Hi,

After some assistance from the NT server support guys, it appears that the public key that I have sent them is in the wrong format (there's a KnowledgeBase article, ID 31930, posted on the ssh support website about key incompatibility) - according to one article, the following command should be run:-
Now that you have uploaded the public key to the OpenSSH server, you must convert the public key format from SecSH (the format generated by the F-Secure SSH client) to OpenSSH (the format supported by OpenSSH servers). To do this, follow these steps:
1. On the command line, change to the .ssh directory in your user account.
2. Use the following command to convert the key to OpenSSH format and append the key to the authorized_keys file. Replace publickeyname.pub with the name of your public key:
ssh-keygen -i -f publickeyname.pub >>authorized_keys
My questions on this are:-
1. On which server is this meant to be run - the Unix or Windows?
2. It mentions .ssh directory, whereas the Windows server has a .ssh2 directory.
3. Is there a utility I can use to do this on the Unix server before transferring it to the Windows server? The options that I have are:-
bash-3.00$ ssh-keygen -help
Usage: ssh-keygen [options] [key1 key2 ...]
Where `options' are:
-b nnn Specify key strength in bits (e.g. 1024)
-t dsa | rsa Choose the key type.
-c comment Provide the comment.
-e file Edit the comment/passphrase of the key.
-p passphrase Provide passphrase.
-P Assume empty passphrase.
-?
-h Print this help text.
-q Suppress the progress indicator.
-1 Convert a SSH 1.x key. (not implemented)
-i file Load and display information on `file'.
-D file Derive the private key given in 'file' to public key.
-B number The number base for displaying key information (default 10).
-V Print ssh-keygen version number.
-r file Stir data from file to random pool.
-F file Dump fingerprint of file.
Does anyone have any further input on this that may help me?

Thanks in advance,

Steve
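As an added example (not code from the thread, nor from the F-Secure or OpenSSH tools), this shows what the `ssh-keygen -i -f publickeyname.pub` step in the quoted article actually does: it unpacks the SecSH (RFC 4716) container that the F-Secure client writes, as seen in batchftp_uat.pub, and re-emits the same key blob as one OpenSSH `authorized_keys` line. The modulus used to build the demo key is a constructed value, not a real key.

```python
"""SecSH (RFC 4716) public key -> OpenSSH authorized_keys line, the same
container change `ssh-keygen -i` performs.  Added example, not thread code."""
import base64
import struct

def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the payload."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(n: int) -> bytes:
    """SSH wire mpint: minimal big-endian bytes, 0x00-padded if the top bit is set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def build_rsa_blob(e: int, n: int) -> bytes:
    """Wire encoding of an ssh-rsa public key: string 'ssh-rsa', mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)

def secsh_public_key(blob: bytes, subject: str, comment: str) -> str:
    """Wrap a key blob in the SecSH container (70-char body lines, as in the .pub file)."""
    body = base64.b64encode(blob).decode()
    rows = [body[i:i + 70] for i in range(0, len(body), 70)]
    return "\n".join(["---- BEGIN SSH2 PUBLIC KEY ----", f"Subject: {subject}",
                      f'Comment: "{comment}"', *rows, "---- END SSH2 PUBLIC KEY ----"]) + "\n"

def secsh_to_openssh(text: str) -> str:
    """Parse a SecSH public key block and emit '<keytype> <base64> <comment>'."""
    lines = text.strip().splitlines()
    if lines[0] != "---- BEGIN SSH2 PUBLIC KEY ----" or lines[-1] != "---- END SSH2 PUBLIC KEY ----":
        raise ValueError("not a SecSH public key block")
    headers, body, i = {}, [], 1
    while i < len(lines) - 1:
        line = lines[i]
        if ":" in line and not body:      # header line; a trailing backslash continues it
            while line.endswith("\\"):
                i += 1
                line = line[:-1] + lines[i]
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        else:                             # base64 body (':' is not in the base64 alphabet)
            body.append(line.strip())
        i += 1
    blob = base64.b64decode("".join(body), validate=True)
    # The first wire string in the blob names the key type; refuse anything unexpected.
    ktype = blob[4:4 + struct.unpack(">I", blob[:4])[0]].decode("ascii")
    if ktype not in ("ssh-rsa", "ssh-dss"):
        raise ValueError(f"unsupported key type {ktype!r}")
    comment = headers.get("comment", "").strip('"')
    return f"{ktype} {base64.b64encode(blob).decode()} {comment}".rstrip()
```

The conversion only changes the container: the base64 key material is byte-for-byte the same in both forms, so the line that lands in the server's `authorized_keys` can be checked against the body of the original .pub file.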
