Ssh-keygen (Saving the key failed:)


 
# 8  
Old 11-01-2015
Seems unusual that a save file problem would have anything to do with a library. If the value could not be calculated - perhaps.

And to follow the line of agent.kgb - how about the output of

lslpp -L | grep openss
to get both openssh and openssl.

and do not forget the ifix listing: emgr -l
# 9  
Old 11-03-2015
Hi,

I'm sorry but we had to revert back to 7.1.2 and are unable to provide any information you guys might need.

The package causing the problem, it seems, was openssl.base 1.0.1.513 on AIX 7.1.3.

Currently running openssl.base 0.9.8.2500 on AIX 7.1.2.

The openssh version (openssh.base.server 6.0.0.6102) did not change with the upgrade, so it can't be that.

As soon as encryption is applied to the key file it fails, which is why it works when no passphrase is added. Also, none of our previously defined keys were working.

With a fresh vanilla installation everything works fine, but as soon as you upgrade the currently running version and openssl.base 1.0.1.513 is put back in, the wheels come off.

Take out only openssl.base 1.0.1.513 and put back openssl.base 0.9.8.2500, and everything works fine again.

Thank you anyway.
# 10  
Old 11-03-2015
I wish I had good news for you, but unfortunately you have to upgrade your OpenSSL and OpenSSH to the latest versions. This is the list of security vulnerabilities in your OpenSSL version:


Quote:
1. CVE-2014-3566 - SSL protocol 3.0 uses nondeterministic CBC padding, which makes it easier
for man-in-the-middle attackers to obtain cleartext data via a padding-oracle
attack.

2. CVE-2014-3567 - OpenSSL could allow remote attackers to cause a denial of service (memory consumption)
via crafted session ticket that triggers an integrity-check failure.

3. CVE-2014-3505 - OpenSSL could allow remote attackers to cause a denial of service
(application crash) via crafted DTLS packets that trigger an error condition.

4. CVE-2014-3506 - OpenSSL could allow remote attackers to cause a denial of service
(memory consumption) via crafted DTLS handshake messages that trigger memory
allocations corresponding to large length values.

5. CVE-2014-3507 - OpenSSL could allow remote attackers to cause a denial of service
(memory consumption) via zero-length DTLS fragments that trigger improper
handling of the return value of insert function.

6. CVE-2014-3508 - OpenSSL could allow context-dependent attackers to obtain sensitive information
from process stack memory by reading output from some functions when pretty
printing is used

7. CVE-2014-3510 - OpenSSL could allow remote DTLS servers to cause a denial of service
(NULL pointer dereference and client application crash) via a crafted
handshake message in conjunction with a (1) anonymous DH or
(2) anonymous ECDH ciphersuite.

8. CVE-2014-0195 - A buffer overrun attack can be triggered by sending invalid DTLS fragments
to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary
code on a vulnerable client or server.

9. CVE-2014-0221 - By sending an invalid DTLS handshake to an OpenSSL DTLS client the code
can be made to recurse eventually crashing in a DoS attack.

10. CVE-2014-0224 - An attacker using a carefully crafted handshake can force the use of weak
keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a
Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic
from the attacked client and server.

11. CVE-2014-3470 - OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a
denial of service attack.

12. CVE-2014-0076 - The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure
that certain swap operations have a constant-time behavior, which makes it easier
for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack.
---------- Post updated at 10:51 PM ---------- Previous update was at 10:49 PM ----------

Oops, sorry, I think I forgot several more:

Quote:
1. CVE-2015-0293 - Remote attackers can cause a Denial of Service (assertion failure and
daemon exit) via crafted CLIENT-MASTER-KEY message.

2. CVE-2015-0292 - Remote attackers can cause a Denial of Service (memory corruption) via
crafted base64 data that triggers a buffer overflow.

3. CVE-2015-0289 - Remote attackers can cause a Denial of Service (NULL pointer dereference
and application crash) by leveraging an application that processes arbitrary
PKCS#7 data and providing malformed data with ASN.1 encoding

4. CVE-2015-0288 - Remote attackers can cause a Denial of Service (NULL pointer dereference
and application crash) via an invalid certificate key

5. CVE-2015-0287 - Remote attackers can cause a Denial of Service (invalid write operation
and memory corruption) by leveraging an application that relies on ASN.1
structure reuse

6. CVE-2015-0286 - Remote attackers can cause a Denial of Service (invalid read operation and
application crash) via a crafted X.509 certificate to an endpoint that uses
the certificate-verification feature

7. CVE-2015-0209 - Remote attackers can cause a Denial of Service (memory corruption and application
crash) via a malformed Elliptic Curve (EC) private-key file that is improperly
handled during import

8. CVE-2015-0204 - OpenSSL allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks
and facilitate brute-force decryption by offering a weak ephemeral RSA key in a
noncompliant role.

9. CVE-2014-8275 - OpenSSL does not enforce certain constraints on certificate data, which allows remote
attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by
including crafted data within a certificate's unsigned portion

10. CVE-2014-3571 - OpenSSL allows remote attackers to cause a denial of service via a crafted DTLS message
that is processed with a different read operation for the handshake header than for the
handshake body

11. CVE-2014-3570 - OpenSSL does not properly calculate the square of a BIGNUM value, which might make it
easier for remote attackers to defeat cryptographic protection mechanisms via unspecified
vectors
---------- Post updated at 10:57 PM ---------- Previous update was at 10:51 PM ----------

Your version of OpenSSH is pretty old and has some known security problems too. It is compiled with OpenSSL 0.9.8.x and if you want to use it, you can update OpenSSL to 0.9.8.2505 (I would recommend doing it ASAP), but not to 1.0.1.514.

Quote:
This is OpenSSH-6.0p1 (6.0.0.6102) for AIX 5.3, AIX 6.1 and AIX 7.1.
This version of OpenSSH is compiled with OpenSSL 0.9.8x.
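
A check for the pairing described in the post above, as an added example that is not part of the original thread: it reads `lslpp -Lc` output and flags an openssl.base level outside the OpenSSL branch the installed OpenSSH was built against. The function names and sample rows are constructed; the only build fact used is the README line quoted above (OpenSSH 6.0.0.6102 compiled with OpenSSL 0.9.8x).

```sh
#!/bin/sh
# Added example: flag an OpenSSH build / OpenSSL fileset mismatch on AIX.
# Input is `lslpp -Lc` output (colon-separated, fileset in field 2, level in field 3).

# Constructed sample rows using the fileset levels reported in the thread.
SAMPLE_BROKEN='#Package Name:Fileset:Level:State:PTF Id:Fix State:Type:Description
openssh.base:openssh.base.server:6.0.0.6102: : :C: :Open Secure Shell Server
openssl.base:openssl.base:1.0.1.513: : :C: :Open Secure Socket Layer'

SAMPLE_OK='#Package Name:Fileset:Level:State:PTF Id:Fix State:Type:Description
openssh.base:openssh.base.server:6.0.0.6102: : :C: :Open Secure Shell Server
openssl.base:openssl.base:0.9.8.2500: : :C: :Open Secure Socket Layer'

# fileset_level <fileset>: print the Level of one fileset (stdin = lslpp -Lc output)
fileset_level() {
    awk -F: -v want="$1" '$2 == want { print $3; exit }'
}

# check_pairing: stdin = lslpp -Lc output; prints a one-line verdict.
# Returns 0 = consistent, 1 = mismatch, 2 = cannot decide.
check_pairing() {
    listing=$(cat)
    ssh_lvl=$(printf '%s\n' "$listing" | fileset_level openssh.base.server)
    ssl_lvl=$(printf '%s\n' "$listing" | fileset_level openssl.base)
    if [ -z "$ssh_lvl" ] || [ -z "$ssl_lvl" ]; then
        echo "UNKNOWN: openssh.base.server or openssl.base not listed"
        return 2
    fi
    # Only the build documented in the quoted README is known here;
    # any other OpenSSH level is reported as undecided rather than guessed.
    case "$ssh_lvl" in
        6.0.0.6102) branch="0.9.8." ;;
        *) echo "UNKNOWN: no build information for openssh $ssh_lvl"; return 2 ;;
    esac
    case "$ssl_lvl" in
        "$branch"*) echo "OK: openssh $ssh_lvl with openssl $ssl_lvl"; return 0 ;;
        *) echo "MISMATCH: openssh $ssh_lvl is built for openssl ${branch}x, found $ssl_lvl"
           return 1 ;;
    esac
}

# On a live AIX host: lslpp -Lc | check_pairing
printf '%s\n' "$SAMPLE_BROKEN" | check_pairing || true
printf '%s\n' "$SAMPLE_OK" | check_pairing || true
```
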
# 11  
Old 11-03-2015
If I recall correctly, the *.2500 openssl packaging was FIPS certified, so these were not even standard 0.9.8 openssl copies.

As stated before, you need to update both openssl and openssh. I suspect the reason your ssh was not working is because the library yours is using is not the same as the openssl.0.9.8 that is included on openssl-1.0.1.5XX, i.e., it is not FIPS certified.

I will see if I can locate an openssh similar to what you have - but I fear that will be near impossible now. I do have a version of openssh based on openssh-6.9p1, or even openssh-7.1p1 if you are interested.

There are notable differences in the defaults with each new version starting with openssh-6.7p1 - FYI.
# 12  
Old 11-03-2015
Quote:
Originally Posted by MichaelFelt
If I recall correctly, the *.2500 openssl packaging was FIPS certified, so these were not even standard 0.9.8 openssl copies.
Nope. There is a special FIPS-certified version based on 0.9.8 and it has numbers like 12.9.8.x
# 13  
Old 11-04-2015
Ouch, that really doesn't sound great.
Although remember that IBM recommends only installing packages that are part of the official service packs. The openssh and openssl packages I mentioned are the ones available in the latest AIX release (AIX 7.1.3 SP5).
# 14  
Old 11-04-2015
Both openssh and openssl are still not part of the official AIX distribution. The newest version can be downloaded from IBM Web Download pack:

IBM AIX Expansion Pack and Web Download Pack