WinXP not being able to connect via priv/pub key

(@anthonythevitalesnet)
New Member
Joined: 15 years ago
Posts: 2
Topic starter  

Hello Brian

I have purchased Absolute version 8.14, and I am trying to use the SSH2 connection to my corporate Unix servers, which are Sun and Linux servers, with no success.

And I actually purchased it for this express purpose.

Here is the ssh version on the Sun servers:

ssh -v
Sun_SSH_1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090704f

And here is the ssh version from the Linux servers:

ssh -v
OpenSSH_4.1p1, OpenSSL 0.9.7d 17 Mar 2004

From the standpoint of ssh'ing and scp'ing passwordless via priv/pub keys, I have been doing it successfully, bouncing from server to server.

The standard steps I do in Unix are:

I only ran step 1 once to generate the keys and then transferred the public key to the other servers.

1) On the source server I run ssh-keygen -t rsa
This created for me on the Sun server an id_rsa and an id_rsa.pub file.

Step 2 and beyond I do for each machine I want to get to.
2) I sftp'ed the id_rsa.pub file to the remote Sun host and ran the commands:

mkdir -p $HOME/.ssh
touch $HOME/.ssh/authorized_keys
touch $HOME/.ssh/authorized_keys2
chmod 700 $HOME/.ssh
chmod 600 $HOME/.ssh/authorized_keys
chmod 600 $HOME/.ssh/authorized_keys2

cat $HOME/id_rsa.pub >> $HOME/.ssh/authorized_keys
cat $HOME/id_rsa.pub >> $HOME/.ssh/authorized_keys2

3) Then I can easily go from Sun server to remote Sun server via ssh and use SFTP and SCP without a password.

Using Absolute Telnet 8.14 from my WinXP PC I thought it would be the same thing; at least it appears that way.

But it is not working.

Here are the steps I have done.

1) You need to know that on the Unix Sun server I am trying to get to, my userid is called RAASGAS, and on my WinXP machine it is avitale under a domain of DOG on a Windows PC called WXPDMIAAVITALE.

These are from my environment variables on the WinXP session via a cmd box and the command set, which shows all current variables.
COMPUTERNAME=WXPDMIAAVITALE
USERDNSDOMAIN=DOG.ABCD.COM
USERDOMAIN=DOG
USERNAME=avitale

2) I set up in Absolute Telnet under the ssh2 tab the hostname I am going to, called Server1, and clicked off the Auto Login of Prompt and Authentication of Use RSA/DSA key.

3) When I clicked OK I had to click the new dialog box to supply the username (raasgas). At least I believe it is asking for the username of the target server. I clicked the RSA/DSA key and had it generate me an RSA key pair with no passphrase and a base filename of id_rsa.

This created 3 files for me:
id_rsa.priv
id_rsa.pubopen
id_rsa.pubssh2

The thing I thought unusual was that there is no username@machinename found after the = sign in the id_rsa.pubopen nor the id_rsa.pubssh2 files. At least in the examples I have seen on the net, as well as the private/pub keys on the Unix platform, there is a username@server after the equals sign.

Here are the keys it generated for me (I changed the code values within the keys).


And this is the id_rsa.pubopen:
ssh-rsa XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX+LQX8JMJ9EVg13k0NuWnmLPQ8zXa2KOJz3pxuyuYIdxQidRi73qInW5088=

And this is the id_rsa.pubssh2:
---- BEGIN SSH2 PUBLIC KEY ----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
X8JMJ9EVg13k0NuWnmLPQ8zXa2KOJz3pxuyuYIdxQidRi73qInW5088=
---- END SSH2 PUBLIC KEY ----

I then took the id_rsa.pubopen and copied it to the target server1 and ran:

cat $HOME/id_rsa.pubopen >> $HOME/.ssh/authorized_keys
cat $HOME/id_rsa.pubopen >> $HOME/.ssh/authorized_keys2

And when I run Absolute Telnet I get "Authentication Failed - Try again", and when I look at the log I get:

cat C:\Program Files\AbsoluteTelnet\logs\Auth.log

2528 - Attempting 'none' authentication.
2528 - User authentication banner received from the server.
2528 - Remaining authentication methods: 'gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive'.
2528 - Attempting 'publickey' authentication.
2528 - Authentication failed. Remaining authentication methods: 'gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive'.

So I think there is an issue in Absolute Telnet getting my WinXP username or passing the username RAASGAS.

Is there any more verbose logging to the C:\Program Files\AbsoluteTelnet\logs\Auth.log file that can be done?

Something like ssh -v?

Thanks
Anthony Vitale


   
ReplyQuote
(@bpence)
Member Admin
Joined: 12 months ago
Posts: 1375
 

Thanks, Anthony, for contacting me.

It seems you have everything set up correctly, so I'm not sure exactly what the issue is, but let me start by clarifying a little bit on a few things and asking a few questions...

1. Absolute does not use environment variables on the XP system, so this is not the issue.

2. The username@machine in the generated key is only a comment and helps you keep track of why you generated the keys and where they were generated. It has no meaning other than that.

3. You only have to generate ONE keypair. If you generated this keypair on the unix server, you should transfer the private key over to XP. I, frankly, would not leave my private keys on the unix box. This is a potential point of compromise. The added security of public-key authentication RELIES on keeping the private key private! With the private key safely on the client box, it is easy to SSH from XP to 'Server A'. With authentication forwarding, you can also ssh from 'Server A' to 'Server B' without having to store your private key on 'Server A' for this purpose. However, let's make the first hop and we'll leave authentication forwarding for a subsequent post.

4. Logins *are* case sensitive. At least in your post, you specify it in one place as RAASGAS and another raasgas. Make sure you enter the right one.

5. The key dialog here is the one that you see at connect time (below). Make sure that you have the correct username and the correct path to the private key file. Make sure that the corresponding public key is in the authorized_keys2 file on the target. Try using the private key file generated by ssh-keygen in XP. Don't leave your private keys on the server.

Can you run sshd with logging on the server to get more information?

Brian


   
ReplyQuote
(@bpence)
Member Admin
Joined: 12 months ago
Posts: 1375
 

I thought about this some more and may have missed the most obvious problem. When you generate the public/private keypair, Absolute generates TWO versions of the public key. The .pubopen key is formatted for an OpenSSH server. The .pubssh2 key is in RFC4716 SSH2 public key format. You will use one or the other depending on your server. One of your servers is OpenSSH and the other is not. Be sure to use the appropriate key format the server is expecting.


   
ReplyQuote
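The two public-key layouts Brian describes above differ only in packaging: the .pubssh2 file wraps the same base64 key blob in RFC4716 markers and header lines, while OpenSSH's authorized_keys wants a single "type blob comment" line. The converter below is an added example, not code from the thread or from AbsoluteTelnet (ssh-keygen -i -f key.pubssh2 does the same job wherever OpenSSH is installed); it assumes POSIX sh and awk, recognises the key type from the blob's fixed base64 prefix, and the sample key it writes is constructed, not a real key.

```shell
#!/bin/sh
# Convert an RFC4716 (.pubssh2) public key file to one OpenSSH authorized_keys line.
# Header lines contain ':' (base64 never does) and may be wrapped with a trailing '\'.
# The blob starts with a length-prefixed type name: "ssh-rsa" encodes to AAAAB3NzaC1yc2EA
# and "ssh-dss" to AAAAB3NzaC1kc3MA, so the prefix tells us which type word to emit.
rfc4716_to_openssh() {
    awk '
        /^---- BEGIN SSH2 PUBLIC KEY ----/ { inkey = 1; next }
        /^---- END SSH2 PUBLIC KEY ----/   { inkey = 0; next }
        !inkey { next }
        cont   { cont = ($0 ~ /\\$/); next }     # continuation of a wrapped header line
        /:/    {                                  # header line, e.g. Comment: "user@host"
            if ($0 ~ /^Comment:/) {
                comment = $0
                sub(/^Comment:[ \t]*/, "", comment)
                gsub(/"/, "", comment)
            }
            cont = ($0 ~ /\\$/); next
        }
        { b64 = b64 $0 }                          # base64 body, joined into one string
        END {
            if (b64 ~ /^AAAAB3NzaC1yc2EA/) type = "ssh-rsa"
            else if (b64 ~ /^AAAAB3NzaC1kc3MA/) type = "ssh-dss"
            else exit 1                           # no body found or unsupported key type
            out = type " " b64
            if (comment != "") out = out " " comment
            print out
        }
    ' "$1"
}

# Constructed sample (not a real key; only the type prefix of the blob is meaningful).
# The Comment header becomes the trailing "user@host" that OpenSSH users expect to see.
write_sample_pubssh2() {
    cat > "$1" <<'EOF'
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "avitale@WXPDMIAAVITALE"
AAAAB3NzaC1yc2EAAAADAQABAAAAQQDEXAMPLEEXAMPLE
EXAMPLEEXAMPLE==
---- END SSH2 PUBLIC KEY ----
EOF
}
```

Append the printed line to $HOME/.ssh/authorized_keys on the target (as in step 2 of the first post); a non-zero exit means the file carried no recognisable key blob.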
(@anthonythevitalesnet)
New Member
Joined: 15 years ago
Posts: 2
Topic starter  

Thank you for the quick response.

You are correct; however, it appears that my Sun boxes are OpenSSH as well.

I found the problem.

I needed to run:

chmod 755 $HOME
chmod 700 $HOME/.ssh
chmod 600 $HOME/.ssh/authorized_keys
chmod 600 $HOME/.ssh/authorized_keys2

Once all that was done I was able to use it as normal.

Thanks


   
ReplyQuote
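The chmod lines in the post above, and the mkdir/touch/chmod steps from the first post, exist because sshd (with StrictModes, the default) silently ignores authorized_keys when the home directory, .ssh or the key file is writable by group or others, or owned by someone else; the client then only sees "publickey" fail, exactly as in Anthony's Auth.log. The checker and fixer below are an added example, not code from the thread or from AbsoluteTelnet; they assume GNU or busybox stat on the Unix target and take the home directory and expected owner as arguments.

```shell
#!/bin/sh
# Report the ownership/permission problems on the target account that make sshd
# refuse its authorized_keys; prints one line per problem and returns 0 when clean.
check_authkeys_perms() {
    home="$1"
    owner="$2"
    rc=0
    for f in "$home" "$home/.ssh" "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys2"; do
        [ -e "$f" ] || continue          # authorized_keys2 is optional
        mode=$(stat -c '%a' "$f")        # octal mode, e.g. 755 or 4755
        who=$(stat -c '%U' "$f")
        go=${mode#"${mode%??}"}          # last two octal digits: group and other
        g=${go%?}
        o=${go#?}
        if [ "$who" != "$owner" ]; then
            echo "$f: owned by $who, expected $owner"; rc=1
        fi
        # sshd only objects to write bits here; a digit with the 2 bit set is writable
        case "$g" in 2|3|6|7) echo "$f: group-writable (mode $mode)"; rc=1 ;; esac
        case "$o" in 2|3|6|7) echo "$f: world-writable (mode $mode)"; rc=1 ;; esac
    done
    return $rc
}

# Apply the fix from the thread: home not writable by others, .ssh private,
# authorized_keys files readable by the owner only (tighter than sshd requires).
fix_authkeys_perms() {
    home="$1"
    mkdir -p "$home/.ssh"
    chmod 755 "$home"
    chmod 700 "$home/.ssh"
    for f in "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys2"; do
        [ -e "$f" ] && chmod 600 "$f"
    done
    return 0
}
```

Run check_authkeys_perms "$HOME" "$(id -un)" on the server as the account that is failing to log in; sshd's own reason for ignoring the key is also logged when it runs with verbose logging, as Brian asked.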
(@bpence)
Member Admin
Joined: 12 months ago
Posts: 1375
 

Sorry, I thought you had done that already.

Now that you have the environment right, we could talk a little bit about "agent forwarding". This allows you to keep your private key on your client system where it is most secure but still allows you to make multiple hops between servers. Getting an SSH connection from Windows to 'server A' is easy, but without agent forwarding, you'd have to have a copy of your private key on 'Server A' for authentication to 'Server B'. If you used public-key authentication to 'Server A', the solution is simple. In Absolute, use public-key authentication to connect to 'Server A', then use the command 'ssh -A serverb' to initiate the ssh connection from "server A" to "server b". The '-A' option enables agent forwarding. You'll be prompted with the following dialog:

This prompts you to either allow or deny the authentication to "Server B". This is a security measure to prevent a possible rogue process on the unix server from using your key without your knowledge. You can choose to not display this dialog, but I don't recommend it. Click 'Yes' to approve and you're connected to "Server B" without having to supply additional authentication or passwords. You can make as many hops as you wish to 'Server C', 'Server D' and so on. All you have to do is place your PUBLIC key in the authorized_keys file of each of these servers. The private key should remain local.

scp can use the agent forwarding as well, but does not require the '-A' option because only single hops are allowed.

Brian


   
ReplyQuote
Share: