Hello Brian,
I have purchased Absolute version 8.14, and I am trying to use the ssh2 connection to my corporate Unix servers, which are Sun and Linux servers, with no success.
And I actually purchased it for this express purpose.
Here is the ssh version on the Sun servers:
ssh -v
Sun_SSH_1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
And here is the ssh version from the Linux servers:
ssh -v
OpenSSH_4.1p1, OpenSSL 0.9.7d 17 Mar 2004
And from the standpoint of ssh'ing and scp'ing passwordless via private/public keys, I have been doing it successfully, bouncing from server to server.
The standard steps I do in Unix are:
I only ran step 1 once to generate the keys and then transferred the public key to the other servers.
1) On the source server I run ssh-keygen -t rsa
This created for me on the Sun server an id_rsa and an id_rsa.pub file.
Step 2 and beyond I do for each machine I want to get to.
2) I sftp'ed the id_rsa.pub file to the remote Sun host and ran the commands:
mkdir -p $HOME/.ssh
touch $HOME/.ssh/authorized_keys
touch $HOME/.ssh/authorized_keys2
chmod 700 $HOME/.ssh
chmod 600 $HOME/.ssh/authorized_keys
chmod 600 $HOME/.ssh/authorized_keys2
cat $HOME/id_rsa.pub >> $HOME/.ssh/authorized_keys
cat $HOME/id_rsa.pub >> $HOME/.ssh/authorized_keys2
3) Then I can easily go from Sun server to remote Sun server via ssh and use SFTP and SCP without a password.
Using Absolute Telnet 8.14 from my WinXP PC, I thought it would be the same thing; at least it appears that way.
But it is not working.
Here are the steps I have done.
1) You need to know that on the Unix Sun server I am trying to get to, my userid is called RAASGAS, and on my WinXP machine it is avitale under a domain of DOG on a Windows PC called WXPDMIAAVITALE.
These are from my environment variables on the WinXP session via a cmd box and the command set, which shows all current variables:
COMPUTERNAME=WXPDMIAAVITALE
USERDNSDOMAIN=DOG.ABCD.COM
USERDOMAIN=DOG
USERNAME=avitale
2) I set up in Absolute Telnet, under the ssh2 tab, the hostname I am going to, called Server1, and clicked off the Auto Login of Prompt and Authentication of Use RSA/DSA key.
3) When I clicked OK I had to click the new dialog box to supply the username (raasgas); at least I believe it is asking for the username of the target server. I clicked the RSA/DSA key and had it generate me an RSA key pair with no passphrase and a base filename of id_rsa.
This created for me 3 files:
id_rsa.priv
id_rsa.pubopen
id_rsa.pubssh2
The thing I thought unusual was that there is no username@machine name found after the = sign in the id_rsa.pubopen or id_rsa.pubssh2 files. At least in the examples I have seen on the net, as well as the private/public keys on the Unix platform, there is a username@server after the equals sign.
Here are the keys it generated for me (I changed the values within the keys):
-----BEGIN RSA PRIVATE KEY-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
88DnptVqdrujdxHMXPHzDOoWxezp8qzpS6rWHdTi
-----END RSA PRIVATE KEY-----
And this is the id_rsa.pubopen:
ssh-rsa XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX+LQX8JMJ9EVg13k0NuWnmLPQ8zXa2KOJz3pxuyuYIdxQidRi73qInW5088=
And this is the id_rsa.pubssh2:
---- BEGIN SSH2 PUBLIC KEY ----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
X8JMJ9EVg13k0NuWnmLPQ8zXa2KOJz3pxuyuYIdxQidRi73qInW5088=
---- END SSH2 PUBLIC KEY ----
I then took the id_rsa.pubopen and copied it to the target server1 and ran:
cat $HOME/id_rsa.pubopen >> $HOME/.ssh/authorized_keys
cat $HOME/id_rsa.pubopen >> $HOME/.ssh/authorized_keys2
And when I run Absolute Telnet I get "Authentication Failed - Try again", and when I look at the log I get:
cat C:\Program Files\AbsoluteTelnet\logs\Auth.log
2528 - Attempting 'none' authentication.
2528 - User authentication banner received from the server.
2528 - Remaining authentication methods: 'gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive'.
2528 - Attempting 'publickey' authentication.
2528 - Authentication failed. Remaining authentication methods: 'gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive'.
So I think there is an issue with Absolute Telnet getting my WinXP username or passing the username RAASGAS.
Is there any more verbose logging to the C:\Program Files\AbsoluteTelnet\logs\Auth.log file that can be done?
Something like ssh -v?
Thanks
Anthony Vitale
Thanks, Anthony, for contacting me.
It seems you have everything set up correctly, so I'm not sure exactly what the issue is, but let me start by clarifying a little bit on a few things and ask a few questions....
1. Absolute does not use environment variables on the XP system, so this is not the issue.
2. The username@machine in the generated key is only a comment and helps you keep track of who generated the keys and where they were generated. It has no meaning other than that.
3. You only have to generate ONE keypair. If you generated this keypair on the unix server, you should transfer the private key over to XP. I, frankly, would not leave my private keys on the unix box. This is a potential point of compromise. The added security of public-key authentication RELIES on keeping the private key private! With the private key safely on the client box, it is easy to SSH from XP to 'Server A'. With authentication forwarding, you can also ssh from 'Server A' to 'Server B' without having to store your private key on 'Server A' for this purpose. However, let's make the first hop and we'll leave authentication forwarding for a subsequent post.
4. Logins *are* case sensitive. At least in your post, you specify it in one place as RAASGAS and another raasgas. Make sure you enter the right one.
5. The key dialog here is the one that you see at connect time (below). Make sure that you have the correct username and the correct path to the private key file. Make sure that the corresponding public key is in the authorized_keys2 file on the target. Try using the private key file generated by ssh-keygen in XP. Don't leave your private keys on the server.
Can you run sshd with logging on the server to get more information?
Brian
I thought about this some more and may have missed the most obvious problem. When you generate the public/private keypair, Absolute generates TWO versions of the public key. The .pubopen key is formatted for an OpenSSH server. The .pubssh2 key is in RFC4716 SSH2 public key format. You will use one or the other depending on your server. One of your servers is OpenSSH and the other is not. Be sure to use the appropriate key format the server is expecting.
Thank you for the quick response.
You are correct; however, it appears that my Sun boxes are OpenSSH as well.
I found the problem.
I needed to run:
chmod 755 $HOME
chmod 700 $HOME/.ssh
chmod 600 $HOME/.ssh/authorized_keys
chmod 600 $HOME/.ssh/authorized_keys2
Once all that was done, I was able to use it as normal.
Thanks
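The fix above is a permissions problem: sshd (with StrictModes, the default) silently ignores authorized_keys when the home directory, .ssh or the key file is writable by group or others, and the client only sees "Authentication failed". The script below is an added example, not code from this thread, from AbsoluteTelnet or from OpenSSH. It audits the paths sshd inspects and installs an OpenSSH-format (.pubopen) key into authorized_keys with the 755/700/600 permissions from the thread, refusing an RFC4716 (.pubssh2) file, which an OpenSSH server does not accept in authorized_keys. The function names, the scratch directory standing in for $HOME and the sample key blob are all this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the thread, AbsoluteTelnet or OpenSSH): check the
# permission conditions sshd's StrictModes enforces on the target account and
# install an OpenSSH-format public key into authorized_keys idempotently.
# Function names and the sample key are this example's own inventions.

# Constructed sample key in OpenSSH one-line format; the blob is not a real key.
SAMPLE_OPENSSH_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQConstructedExampleBlobNotARealKey0000= avitale@WXPDMIAAVITALE'

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# True (0) if the group or "other" digit carries the write bit (2, 3, 6 or 7).
group_or_other_writable() {
    m=$(mode_of "$1")
    m=${m#"${m%???}"}        # keep the last three octal digits (drops a setuid/sticky digit)
    g=${m%?}; g=${g#?}       # middle digit: group
    o=${m#??}                # last digit: other
    case "$g$o" in *[2367]*) return 0 ;; esac
    return 1
}

# Report every path sshd inspects that would make it ignore authorized_keys.
# sshd only rejects group- or world-writable paths; the thread's 755/700/600
# values satisfy that.
audit_ssh_perms() {
    home=$1
    rc=0
    if group_or_other_writable "$home"; then
        echo "FAIL: $home is group- or world-writable"
        rc=1
    fi
    if [ ! -d "$home/.ssh" ]; then
        echo "FAIL: $home/.ssh does not exist"
        return 1
    fi
    if group_or_other_writable "$home/.ssh"; then
        echo "FAIL: $home/.ssh is group- or world-writable"
        rc=1
    fi
    for f in authorized_keys authorized_keys2; do
        [ -e "$home/.ssh/$f" ] || continue
        if group_or_other_writable "$home/.ssh/$f"; then
            echo "FAIL: $home/.ssh/$f is group- or world-writable"
            rc=1
        fi
    done
    return $rc
}

# Append an OpenSSH public-key line to authorized_keys with the thread's
# permissions, refusing RFC4716 (.pubssh2) input, which OpenSSH's
# authorized_keys does not accept, and skipping keys already present.
install_pubkey() {
    home=$1
    keyfile=$2
    if grep -q '^---- BEGIN SSH2 PUBLIC KEY ----' "$keyfile"; then
        echo "refusing $keyfile: RFC4716 format; use the .pubopen file for OpenSSH" >&2
        return 2
    fi
    key=$(head -n 1 "$keyfile")
    case "$key" in
        ssh-rsa\ *|ssh-dss\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) echo "refusing $keyfile: not an OpenSSH public-key line" >&2; return 2 ;;
    esac
    mkdir -p "$home/.ssh"
    chmod 755 "$home"                       # the step that was missing in the thread
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    # Match on "type blob" only, so a different trailing comment is not a new key.
    blob=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    if grep -qF -- "$blob" "$home/.ssh/authorized_keys"; then
        echo "already present"
        return 0
    fi
    printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    echo "installed"
}

# Stand-alone demonstration on a scratch directory standing in for $HOME.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home"
    chmod 777 "$tmp/home"                   # reproduce the broken state
    printf '%s\n' "$SAMPLE_OPENSSH_KEY" > "$tmp/id_rsa.pubopen"
    audit_ssh_perms "$tmp/home" || echo "(audit fails before the fix, as expected)"
    install_pubkey "$tmp/home" "$tmp/id_rsa.pubopen"
    install_pubkey "$tmp/home" "$tmp/id_rsa.pubopen"   # second run is a no-op
    audit_ssh_perms "$tmp/home" && echo "audit passes after the fix"
    rm -rf "$tmp"
}
demo
```

Running it against a real account means calling `audit_ssh_perms "$HOME"` on the target server; a FAIL line there is the server-side counterpart of the client's bare "Authentication failed", and `sshd` started with `-d` (as Brian suggests) logs the same refusal in words.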
Sorry, I thought you had done that already.
Now that you have the environment right, we could talk a little bit about "agent forwarding". This allows you to keep your private key on your client system where it is most secure but still allows you to make multiple hops between servers. Getting an SSH connection from Windows to 'server A' is easy, but without agent forwarding, you'd have to have a copy of your private key on 'Server A' for authentication to 'Server B'. If you used public-key authentication to 'Server A', the solution is simple. In Absolute, use public-key authentication to connect to 'Server A', then use the command 'ssh -A serverb' to initiate the ssh connection from "server A" to "server b". The '-A' option enables agent forwarding. You'll be prompted with the following dialog:
This prompts you to either allow or deny the authentication to "Server B". This is a security measure to prevent a possible rogue process on the unix server from using your key without your knowledge. You can choose to not display this dialog, but I don't recommend it. Click 'Yes' to approve and you're connected to "Server B" without having to supply additional authentication or passwords. You can make as many hops as you wish to 'Server C', 'Server D' and so on. All you have to do is place your PUBLIC key in the authorized_keys file of each of these servers. The private key should remain local.
scp can use the agent forwarding as well, but does not require the '-A' option because only single hops are allowed.
Brian