Old 10-10-2006, 08:02 AM   #1
cf050
LQ Newbie
 
Registered: May 2004
Location: Rostock, Germany
Distribution: Ubuntu 6.06 on amd64
Posts: 25

Rep: Reputation: 15
open-ssh vs. commercial ssh (tru64), public-key auth not possible?


Hi everybody,
I'm in a heterogenous network with both compaq/hp alpha machines running tru64 5.1.b and linux stations running ubuntu 6.06.1. The latter have open-ssh installed, while the alphas run a commercial ssh implementation.

Public key auth. works among the linux stations and the alphas alone, whereas
cross-platform ssh is only possible via password-auth.

One obvious difference regarding public key authentication is that both
implementations save private and public keys in different locations,
~/.ssh/ for open-ssh and ~/.ssh2/ for tru64-ssh.

I appended my id_dsa.pub from .ssh to .ssh2/authorization, which is the place the tru64-ssh-server looks for public-key filenames, but this did not work.

I read there are some principal incompatibilities between open-ssh and the
commercial version. Perhaps this is one of them. Would the use of ssh1 change something?

Does anyone know if my problem is somehow solvable? And how?

Thank you.

Last edited by cf050; 10-10-2006 at 08:04 AM.
 
Old 10-10-2006, 09:38 AM   #2
b0uncer
Guru
 
Registered: Aug 2003
Distribution: CentOS, OS X
Posts: 5,131

Rep: Reputation: Disabled
Quote:
Would the use of ssh1 change something?
Definitely, it would lower your security. That's why ssh2 is used.
 
Old 10-10-2006, 10:22 AM   #3
cf050
LQ Newbie
 
Registered: May 2004
Location: Rostock, Germany
Distribution: Ubuntu 6.06 on amd64
Posts: 25

Original Poster
Rep: Reputation: 15
Thank you very much.
Quote:
Definitely, it would lower your security. That's why ssh2 is used.
That's exactly the answer I was hoping for...
 
Old 10-25-2006, 02:04 AM   #4
Hobbez1
LQ Newbie
 
Registered: Oct 2006
Posts: 2

Rep: Reputation: 0
cf050

Commercial SSH (tru 64) needs the filename inside the authorization file, not the actual key (the way open-ssh does it) ....
Also, the public key format differs....

Create a commercial public key from your openssh pub key (ssh-keygen -e -f <openssh pubkey> > <my name for commercial pubkey>)
Copy the new public key to ~/.ssh2/ directory, and do the following:
echo Key {YOUR KEY NAME } >> ~/.ssh2/authorization

Hope that helps!

Last edited by Hobbez1; 10-25-2006 at 05:20 AM.
 
Old 11-23-2006, 01:55 AM   #5
cf050
LQ Newbie
 
Registered: May 2004
Location: Rostock, Germany
Distribution: Ubuntu 6.06 on amd64
Posts: 25

Original Poster
Rep: Reputation: 15
Hobbez1:
Quote:
Hope that helps!
Noops. Still asking for password, both ways around (ssh to openssh and openssh to ssh)

I did (on my linux machine):

>cd ~/.ssh
>ssh-keygen -e -f id_rsa.pub > id_rsa-commercial.pub
>cp id_rsa-commercial.pub ~/.ssh2
>cd ~/.ssh2
>echo Key id_rsa-commercial.pub >> authorization
>ssh <unix-machine>
user@unix-machine's password: ...

Did I miss anything?
 
Old 11-27-2006, 06:43 AM   #6
Hobbez1
LQ Newbie
 
Registered: Oct 2006
Posts: 2

Rep: Reputation: 0
Sorry, that's me being bad at explaining again....

on your linux-box:
copy the id_rsa-commercial.pub to the commercial ssh box under ~/.ssh2/

then, on the commercial box:
echo Key id_rsa-commercial.pub >> ~/.ssh2/authorization

basically, what needs to happen, in normal english:

1. create public and private key pair on "non-commercial" (NC) box (this pair is meant non-commercial pair)
2. create commercial public key from NC public key
3. copy file to commercial SSH box, under ~/.ssh2 directory
4. tell commercial box to recognize key (by adding "Key <Commercial public key name>" to ~/.ssh2/authorization)

and, hopefully, that's it...!

let me know
 
Old 11-29-2006, 01:30 AM   #7
cf050
LQ Newbie
 
Registered: May 2004
Location: Rostock, Germany
Distribution: Ubuntu 6.06 on amd64
Posts: 25

Original Poster
Rep: Reputation: 15
Hobbez1,

Since our nfs server exports the home directories to both our linux machines and our alpha stations, .ssh/ (for openssh) and .ssh2/ (for tru64) reside under the same directory, namely
/home/<user>/. Sorry, I should have explained that before.

It still does not work. I will back up my .ssh and .ssh2 and restart the whole thing over, e.g. generate key pairs, copy them etc. I'll keep you informed. Thank you so far.
 
Old 12-20-2006, 07:04 AM   #8
cf050
LQ Newbie
 
Registered: May 2004
Location: Rostock, Germany
Distribution: Ubuntu 6.06 on amd64
Posts: 25

Original Poster
Rep: Reputation: 15
Post

Settled!
The systemwide configuration file /etc/ssh2/sshd2_config had to be edited so as to allow
publickey-authentication.

So, this is exactly what I have done:

On my linux machine:
1.) No changes in the /etc/ssh/*_config files necessary.

As user:
2.) remove old .ssh-stuff:

Code:
$ rm -rf .ssh
3.) generate new openssh public/private key pair (I took dsa-type and 2048 bit length here, other values might as well work):

Code:
$ ssh-keygen -t dsa -b 2048
take default paths
no passphrase (type <enter> twice).

cd to newly generated .ssh-directory

Code:
$ cd ~/.ssh
$ ls
should list at least the files

id_dsa
id_dsa.pub

4.) export newly generated pair of keys to ssh.com format:

Code:
$ ssh-keygen -e -f id_dsa > id_dsa_2048_b
$ ssh-keygen -e -f id_dsa.pub > id_dsa_2048_b.pub
5.) append public key to list of authorized keys:
Code:
$ cat id_dsa.pub > authorized_keys


On my TRU64 machine:

6.) Look up /etc/ssh2/sshd2_config

Code:
> more /etc/ssh2/sshd2_config
There has to be a line saying something like

Code:
AllowedAuthentications          hostbased,publickey,password
If this line is NOT commented out, everything should be Ok. If not, ask your system-administrator to change it. In my opinion publickey-auth is much safer than
hostbased, but that may be a matter of taste.

As user

7.) remove old .ssh2-stuff (ssh.com configuration files)

Code:
$ rm -rf ~/.ssh2
8.) generate new commercial ssh-key pair:

Code:
> ssh-keygen2 -t dsa -b 2048
again, take default paths and choose no passphrase (otherwise you will be asked each time you log in, which is not what I wanted...)

Code:
> cd ~/.ssh2
> ls
should list
Code:
id_dsa_2048_a.pub
id_dsa_2048_a
9.) copy the two openssh-keys which you transformatted in step 4.) to pwd.

Code:
> cp ../.ssh/id_dsa_2048_b* .
10.) Add public keys to list of authorized keys and private keys to list of
identification keys:

Code:
> echo Key id_dsa_2048_a.pub > authorization
> echo Key id_dsa_2048_b.pub >> authorization
> echo IdKey id_dsa_2048_a > identification
> echo IdKey id_dsa_2048_b >> identification

On linux-machine:
11.) Import commercial pair of keys in ~/.ssh:

Code:
$ cd .ssh
$ ssh-keygen -i -f ../.ssh2/id_dsa_2048_a > id_dsa_b
$ ssh-keygen -i -f ../.ssh2/id_dsa_2048_a.pub > id_dsa_b.pub
12.) Add new public key to list of authorized keys:

Code:
$ cat id_dsa_b.pub >> authorized_keys
That should do it. Maybe some steps are unnecessary, but this worked for me. Now I can finally run mpi on our cluster
 
Old 03-28-2012, 11:15 AM   #9
BertM
LQ Newbie
 
Registered: Jan 2010
Location: Belgium
Distribution: Debian
Posts: 17

Rep: Reputation: 0
Even though this is an ancient thread, I thought I'd post my experiences for people that end up here looking for answers.

Firstly:
All credit goes to Thomas Jansson, whose howto I've more or less copied.
You can find the original here: http://www.tjansson.dk/?p=127


To connect from OpenSSH to SSH2:

1. Create a keypair on your OpenSSH machine:
Code:
ssh-keygen -f ~/.ssh/openssh_key
2. Convert the public key to the SSH2 format and save in a file (do this on the OpenSSH machine):
Code:
cd ~/.ssh
ssh-keygen -e -f openssh_key.pub > openssh_key_converted.pub
3. Copy the converted public key to SSH2 machine. Put it in the ~/.ssh2 directory.

4. Add the name of the public key to the SSH2 authorization file:
Code:
echo "Key openssh_key_converted.pub" >> ~/.ssh2/authorization
5. Done. You can now log in on the SSH2 machine from your OpenSSH machine without typing the password.


To connect from SSH2 to OpenSSH:

1. Create a keypair on your SSH2 machine:
Code:
ssh-keygen -f ~/.ssh2/ssh2_key
2. Copy the public key to the OpenSSH machine. Only OpenSSH's ssh-keygen can convert from SSH2 format to OpenSSH format.

3. Convert the public key to the OpenSSH format and save in a file (do this on the OpenSSH machine as well, only OpenSSH's ssh-keygen can convert):
Code:
ssh-keygen -i -f ssh2_key.pub > ssh2_key_converted.pub
4. Add the converted public key to the authorized_keys file on your OpenSSH machine:
Code:
cat ssh2_key_converted.pub >> ~/.ssh/authorized_keys
5. Add the name of the private key to the SSH2 identification file (on the SSH2 machine):
Code:
echo "IdKey ssh2_key" >> ~/.ssh2/identification
6. Done. You can now log in to the OpenSSH machine from your SSH2 machine without typing the password.
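
The two causes of the password fallback found in this thread (key material or an unconverted OpenSSH key where `Key <filename>` pointing at a converted key is expected, and `publickey` missing from `AllowedAuthentications`) can be checked with a short script. This is an added example, not part of any post above; the function names, report labels and sample files are made up for illustration, and it inspects only file headers, not key validity.

```shell
#!/usr/bin/env bash
# Added example: audit an ssh.com-style ~/.ssh2 directory for this thread's mistakes.
SSH2_HEADER='---- BEGIN SSH2 PUBLIC KEY ----'   # first line of a converted key

# Print one line per problem in DIR/authorization; return 1 if any was found.
check_ssh2_authorization() {
    local dir="$1" bad=0 keyword name rest first
    [ -f "$dir/authorization" ] || { echo "MISSING $dir/authorization"; return 1; }
    while read -r keyword name rest || [ -n "$keyword" ]; do
        case $keyword in
            ssh-rsa|ssh-dss)
                # Key material pasted in, as in the first post.
                echo "PASTED-KEY authorization holds key material, expected 'Key <file>'"
                bad=1 ;;
            Key)
                if [ ! -f "$dir/$name" ]; then
                    echo "MISSING-FILE $name"; bad=1; continue
                fi
                IFS= read -r first < "$dir/$name" || true
                case $first in
                    "$SSH2_HEADER") ;;   # already in SSH2 format
                    ssh-rsa\ *|ssh-dss\ *)
                        echo "OPENSSH-FORMAT $name (convert with ssh-keygen -e)"; bad=1 ;;
                    *)  echo "UNKNOWN-FORMAT $name"; bad=1 ;;
                esac ;;
        esac
    done < "$dir/authorization"
    return "$bad"
}

# Succeed when an uncommented AllowedAuthentications line lists publickey.
allows_publickey() {
    grep -Ei '^[[:space:]]*AllowedAuthentications[[:space:]]' "$1" | grep -qi 'publickey'
}

# Constructed sample data: placeholder key bodies, not real keys.
demo=$(mktemp -d)
printf '%s\nAAAAB3NzaC1kc3MAAACB\n---- END SSH2 PUBLIC KEY ----\n' "$SSH2_HEADER" > "$demo/good.pub"
echo 'ssh-dss AAAAB3NzaC1kc3MAAACB user@linux' > "$demo/raw.pub"
printf 'Key good.pub\nKey raw.pub\nKey gone.pub\nssh-dss AAAAB3NzaC1kc3MAAACB user@linux\n' > "$demo/authorization"
printf '# AllowedAuthentications publickey\nAllowedAuthentications hostbased,password\n' > "$demo/sshd2_config"
check_ssh2_authorization "$demo" || true
allows_publickey "$demo/sshd2_config" || echo "publickey not enabled in sshd2_config"
rm -rf "$demo"
```

Run against the real directory on the commercial-SSH host, for example `check_ssh2_authorization ~/.ssh2` and `allows_publickey /etc/ssh2/sshd2_config`.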
 
  

