LinuxQuestions.org


cf050 10-10-2006 08:02 AM

open-ssh vs. commercial ssh (tru64), public-key auth not possible?
 
Hi everybody,
I'm in a heterogeneous network with both compaq/hp alpha machines running tru64 5.1.b and linux stations running ubuntu 6.06.1. The latter have open-ssh installed, while the alphas run a commercial ssh implementation.

Public key auth. works among the linux stations and the alphas alone, whereas
cross-platform ssh is only possible via password-auth.

One obvious difference regarding public key authentication is that both
implementations save private and public keys in different locations,
~/.ssh/ for open-ssh and ~/.ssh2/ for tru64-ssh.

I appended my id_dsa.pub from .ssh to .ssh2/authorization, which is the place the tru64-ssh-server looks for public-key filenames, but this did not work.

I read there are some principal incompatibilities between open-ssh and the
commercial version. Perhaps this is one of them. Would the use of ssh1 change something?

Does anyone know if my problem is somehow solvable? And how?

Thank you.

b0uncer 10-10-2006 09:38 AM

Quote:

Would the use of ssh1 change something?

Definitely, it would lower your security. That's why ssh2 is used.

cf050 10-10-2006 10:22 AM

Thank you very much.
Quote:

Definitely, it would lower your security. That's why ssh2 is used.

That's exactly the answer I was hoping for...

Hobbez1 10-25-2006 02:04 AM

cf050

Commercial SSH (tru 64) needs the filename inside the authorization file, not the actual key (the way open-ssh does it) ....
Also, the public key format differs....

Create a commercial public key from your openssh pub key (ssh-keygen -e -f <openssh pubkey> > <my name for commercial pubkey>)
Copy the new public key to ~/.ssh2/ directory, and do the following:
echo Key {YOUR KEY NAME } >> ~/.ssh2/authorization

Hope that helps!

cf050 11-23-2006 01:55 AM

Hobbez1:
Quote:

Hope that helps!

Noops. Still asking for password, both ways around (ssh to openssh and openssh to ssh)

I did (on my linux machine):

>cd ~/.ssh
>ssh-keygen -e -f id_rsa.pub > id_rsa-commercial.pub
>cp id_rsa-commerical.pub ~/.ssh2
>cd ~/.ssh2
>echo Key id_rsa-commercial.pub >> authorization
>ssh <unix-machine>
user@unix-machine's password: ...

did i miss anything?

Hobbez1 11-27-2006 06:43 AM

Sorry, that's me being bad at explaining again....

on your linux-box:
copy the id_rsa-commercial.pub to the commercial ssh box under ~/.ssh2/

then, on the commercial box:
echo Key id_rsa-commercial.pub >> ~/.ssh2/authorization

basically, what needs to happen, in normal english:

1. create public and private key pair on "non-commercial" (NC) box (this pair is meant non-commercial pair)
2. create commercial public key from NC public key
3. copy file to commercial SSH box, under ~/.ssh2 directory
4. tell commercial box to recognize key (by adding "Key <Commercial public key name>" to ~/.ssh2/authorization)

and, hopefully, that's it...!

let me know

cf050 11-29-2006 01:30 AM

Hobbez1,

Since our nfs server exports the home directories to both our linux machines and our alpha stations, .ssh/ (for openssh) and .ssh2/ (for tru64) reside under the same directory, namely
/home/<user>/. Sorry, I should have explained that before.

It still does not work. I will back up my .ssh and .ssh2 and restart the whole thing over, e.g. generate key pairs, copy them etc. I'll keep you informed. Thank you so far.

cf050 12-20-2006 07:04 AM

Settled!
The systemwide configuration file /etc/ssh2/sshd2_config had to be edited so as to allow
publickey-authentication.

So, this is exactly what I have done:

On my linux machine:
1.) No changes in the /etc/ssh/*_config files necessary.

As user:
2.) remove old .ssh-stuff:

Code:

$ rm -rf .ssh

3.) generate new openssh public/private key pair (I took dsa-type and 2048 bit length here, other values might as well work):

Code:

$ ssh-keygen -t dsa -b 2048

take default paths
no passphrase (type <enter> twice).

cd to newly generated .ssh-directory

Code:

$ cd ~/.ssh
$ ls

should list at least the files

id_dsa
id_dsa.pub

4.) export newly generated pair of keys to ssh.com format:

Code:

$ ssh-keygen -e -f id_dsa > id_dsa_2048_b
$ ssh-keygen -e -f id_dsa.pub > id_dsa_2048_b.pub

5.) append public key to list of authorized keys:
Code:

$ cat id_dsa.pub > authorized_keys


On my TRU64 machine:

6.) Look up /etc/ssh2/sshd2_config

Code:

> more /etc/ssh2/sshd2_config

There has to be a line saying something like

Code:

AllowedAuthentications          hostbased,publickey,password

If this line is NOT commented out, everything should be OK. If not, ask your system-administrator to change it. In my opinion publickey-auth is much safer than
hostbased, but that may be a matter of taste.

As user

7.) remove old .ssh2-stuff (ssh.com configuration files)

Code:

$ rm -rf ~/.ssh2

8.) generate new commercial ssh-key pair:

Code:

> ssh-keygen2 -t dsa -b 2048

again, take default paths and choose no passphrase (otherwise you will be asked each time you log in, which is not what I wanted...)

Code:

> cd ~/.ssh2
> ls

should list

Code:

id_dsa_2048_a.pub
id_dsa_2048_a

9.) copy the two openssh-keys which you transformatted in step 4.) to pwd.

Code:

> cp ../.ssh/id_dsa_2048_b* .

10.) Add public keys to list of authorized keys and private keys to list of
identification keys:

Code:

> echo Key id_dsa_2048_a.pub > authorization
> echo Key id_dsa_2048_b.pub >> authorization
> echo IdKey id_dsa_2048_a > identification
> echo IdKey id_dsa_2048_b >> identification


On linux-machine:
11.) Import commercial pair of keys in ~/.ssh:

Code:

$ cd .ssh
$ ssh-keygen -i -f ../.ssh2/id_dsa_2048_a > id_dsa_b
$ ssh-keygen -i -f ../.ssh2/id_dsa_2048_a.pub > id_dsa_b.pub

12.) Add new public key to list of authorized keys:

Code:

$ cat id_dsa_b.pub >> authorized_keys

That should do it. Maybe some steps are unnecessary, but this worked for me. Now I can finally run mpi on our cluster :)

BertM 03-28-2012 11:15 AM

Even though this is an ancient thread, I thought I'd post my experiences for people that end up here looking for answers.

Firstly:
All credit goes to Thomas Jansson, whose howto I've more or less copied.
You can find the original here: http://www.tjansson.dk/?p=127


To connect from OpenSSH to SSH2:

1. Create a keypair on your OpenSSH machine:
Code:

ssh-keygen -f ~/.ssh/openssh_key

2. Convert the public key to the SSH2 format and save in a file (do this on the OpenSSH machine):
Code:

cd ~/.ssh
ssh-keygen -e -f openssh_key.pub > openssh_key_converted.pub

3. Copy the converted public key to SSH2 machine. Put it in the ~/.ssh2 directory.

4. Add the name of the public key to the SSH2 authorization file:
Code:

echo "Key openssh_key_converted.pub" >> ~/.ssh2/authorization

5. Done. You can now log in on the SSH2 machine from your OpenSSH machine without typing the password.


To connect from SSH2 to OpenSSH:

1. Create a keypair on your SSH2 machine:
Code:

ssh-keygen -f ~/.ssh2/ssh2_key

2. Copy the public key to the OpenSSH machine. Only OpenSSH's ssh-keygen can convert from SSH2 format to OpenSSH format.

3. Convert the public key to the OpenSSH format and save in a file (do this on the OpenSSH machine as well, only OpenSSH's ssh-keygen can convert):
Code:

ssh-keygen -i -f ssh2_key.pub > ssh2_key_converted.pub

4. Add the converted public key to the authorized_keys file on your OpenSSH machine:
Code:

cat ssh2_key_converted.pub >> ~/.ssh/authorized_keys

5. Add the name of the private key to the SSH2 identification file (on the SSH2 machine):
Code:

echo "IdKey ssh2_key" >> ~/.ssh2/identification

6. Done. You can now log in to the OpenSSH machine from your SSH2 machine without typing the password.
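
The failure causes that came up in this thread (an OpenSSH key pasted straight into ~/.ssh2/authorization, a Key entry naming a file that is missing or still in OpenSSH format, and an sshd2_config with no active AllowedAuthentications line listing publickey) can be checked with a short script. This is an added example, not part of any poster's message: the function names are hypothetical, the sample files are constructed placeholders rather than real keys, and only the `Key <file>` form shown in the thread is recognised.

```shell
#!/bin/sh
# Added example: function names are hypothetical and every sample file below
# is a constructed placeholder, not a real key.
SSH2_BEGIN='---- BEGIN SSH2 PUBLIC KEY ----'   # first line written by ssh-keygen -e

# Print one finding per line for DIR (an account's ~/.ssh2); always returns 0.
audit_ssh2_dir() {
    dir=$1
    [ -f "$dir/authorization" ] || { echo "NO_AUTHORIZATION_FILE"; return 0; }
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) ;;                              # blank line or comment
            ssh-rsa\ *|ssh-dss\ *) echo "RAW_OPENSSH_KEY_IN_AUTHORIZATION" ;;
            Key\ *)
                name=${line#Key }
                if [ ! -f "$dir/$name" ]; then       # e.g. a filename typo
                    echo "MISSING_KEY_FILE $name"
                elif [ "$(head -n 1 "$dir/$name")" != "$SSH2_BEGIN" ]; then
                    echo "NOT_SSH2_FORMAT $name"     # was never run through -e
                fi ;;
            *) echo "OTHER_LINE" ;;                  # a form this thread does not use
        esac
    done < "$dir/authorization"
    return 0
}

# Report whether CONFIG has an uncommented AllowedAuthentications line with publickey.
check_sshd2_config() {
    if grep -E '^[[:space:]]*AllowedAuthentications[[:space:]].*publickey' "$1" >/dev/null 2>&1
    then echo "PUBLICKEY_ALLOWED"
    else echo "PUBLICKEY_NOT_ALLOWED"
    fi
}

# Build a constructed ~/.ssh2 plus sshd2_config that reproduce the thread's mistakes.
make_demo() {
    d=$(mktemp -d)
    printf '%s\nComment: "constructed"\nAAAAB3NzaC1kc3MAAACB\n---- END SSH2 PUBLIC KEY ----\n' \
        "$SSH2_BEGIN" > "$d/good.pub"
    printf 'ssh-dss AAAAB3NzaC1kc3MAAACB user@linux\n' > "$d/openssh_style.pub"
    printf 'Key good.pub\nKey openssh_style.pub\nKey id_rsa-commercial.pub\nssh-dss AAAAB3NzaC1kc3MAAACB user@linux\n' \
        > "$d/authorization"
    printf '# AllowedAuthentications hostbased,publickey,password\n' > "$d/sshd2_config"
    echo "$d"
}

demo=$(make_demo)
audit_ssh2_dir "$demo"
check_sshd2_config "$demo/sshd2_config"
rm -rf "$demo"
```

On a real account, run `audit_ssh2_dir ~/.ssh2` and `check_sshd2_config /etc/ssh2/sshd2_config` on the SSH2 machine; no output from the first and `PUBLICKEY_ALLOWED` from the second mean none of these three causes applies.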

