SSH Problem

Corne Kotze cornek at striata.com
Thu Feb 5 04:14:03 PST 2009


Hi all,

Just an update on the ssh with keys issue I had.
To refresh, I run an sftp server which chroots users to their assigned
folders.

http://www.bsdguides.org/guides/freebsd/security/sftp_chroot_users.php

That disabled the key authentication I had running on my server.



The solution that worked for me:

Verify the connecting server's SSH version
[local-host]$ ssh -V

OpenSSH_5.0p1, OpenSSL 0.9.8g 19 Oct 2007


Generate a key pair on the connecting server without a password

[local-host]$ ssh-keygen -t dsa

Generating public/private dsa key pair.

Enter file in which to save the key (/home/user/.ssh/id_dsa): <Hit Enter>

Created directory '/home/user/.ssh'.

Enter passphrase (empty for no passphrase): <Hit Enter>

Enter same passphrase again: <Hit Enter>

Your identification has been saved in /home/user/.ssh/id_dsa.

Your public key has been saved in /home/user/.ssh/id_dsa.pub.

The key fingerprint is:

3b:2a:d2:ac:8c:71:81:7e:b7:31:21:11:b8:e8:31:ad user at localhost


The public key and private key are typically stored in the .ssh folder under
your home directory. In this example, it is under /home/user/.ssh. You
should not share the private key with anybody.



Convert OpenSSH public key to SSH2 public key

On the connecting server that is running OpenSSH, convert the OpenSSH
public key to an SSH2 public key using ssh-keygen as shown below.

[local-host]$ ssh-keygen -e -f ~/.ssh/id_dsa.pub > ~/.ssh/id_dsa_ssh2.pub



Install the public-key on the remote-host that is running SSH2

Create a new public key file on remote-host and copy and paste the converted
SSH2 key from the connecting server.



[remote-host]$ mkdir .ssh2

[remote-host]$ vi ~/.ssh2/server.lan_ssh2_key.pub 
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted from OpenSSH by jsmith at local-host"
DDDDB3NzaC1yc2EAAAABDmbrdomPh9rWfjZ1+7Q369zsBEa7wS1RxzWRQ0Bmr9FSplI
3ADBEBC/6cbdf/v0r6Cp5y5kusP07AOzo2F7MBDSZBtS/MbYJiIxvocoaxG2bQyz3yYjU
YcpzGMD182bnA8kRxmGg+R5pVXM34lx3iSSgd8r3RzZKnDpEvEInnI7pQvUBoEbYCXPUeZ
LQvQAkz6+Pb6SsNp-dop/qgv9qyfbyMz1iKUZGadG146GtanL5QtRwyAeD187gMzzrGzMFP
LWjdzWpGILdZ5gq7wwRpbcXFUskVrS2ZjDe676XlTN1k5QSZmSYUuttDdrjB5SFiMpsre8
a7cQuMS178i9eDBEC==
---- END SSH2 PUBLIC KEY ----

[remote-host]$ chmod 700 ~/.ssh2

[remote-host]$ chmod go-rwx ~/.ssh2/*



Add the above public key file name to the authorization file on the
remote-host as shown below.


[remote-host]$ vi ~/.ssh2/authorization 
Key server.lan_ssh2_key.pub



Verify the login from the connecting server to remote-host using SSH2 key
authentication.


[local-host]$ ssh -l user remote-host <You are on connecting server here>

The authenticity of host 'local-host' can't be established.

DSA key fingerprint is a5:f6:2e:e6:a9:b2:7b:0e:e7:ae:cb:6c:7b:f5:6d:06.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added 'local-host' (DSA) to the list of known hosts.

Last login: Sat Jun 21 2008 23:13:00 -0700 from 192.168.1.102

No mail.

[remote-host]$ <You are on remote-host here>

Hope this will help someone.

On Mon, 2008-12-22 at 13:22 +0300, Eygene Ryabinkin wrote:

> Corne,
> 
> Mon, Dec 22, 2008 at 11:22:07AM +0200, Corne Kotze wrote:
> > Thanks for the reply.
> > Sorry for the ignorance, but I should have added this as well.
> >
> > I am running apart from other things, a secure ftp server on this box as
> > well that chroot the users to their home directories.
> >
> > I got the setup information from the following link:
> > http://www.bsdguides.org/guides/freebsd/security/sftp_chroot_users.php
> 
> Ahm, SSH.com's realization of SSH suite.  Forgot about this, sorry.
> I had never used it, so can't say how to make it work with public key
> authentication.  But read on ;))
> 
> However, OpenSSH had gained the chroot ability in February 2008,
>   http://undeadly.org/cgi?action=article&sid=20080220110039
> 
> But if you're running 6.x, you won't be able to use it -- it was
> imported only to 7.x and -CURRENT,
>   SVN rev 182634 on 2008-09-01 20:03:13Z by des
> 
> Though, no hope is lost -- security/openssh-portable is at 5.0p1, and
> chroot support is there.  But it is prone to the X11 MITM attack (at
> least on HP/UX, don't currently know if FreeBSD is affected),
>   http://www.openssh.com/txt/release-5.1
> Your mileage may vary, if, for example, you're not using X11 forwarding,
> then you might be fine with this.
> 
> > Setting the "rc.conf" file to:
> > sshd_enable="YES"
> > sshd2_enable="NO"
> >
> > Then my sftp setup does not work properly, unless I am missing something
> > that I can set in the "/etc/ssh/sshd_config" file.
> 
> Ooookey, if you still prefer SSH.com's software, you may find the following
> article very enlightening,
>   http://www.ssh.com/support/documentation/online/ssh/adminguide/32/Public-Key_Authentication-2.html
> 
> At least for me it looks very sane and verbose.

Corne Kotze
Systems Administrator

Striata messaging innovation

E: corne.kotze at za.striata.com
T: +27 11 530 9600     
F: +27 11 447 9122

This email and all contents are subject to the following disclaimer:

http://www.striata.com/_disclaimer/
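The key-conversion and installation steps in the post above, as an added example that is not part of the original message and not code from OpenSSH or SSH.com. It is Python rather than the shell the post uses so that it runs without ssh-keygen present: to_rfc4716() builds the same RFC 4716 ("SSH2") layout that ssh-keygen -e prints (BEGIN/END marker lines, an optional Comment: header, the base64 body folded at 70 columns), install_ssh2_key() writes the key file plus the Key <file> line in ~/.ssh2/authorization with the 0700/0600 permissions the post sets by hand (and does not duplicate the line if run twice), and md5_fingerprint() produces the colon-separated MD5 form the post's ssh-keygen output shows. It also adds a check the post does not make: the key type named on the OpenSSH line must equal the type embedded in the base64 blob, which is the field the server actually uses (the pasted block in the post says RSA in its Comment: while the key generated is DSA; the Comment: is not checked by anyone, the blob is). The sample key line, the temporary home directory and the file name server.lan_ssh2_key.pub are constructed assumptions; the blob is a dummy ssh-dss wire structure with the right layout, not a usable key.

```python
"""Convert an OpenSSH public key to RFC 4716 (SSH2) form and install it for an
SSH.com-style server: ~/.ssh2/<key>.pub plus a 'Key <file>' line in
~/.ssh2/authorization. Added example; sample key and paths are constructed."""
import base64
import hashlib
import os
import stat
import struct
import tempfile

RFC4716_BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
RFC4716_END = "---- END SSH2 PUBLIC KEY ----"


def _ssh_string(data):
    """One RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_openssh_pubkey(line):
    """Split '<type> <base64> [comment]' and verify that the type written on the
    line matches the type embedded in the wire blob (the field a server trusts)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short to hold a key-type field")
    (n,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + n].decode("ascii", "replace")
    if embedded != keytype:
        raise ValueError("key type mismatch: line says %s, blob says %s" % (keytype, embedded))
    return keytype, blob, comment


def md5_fingerprint(blob):
    """Colon-separated MD5 of the blob, the form old ssh-keygen prints (3b:2a:d2:...)."""
    return ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def to_rfc4716(line, comment=None):
    """Render an OpenSSH public-key line the way ssh-keygen -e does: BEGIN/END
    markers, optional Comment: header, base64 body folded at 70 columns."""
    _keytype, blob, line_comment = parse_openssh_pubkey(line)
    if comment is None:
        comment = line_comment
    b64 = base64.b64encode(blob).decode("ascii")
    out = [RFC4716_BEGIN]
    if comment:
        out.append('Comment: "%s"' % comment)
    out.extend(b64[i:i + 70] for i in range(0, len(b64), 70))
    out.append(RFC4716_END)
    return "\n".join(out) + "\n"


def install_ssh2_key(home, keyfile_name, rfc4716_text):
    """Write <home>/.ssh2/<keyfile_name> and register it in <home>/.ssh2/authorization
    (idempotent), with the 0700 dir / 0600 file modes the post sets by hand."""
    ssh2 = os.path.join(home, ".ssh2")
    os.makedirs(ssh2, mode=0o700, exist_ok=True)
    os.chmod(ssh2, 0o700)  # makedirs' mode is subject to umask; force it
    keypath = os.path.join(ssh2, keyfile_name)
    with open(keypath, "w") as f:
        f.write(rfc4716_text)
    os.chmod(keypath, 0o600)
    authz = os.path.join(ssh2, "authorization")
    entry = "Key " + keyfile_name
    lines = []
    if os.path.exists(authz):
        with open(authz) as f:
            lines = [l.rstrip("\n") for l in f]
    if entry not in lines:
        lines.append(entry)
        with open(authz, "w") as f:
            f.write("\n".join(lines) + "\n")
    os.chmod(authz, 0o600)
    return lines


def constructed_dss_line():
    """Constructed sample: an ssh-dss blob with dummy p, q, g, y mpints. Correct
    wire layout, not a usable key. Comment mirrors the post's 'user at local-host'."""
    blob = b"".join(_ssh_string(f) for f in
                    (b"ssh-dss", b"\x01" * 16, b"\x02" * 8, b"\x03" * 16, b"\x04" * 16))
    return "ssh-dss %s user@local-host" % base64.b64encode(blob).decode("ascii")


def run_demo():
    """Convert the sample key and install it twice under a temporary home; return
    the RFC 4716 text, the authorization lines and the modes actually on disk."""
    text = to_rfc4716(constructed_dss_line())
    home = tempfile.mkdtemp()
    install_ssh2_key(home, "server.lan_ssh2_key.pub", text)
    lines = install_ssh2_key(home, "server.lan_ssh2_key.pub", text)  # no duplicate
    ssh2 = os.path.join(home, ".ssh2")
    modes = {name: stat.S_IMODE(os.stat(os.path.join(ssh2, name)).st_mode)
             for name in os.listdir(ssh2)}
    modes[".ssh2"] = stat.S_IMODE(os.stat(ssh2).st_mode)
    return text, lines, modes


if __name__ == "__main__":
    rfc_text, authz_lines, modes = run_demo()
    print(rfc_text)
    print("fingerprint:", md5_fingerprint(parse_openssh_pubkey(constructed_dss_line())[1]))
    print("authorization:", authz_lines, "modes:", modes)
```

On a real host, point install_ssh2_key() at the user's home on the SSH.com server (or run it there with the converted text pasted in), and keep ssh-keygen -e as the canonical converter; the function here exists so the format and the permission checks can be exercised anywhere.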


More information about the freebsd-hackers mailing list