Date: Thu, 05 Feb 2009 13:58:55 +0200
From: Corne Kotze <cornek@striata.com>
To: rea-fbsd@codelabs.ru
Cc: freebsd-hackers@freebsd.org
Subject: Re: SSH Problem
Message-ID: <1233835135.10262.31.camel@jackal>
In-Reply-To: <cltDob8TEMUTzywLFmwwThH6z5o@TVy1gMAmSsiP9GTg//ziIjLy%2Bsk>
References: <1229934159.8928.20.camel@jackal> <dnoAcoCUUpmRgsgANBLPZChMEB8@TVy1gMAmSsiP9GTg//ziIjLy%2Bsk> <1229937727.8928.24.camel@jackal> <cltDob8TEMUTzywLFmwwThH6z5o@TVy1gMAmSsiP9GTg//ziIjLy%2Bsk>
Hi all,

Just an update on the ssh with keys issue I had.

To refresh, I run an sftp server which chroots users to their assigned folders.
http://www.bsdguides.org/guides/freebsd/security/sftp_chroot_users.php

That disabled the keys authentication I had running on my server.

The solution that worked for me:

Verify the connecting server SSH version

[local-host]$ ssh -V
OpenSSH_5.0p1, OpenSSL 0.9.8g 19 Oct 2007

Generate key-pair on the connecting server without a password

[local-host]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_dsa): <Hit Enter>
Created directory '/home/user/.ssh'.
Enter passphrase (empty for no passphrase): <Hit Enter>
Enter same passphrase again: <Hit Enter>
Your identification has been saved in /home/user/.ssh/id_dsa.
Your public key has been saved in /home/user/.ssh/id_dsa.pub.
The key fingerprint is:
3b:2a:d2:ac:8c:71:81:7e:b7:31:21:11:b8:e8:31:ad user@localhost

The public key and private key are typically stored in the .ssh folder under your home directory. In this example, it is under /home/user/.ssh. You should not share the private key with anybody.

Convert openSSH public key to SSH2 public key

On the connecting server that is running openSSH, convert the openSSH public key to SSH2 public key using ssh-keygen as shown below.

[local-host]$ ssh-keygen -e -f ~/.ssh/id_dsa.pub > ~/.ssh/id_dsa_ssh2.pub

Install the public-key on the remote-host that is running SSH2

Create a new public key file on remote-host and copy paste the converted SSH2 key from the connecting server.

[remote-host]$ mkdir .ssh2
[remote-host]$ vi ~/.ssh2/server.lan_ssh2_key.pub
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted from OpenSSH by jsmith@local-host"
DDDDB3NzaC1yc2EAAAABDmbrdomPh9rWfjZ1+7Q369zsBEa7wS1RxzWRQ0Bmr9FSplI
3ADBEBC/6cbdf/v0r6Cp5y5kusP07AOzo2F7MBDSZBtS/MbYJiIxvocoaxG2bQyz3yYjU
YcpzGMD182bnA8kRxmGg+R5pVXM34lx3iSSgd8r3RzZKnDpEvEInnI7pQvUBoEbYCXPUeZ
LQvQAkz6+Pb6SsNp-dop/qgv9qyfbyMz1iKUZGadG146GtanL5QtRwyAeD187gMzzrGzMFP
LWjdzWpGILdZ5gq7wwRpbcXFUskVrS2ZjDe676XlTN1k5QSZmSYUuttDdrjB5SFiMpsre8
a7cQuMS178i9eDBEC==
---- END SSH2 PUBLIC KEY ----
[remote-host]$ chmod 700 ~/.ssh2
[remote-host]$ chmod go-rwx ~/.ssh2/*

Add the above public key file name to the authorization file on the remote-host as shown below.

[remote-host]$ vi ~/.ssh2/authorization
Key server.lan_ssh2_key.pub

Verify the login from the connecting server to remote-host using the SSH2 key authentication.

[local-host]$ ssh -l user remote-host <You are on connecting server here>
The authenticity of host 'local-host' can't be established.
DSA key fingerprint is a5:f6:2e:e6:a9:b2:7b:0e:e7:ae:cb:6c:7b:f5:6d:06.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'local-host' (DSA) to the list of known hosts.
Last login: Sat Jun 21 2008 23:13:00 -0700 from 192.168.1.102
No mail.
[remote-host]$ <You are on remote-host here>

Hope this will help someone.

On Mon, 2008-12-22 at 13:22 +0300, Eygene Ryabinkin wrote:
> Corne,
>
> Mon, Dec 22, 2008 at 11:22:07AM +0200, Corne Kotze wrote:
> > Thanks for the reply.
> > Sorry for the ignorance, but I should have added this as well.
> >
> > I am running, apart from other things, a secure ftp server on this box as
> > well that chroots the users to their home directories.
> >
> > I got the setup information from the following link:
> > http://www.bsdguides.org/guides/freebsd/security/sftp_chroot_users.php
>
> Ahm, SSH.com's realization of the SSH suite. Forgot about this, sorry.
> I had never used it, so can't say how to make it work with public key
> authentication. But read on ;))
>
> However, OpenSSH gained the chroot ability in February 2008,
> http://undeadly.org/cgi?action=article&sid=20080220110039
>
> But if you're running 6.x, you won't be able to use it -- it was
> imported only to 7.x and -CURRENT,
> SVN rev 182634 on 2008-09-01 20:03:13Z by des
>
> Though, no hope is lost -- security/openssh-portable is at 5.0p1, and
> chroot support is there. But it is prone to the X11 MITM attack (at
> least on HP/UX, don't currently know if FreeBSD is affected),
> http://www.openssh.com/txt/release-5.1
> Your mileage may vary; if, for example, you're not using X11 forwarding,
> then you might be fine with this.
>
> > Setting the "rc.conf" file to:
> > sshd_enable="YES"
> > sshd2_enable="NO"
> >
> > Then my sftp setup does not work properly, unless I am missing something
> > that I can set in the "/etc/ssh/sshd_config" file.
>
> Ooookey, if you still prefer SSH.com's software, you may find the following
> article very enlightening,
> http://www.ssh.com/support/documentation/online/ssh/adminguide/32/Public-Key_Authentication-2.html
>
> At least for me it looks very sane and verbose.

Corne Kotze
Systems Administrator
Striata messaging innovation
E: corne.kotze@za.striata.com
T: +27 11 530 9600
F: +27 11 447 9122

This email and all contents are subject to the following disclaimer:
http://www.striata.com/_disclaimer/
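The remote-host part of the procedure in the mail above (SSH2-format key file under ~/.ssh2, a "Key" line in ~/.ssh2/authorization, modes tightened) as an added example that is not part of the original thread or of SSH.com's or OpenSSH's own tooling. It assumes the one-line OpenSSH "ssh-rsa <base64> <comment>" public-key layout and does the RFC 4716 conversion itself, so it does not need ssh-keygen on the SSH2-only box; the check function catches the two faults that most often make sshd2 silently fall back to password auth on a chrooted account.

```shell
#!/bin/sh
# Added example, not from the original mail or from SSH.com/OpenSSH: the
# remote-host steps as functions, plus a check for the things that
# silently break key auth on a chrooted sshd2 account (wrong modes under
# ~/.ssh2, a "Key" line in "authorization" naming a file that is not there).
# Assumes the OpenSSH "ssh-rsa <base64> <comment>" one-line layout; needs
# no ssh-keygen, so it also works on a box that only has sshd2.

# openssh_to_ssh2 <openssh-pub-line>  -> RFC 4716 (SSH2) text on stdout
openssh_to_ssh2() {
    _type=$(printf '%s\n' "$1" | awk '{print $1}')
    _blob=$(printf '%s\n' "$1" | awk '{print $2}')
    _comment=$(printf '%s\n' "$1" | cut -d' ' -f3-)
    [ -n "$_blob" ] || return 1
    printf '%s\n' '---- BEGIN SSH2 PUBLIC KEY ----'
    printf 'Comment: "%s key, converted from OpenSSH (%s)"\n' "$_type" "$_comment"
    printf '%s\n' "$_blob" | fold -w 70      # RFC 4716 caps body lines at 72
    printf '%s\n' '---- END SSH2 PUBLIC KEY ----'
}

# install_ssh2_key <ssh2dir> <keyfile-name> <openssh-pub-line>
install_ssh2_key() {
    mkdir -p "$1" && chmod 700 "$1" || return 1
    openssh_to_ssh2 "$3" > "$1/$2" || return 1
    chmod 600 "$1/$2"
    grep -qxF "Key $2" "$1/authorization" 2>/dev/null \
        || printf 'Key %s\n' "$2" >> "$1/authorization"
    chmod 600 "$1/authorization"
}

# check_ssh2_dir <ssh2dir>  -> 0 when sane; otherwise 1 and one line per fault
check_ssh2_dir() {
    _rc=0
    for _f in "$1" "$1"/*; do            # dir and every file: no group/other bits
        [ "$(ls -ld "$_f" | cut -c5-10)" = "------" ] \
            || { echo "$_f: group/other have access"; _rc=1; }
    done
    [ -f "$1/authorization" ] || { echo "$1/authorization: missing"; return 1; }
    while read -r _kw _name; do          # every "Key <file>" must resolve
        [ "$_kw" = "Key" ] || continue
        [ -f "$1/$_name" ] || { echo "authorization: Key $_name -> no such file"; _rc=1; }
    done < "$1/authorization"
    return $_rc
}
```

Run `check_ssh2_dir ~/.ssh2` as the chrooted user after pasting a key; an empty result with exit status 0 means the layout matches what the mail describes.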