Secure Shell
RE: keys not recognized in Unixware --> RedHat Connection Sep 25 2008 10:23PM
COHEN, STEVEN M (ATTSI) (sc1478 att com)
They were not set this way.

They were
$ ls -al
total 24
drwxr-xr-x 2 myuserid users 4096 Sep 25 17:31 .
drwx------ 11 myuserid users 4096 Sep 25 15:33 ..
-rw-r----- 1 myuserid users 2305 Sep 25 17:41 authorized_keys
-rw-r----- 1 myuserid users 1703 May 22 17:27 authorized_keys.bak
-rw-r----- 1 myuserid users 602 Sep 25 16:05 id_dsa2.pub
-rw-r--r-- 1 myuserid users 228 Jun 17 10:09 known_hosts

I changed them:

$ ls -al
total 24
drwx------ 2 myuserid users 4096 Sep 25 17:31 .
drwx------ 11 myuserid users 4096 Sep 25 15:33 ..
-rw------- 1 myuserid users 2305 Sep 25 17:41 authorized_keys
-rw------- 1 myuserid users 1703 May 22 17:27 authorized_keys.bak
-rw-r----- 1 myuserid users 602 Sep 25 16:05 id_dsa2.pub
-rw-r--r-- 1 myuserid users 228 Jun 17 10:09 known_hosts

I made the same changes on both machines.

But it didn't help.

$ ssh -i id_dsa2 -vvv ip2
OpenSSH_5.0p1, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to ip2 [xxx.xxx.xxx.xxx] port 22.
debug1: Connection established.
debug3: Not a RSA1 key file id_dsa2.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file id_dsa2 type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH_3.*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.0
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfourr
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfourr
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd166
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd166
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-gr1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfourr
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfourr
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@ope6
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@ope6
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 119/256
debug2: bits set: 510/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/myuserid/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug3: check_host_in_hostfile: filename /home/myuserid/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'ip2' is known and matches the RSA host key.
debug1: Found key in /home/myuserid/.ssh/known_hosts:3
debug2: bits set: 521/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: id_dsa2 (81570f8)
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: id_dsa2
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 433
debug2: input_userauth_pk_ok: fp
26:15:f3:32:49:75:16:eb:29:39:49:ea:27:db:a3:30
debug3: sign_and_send_pubkey
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key 'id_dsa2':
debug2: no passphrase given, try next key
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).
$

It still insists I send a passphrase.

WHY did PEM_read_PrivateKey fail?

Steve Cohen
Technical Architect
AT&T Relay Services

PROPRIETARY INFORMATION: Not for use or disclosure outside the AT&T family
of companies except under written agreement

-----Original Message-----
From: Barry Brimer [mailto:barry.brimer (at) bigfoot (dot) com [email concealed]]
Sent: Thursday, September 25, 2008 4:47 PM
To: COHEN, STEVEN M (ATTSI)
Subject: Re: keys not recognized in Unixware --> RedHat Connection

Quoting "COHEN, STEVEN M (ATTSI)" <myuserid (at) att (dot) com [email concealed]>:

> I am trying to connect via ssh from a box running UnixWare 5 7.1.3
> which has OpenSSH installed at version OpenSSH_5.0p1, OpenSSL 0.9.8g
> 19 Oct 2007 to a box running Linux 2.6.9-78.0.1.EL #1 Tue Jul 22
> 17:50:01 EDT 2008 which has OpenSSH installed at version
> OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003.
>
> I find that the keys generated on the Unixware box are not accepted on
> the Linux box. This authentication always fails and I am forced to
> type the passphrase in every time.
>
> I did the following (using non-standard key name since I did not want
> to mess up existing connectivity):
>
> $ ssh-keygen -t dsa -f id_dsa2
> Generating public/private dsa key pair.
> Enter passphrase (empty for no passphrase):
> Enter same passphrase again:
> Your identification has been saved in id_dsa2.
> Your public key has been saved in id_dsa2.pub.
> The key fingerprint is: ...
>
> Then, I copied id_dsa2.pub to the Linux box.
>
> and did the following on that box
>
> $ mv authorized_keys authorized_keys.bak
> $ cp id_dsa2.pub authorized_keys

The $HOME/.ssh directory should be user-owned 0700 and the
$HOME/.ssh/authorized_keys should be user-owned 0600. What do your perms
look like for these files?
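
Added example, not part of the original posts: a shell audit of the two things this thread turns on, namely the `.ssh` modes asked about above and whether the private key file is passphrase-encrypted, which is what the `Proc-Type:` and `DEK-Info:` tokens in the `-vvv` trace indicate for a legacy PEM key. The function names, the `audit.sh` file name and the fixture are assumptions made for illustration.

```shell
#!/bin/sh
# Octal permission bits of a path (GNU stat first, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print one line per deviation from: .ssh user-owned 0700,
# authorized_keys user-owned 0600. Returns 0 when clean, 1 otherwise.
check_ssh_perms() {
    dir=$1; bad=0
    for spec in "$dir:700" "$dir/authorized_keys:600"; do
        path=${spec%:*}; want=${spec##*:}
        [ -e "$path" ] || { echo "missing: $path"; bad=1; continue; }
        [ -O "$path" ] || { echo "not owned by you: $path"; bad=1; }
        got=$(mode_of "$path")
        [ "$got" = "$want" ] || { echo "mode $got, want $want: $path"; bad=1; }
    done
    return $bad
}

# Classify a private key file by its PEM headers only.
#   encrypted       legacy PEM with "Proc-Type: 4,ENCRYPTED", or PKCS#8 encrypted
#   openssh-format  newer OpenSSH container; headers do not reveal encryption
#   plain           PEM private key with no encryption header
#   not-pem         no PEM private key header found
pem_key_state() {
    first=$(grep '^-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null | head -n 1)
    [ -n "$first" ] || { echo not-pem; return; }
    case $first in
        *'ENCRYPTED PRIVATE KEY'*) echo encrypted ;;
        *'OPENSSH PRIVATE KEY'*)   echo openssh-format ;;
        *) grep -q '^Proc-Type: 4,ENCRYPTED' "$1" && echo encrypted || echo plain ;;
    esac
}

# Constructed fixture: the modes from the first listing in the post
# (0755 directory, 0640 authorized_keys) and a header-only stand-in for an
# encrypted legacy PEM key. It contains no real key material.
make_sample() {
    mkdir -p "$1" && chmod 755 "$1"
    : > "$1/authorized_keys" && chmod 640 "$1/authorized_keys"
    printf '%s\n' '-----BEGIN DSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '(constructed placeholder)' \
        '-----END DSA PRIVATE KEY-----' > "$1/id_dsa2"
}

# Usage (hypothetical file name): sh audit.sh ~/.ssh ~/.ssh/id_dsa2
if [ $# -eq 2 ]; then check_ssh_perms "$1"; echo "key: $(pem_key_state "$2")"; fi
```

A key reported as `encrypted` cannot be read by the client without its passphrase, whatever the file modes are.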

Copyright 2008, SecurityFocus