Date: Thu, 22 Feb 2001 15:41:52 -0600 (CST) From: "Jonathan D. Dunfee" <jdunfee@home.com> To: Peter Pentchev <roam@orbitel.bg> Cc: jdunfee@acm.org Subject: [OT] ssh.com SSH 2.0.13 - OpenSSH interoperability problem Message-ID: <14997.34720.863814.315334@C126508-B.rchdsn1.tx.home.com> In-Reply-To: <20010222174339.F440@ringworld.oblivion.bg> References: <20010222174339.F440@ringworld.oblivion.bg>
I forgot to CC the security list with this reply to Peter Pentchev's
question.... I believe CC'ing is correct for responses to this list?

Jon

=====

Peter,

I'm not sure trying to "share" config files between OpenSSH and SSH is a
good thing. I think it will only lead to heartache. I keep the two
separate. Here's what I do to go from an OpenSSH box to an SSH server
(>2.2.0):

On OpenSSH side:
(we'll call this machine openssh_host.home.net; we'll call the
commercial machine commssh.work.net)

1) Generate an OpenSSH pub/private key with ssh-keygen:

   example$ ssh-keygen -d -f commssh_host

   This will create a private key called commssh_host and a public key
   called commssh_host.pub. I like to have my keys called by hostname to
   help keep them straight.

2) Create an SSH compatible key:

   example$ ssh-keygen -f commssh_host -x > commssh_host_SSH.pub

   The file commssh_host_SSH.pub contains the key for SSH.

3) In your ${HOME}/.ssh dir create a file called config with a
   specification to use this key pair for the remote host. Here is an
   example from my home FreeBSD box:

   example$ cat config
   Host *
           ForwardAgent no
           ForwardX11 yes
           FallBackToRsh no
           Protocol 2
           Cipher blowfish
           UsePrivilegedPort no
           Port 22

   # use special key for this site
   # i always use IP's but hostnames are fine too.
   Host 33.33.33.33
           IdentityFile2 commssh_host

   example$ ls -l config
   -rw-r--r--  1 jdunfee  jdunfee  214 Feb 22 14:54 config

4) Somehow move the commssh_host_SSH.pub to the remote host running
   commercial SSH (commssh.work.net).

On commercial SSH side:
(all the following assume "UserConfigDirectory" is ${HOME}/.ssh2)

1) Move remote_host_SSH.pub to ${HOME}/.ssh2. I move the file from
   commssh_host_SSH.pub to the name of the machine I'll be coming from. I
   realize this means two file names for the same file on different
   machines, but I like to keep things in perspective of the machine I'm
   currently on. So, I do:

   example$ mv commssh_host_SSH.pub openssh_host.home.net.pub

2) Now add a line to ${HOME}/.ssh2/authorization so the key is
   recognized:

   example$ echo "Key openssh_host.home.net.pub" >> authorization

3) That's it (I think). You're now ready to go. (assuming everything
   else is okay with the SSH server).

Note that if you're trying to run both on the same machine, SSH uses
/etc/ssh2 and ${HOME}/.ssh2 by default and OpenSSH uses /etc/ssh and
${HOME}/.ssh by default. Even on machines where I have both installed, I
keep these separate entities. There are enough subtle and not so subtle
differences between the two that trying to share files (even soft links)
can make life confusing.

You might want to check out http://www.openssh.com/faq.html. There are
some items listed here you'll want to be aware of.

Hope this helps,
Jon

Peter Pentchev writes:
> OK, so I'll admit that I might not have been RTFM'ing enough, but..
> Are OpenSSH and ssh.com's SSH DSA public keys compatible? I have
> a public key, generated by OpenSSH's ssh-keygen -d, and it works fine
> when connecting to an OpenSSH server. However, with an ssh.com's SSH
> server, I have the following in my ~/.ssh2/authorization file:
> Key /home/roam/.ssh/authorized_keys2
>
> ..and /home/roam/.ssh/authorized_keys2 is the public portion of the key
> (one line, starting with ssh-dss, ending with roam@ringworld.oblivion.bg)
>
> And yet..
>
> debug: authentications that can continue: publickey,password
> debug: next auth method to try is publickey
> debug: try pubkey: /usr/home/roam/.ssh/id_dsa
> debug: read DSA private key done
> debug: sig size 20 20
> debug: datafellows
> debug: we sent a publickey packet, wait for reply
> debug: authentications that can continue: publickey,password
>
> ..and it asks me for a password.
> Is there something more I need to do?
>
> G'luck,
> Peter
>
> --
> This would easier understand fewer had omitted.
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Jonathan D. Dunfee
jdunfee@acm.org
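An added example, not part of Jon's or Peter's mail and not OpenSSH or ssh.com code: a small Python script that rewrites a one-line OpenSSH *.pub key into the multi-line SSH2 block that step 2 (ssh-keygen -x) produces, and walks a ~/.ssh2/authorization file the way Jon's step 2 on the commercial side relies on, so a "Key" line that points at an OpenSSH-format file (Peter's setup) is reported instead of the server quietly asking for a password. The key blob, file names and the `files` mapping that stands in for ~/.ssh2 are constructed for the demo.

```python
import base64
import textwrap

# Constructed sample: a one-line OpenSSH public key as ssh-keygen writes *.pub.
# The base64 blob is made up for the demo, not a real DSA key.
SAMPLE_OPENSSH_KEY = ("ssh-dss "
                      + base64.b64encode(b"constructed-fake-dsa-blob" * 6).decode()
                      + " roam@example.invalid")

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def key_format(text):
    """Classify public-key file contents as 'ssh2', 'openssh' or 'unknown'."""
    first = text.lstrip().split("\n", 1)[0].rstrip()
    if first == BEGIN:
        return "ssh2"
    if first.split()[:1] in (["ssh-dss"], ["ssh-rsa"]):
        return "openssh"
    return "unknown"


def openssh_to_ssh2(line):
    """Rewrite a one-line OpenSSH public key into the SSH2 block format
    (the output of 'ssh-keygen -x') that ssh.com's server reads."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] not in ("ssh-dss", "ssh-rsa"):
        raise ValueError("not an OpenSSH ssh-dss/ssh-rsa public key line")
    blob = parts[1]
    base64.b64decode(blob, validate=True)  # reject a mangled key blob early
    comment = parts[2] if len(parts) == 3 else ""
    header = 'Comment: "%s"\n' % comment if comment else ""
    body = "\n".join(textwrap.wrap(blob, 70))  # same 70-column wrap as ssh-keygen
    return "%s\n%s%s\n%s\n" % (BEGIN, header, body, END)


def check_authorization(auth_text, files):
    """Walk an authorization file: every 'Key <name>' must name an entry in
    `files` (name -> contents, a stand-in for ~/.ssh2) holding an SSH2-format
    key. Returns a list of problems, empty when the file looks usable."""
    problems = []
    for lineno, raw in enumerate(auth_text.splitlines(), 1):
        fields = raw.split()
        if len(fields) < 2 or fields[0] != "Key":
            continue  # blank lines, comments and other directives are ignored
        name = fields[1]
        if name not in files:
            problems.append("line %d: key file %r not found" % (lineno, name))
        elif key_format(files[name]) != "ssh2":
            problems.append("line %d: %r is in %s format, server needs SSH2 format"
                            % (lineno, name, key_format(files[name])))
    return problems
```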