Sftp Key Authentication Issue

Hello,

We have an issue attempting to log in from a Unix Solaris to an NT server using key authentication. I will attempt to provide you with as much of the relevant information regarding the way the system is set up, although I'm working solely on the Unix side, so don't have full access to how the NT server is set up.

The version of ssh that we're running is:-

bash-3.00$ ssh2 -V
ssh2: F-Secure-SSH-2.3.1 (build 7) on sparc-sun-solaris2.8

The public/private keys that I created (with no passphrase) are in the following format:-

bash-3.00$ more batchftp_uat.pub
---- BEGIN SSH2 PUBLIC KEY ----
Subject: genevaz
Comment: "2048-bit rsa, genevaz@nsufu351, Wed Apr 29 2009 16:02:21"
AAAAB3NzaC1yc2EAAAABIQAAAQEArY1INXO1O1OYKMftSSqWMu0yCEth4RxZWbLgDfyh9j
...etc...
HyzYkalbK0IxCTwxILud5dmhVDj4C0w9eCiP7DJF9+Fvk7eq6hwTfsCZxrJO9RPPxTGjds
3acg4fKft64II8QpOYVw==
---- END SSH2 PUBLIC KEY ----
bash-3.00$ more batchftp_uat
---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
Subject: genevaz
Comment: "2048-bit rsa, genevaz@nsufu351, Wed Apr 29 2009 16:02:21"
P2/56wAAA+oAAAA0aWYtbW9kbntzaWdue3JzYS1wa2NzMS1tZDV9LGVuY3J5cHR7cnNhLX
...etc...
eBjpNEZbOg1KIyDyvPLcKqDypisoenOLd1wZSgdB5QptSE0qI7v4GawDJ9jAU5Sz/e3eeI
TWFGjR
---- END SSH2 ENCRYPTED PRIVATE KEY ----

These are both in the .ssh2 directory of the account that I'm connecting from. Also in that directory are the following files:-

bash-3.00$ more identification
IdKey batchftp_uat
bash-3.00$ more authorization
key batchftp_uat.pub

Below is the output of what happens (with maximum debug) when I attempt to login to the remote server:-

bash-3.00$ sftp -D 99 "hnah\svc-us-sftp-hbeuie@mxssh01"
SshEventLoop/sshunixeloop.c:412: Registered signal 1.
SshEventLoop/sshunixeloop.c:412: Registered signal 2.
SshEventLoop/sshunixeloop.c:412: Registered signal 15.
SshEventLoop/sshunixeloop.c:412: Registered signal 6.
SshEventLoop/sshunixeloop.c:412: Registered signal 22.
SshEventLoop/sshunixeloop.c:524: Registered file descriptor 0.
SshEventLoop/sshunixeloop.c:524: Registered file descriptor 1.
SshEventLoop/sshunixeloop.c:412: Registered signal 20.
SshFSM/sshfsm.c:479: Spawning a new thread starting from `finalize_initialization'.
SshFSM/sshfsm.c:243: Added ptr afbcc ('finalize_initialization') to hash table.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:596: Starting the event loop.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshFSM/sshfsm.c:326: Entering the scheduler.
SshFSM/sshfsm.c:381: Thread continuing from state `finalize_initialization' (Finalize initialization).
SshFSM/sshfsm.c:243: Added ptr af28c ('get_command') to hash table.
SshFileCopy/sshfilecopy.c:909: Making local connection.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshFSM/sshfsm.c:462: Reactivating an already active thread (do nothing).
SshFSM/sshfsm.c:381: Thread continuing from state `get_command' (Prepare to read a command from user).
SshFSM/sshfsm.c:243: Added ptr af38c ('command_open') to hash table.
SshFSM/sshfsm.c:381: Thread continuing from state `command_open' (Open a connection to destination host).
SshFSM/sshfsm.c:243: Added ptr af3e8 ('command_finalize_open') to hash table.
SshFileCopy/sshfilecopy.c:928: Connecting to remote host. (host = hnah\svc-us-sftp-hbeuie@mxssh01, user = (null), port = (null))
Sftp2/sftp2.c:2390: argv[0] = ssh2
Sftp2/sftp2.c:2390: argv[1] = -v
Sftp2/sftp2.c:2390: argv[2] = -x
Sftp2/sftp2.c:2390: argv[3] = -a
Sftp2/sftp2.c:2390: argv[4] = -o
Sftp2/sftp2.c:2390: argv[5] = passwordprompt %U@%H's password:
Sftp2/sftp2.c:2390: argv[6] = -o
Sftp2/sftp2.c:2390: argv[7] = nodelay yes
Sftp2/sftp2.c:2390: argv[8] = -o
Sftp2/sftp2.c:2390: argv[9] = authenticationnotify yes
Sftp2/sftp2.c:2390: argv[10] = hnah\svc-us-sftp-hbeuie@mxssh01
Sftp2/sftp2.c:2390: argv[11] = -s
Sftp2/sftp2.c:2390: argv[12] = sftp
SshEventLoop/sshunixeloop.c:412: Registered signal 18.
SshEventLoop/sshunixeloop.c:524: Registered file descriptor 5.
SshEventLoop/sshunixeloop.c:524: Registered file descriptor 4.
Sftp2/sftp2.c:2206: notification: 0
SshFSM/sshfsm.c:397: Thread suspended in state `command_finalize_open'.
SshFSM/sshfsm.c:367: No active threads so return from scheduler.
SshEventLoop/sshunixeloop.c:738: Select timeout: 0 seconds, 0 usec.
SshEventLoop/sshunixeloop.c:797: Select.
Sftp2/sftp2.c:2206: notification: 1
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:338: Timeout registered at 1242394577.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:738: Select timeout: 0 seconds, 0 usec.
SshEventLoop/sshunixeloop.c:797: Select.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:684: Calling a timeout callback.
SshEventLoop/sshunixeloop.c:797: Select.
debug: hostname is 'mxssh01'.
debug: Unable to open /home/users/genevaz/.ssh2/ssh2_config
debug: connecting to mxssh01...
debug: entering event loop
debug: ssh_client_wrap: creating transport protocol
debug: SshAuthMethodClient/sshauthmethodc.c:107: Added "publickey" to usable methods.
debug: SshAuthMethodClient/sshauthmethodc.c:107: Added "password" to usable methods.
debug: Ssh2Client/sshclient.c:1105: creating userauth protocol
debug: Ssh2Common/sshcommon.c:489: local ip = 128.8.73.35, local port = 36290
debug: Ssh2Common/sshcommon.c:491: remote ip = 161.4.55.155, remote port = 22
debug: SshConnection/sshconn.c:1853: Wrapping...
debug: Ssh2Transport/trcommon.c:591: Remote version: SSH-2.0-6.0.1.16 SSH Tectia Server
debug: Ssh2Transport/trcommon.c:1095: c_to_s: cipher 3des-cbc, mac hmac-sha1, compression none
debug: Ssh2Transport/trcommon.c:1098: s_to_c: cipher 3des-cbc, mac hmac-sha1, compression none
debug: Ssh2Client/sshclient.c:399: Host key found from database.
debug: Ssh2Common/sshcommon.c:297: Received SSH_CROSS_STARTUP packet from connection protocol.
debug: Ssh2Common/sshcommon.c:347: Received SSH_CROSS_ALGORITHMS packet from connection protocol.
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:780: adding keyfile "/home/users/genevaz/.ssh2/batchftp_uat" to candidates
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:331: Constructing and sending signature...
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:425: ssh_client_auth_pubkey_send_signature: reading /home/users/genevaz/.ssh2/batchftp_uat
debug: Ssh2AuthPasswdClient/authc-passwd.c:82: Starting password query...
hnah\svc-us-sftp-hbeuie@mxssh01's password:

As you'll see, it prompts for a password - if I enter the password, I can log in to the server successfully. So, my main questions are: can you see anything that's not set up correctly on the Unix side? If not, what can I get the admin guy on the NT side to check? Also, when I attempt to log in, should there be any logfiles that show my connection, and why it's not authenticating correctly? If so, where are they located?

Please let me know if there's any other information that would help us to solve this issue.

Thanks in advance,

Steve Burch

  1. You should not publish keys - your system is now wide open
  2. In unix the keys go in the home directory of the user under the .ssh directory -- permissions on .ssh == 700.
  3. The user's home directory should not be world writable.

Hi Jim,

Thanks for your feedback - I only thought my system would be wide open if I'd published the whole keys, but I do stand to be corrected.

My understanding was that it was only Openssh that would use the .ssh directory, whereas the F-Secure version used .ssh2. I did actually remove the .ssh directory completely, and it didn't make any difference regarding connectivity.

The user's home directory is 755, so isn't writable by the world.

I can only assume the issue is on the NT server side, and believe I'll just have to set up the interface with a password built in.

Thanks,

Steve

Hi,

After some assistance from the NT server support guys, it appears that the public key that I have sent them is in the wrong format (there's a KnowledgeBase article, ID 31930, posted on the ssh support website about key incompatibility) - according to one article, the following command should be run:-

Now that you have uploaded the public key to the OpenSSH server, you must convert the public key format from SecSH (the format generated by the F-Secure SSH client) to OpenSSH (the format supported by OpenSSH servers). To do this, follow these steps:

  1. On the command line, change to the .ssh directory in your user account.
  2. Use the following command to convert the key to OpenSSH format and append the key to the authorized_keys file. Replace publickeyname.pub with the name of your public key:
    ssh-keygen -i -f publickeyname.pub >>authorized_keys

My questions on this are:-

  1. On which server is this meant to be run - the Unix or Windows?
  2. It mentions a .ssh directory, whereas the Windows server has a .ssh2 directory.
  3. Is there a utility I can run on the Unix server before transferring it to the Windows server? The options that I have are:-

bash-3.00$ ssh-keygen -help

Usage: ssh-keygen [options] [key1 key2 ...]
Where `options' are:
-b nnn Specify key strength in bits (e.g. 1024)
-t dsa | rsa Choose the key type.
-c comment Provide the comment.
-e file Edit the comment/passphrase of the key.
-p passphrase Provide passphrase.
-P Assume empty passphrase.
-?
-h Print this help text.
-q Suppress the progress indicator.
-1 Convert a SSH 1.x key. (not implemented)
-i file Load and display information on `file'.
-D file Derive the private key given in 'file' to public key.
-B number The number base for displaying key information (default 10).
-V Print ssh-keygen version number.
-r file Stir data from file to random pool.
-F file Dump fingerprint of file.
Does anyone have any further input on this that may help me?

Thanks in advance,

Steve
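The conversion the KnowledgeBase steps describe is a pure format change: a SecSH/RFC 4716 public key file (the "---- BEGIN SSH2 PUBLIC KEY ----" block shown earlier in the thread) and an OpenSSH authorized_keys line carry the same base64-encoded key blob; only the wrapper differs. The script below is an added example, not code from the thread, from F-Secure or from SSH Tectia: it parses the SecSH file (headers, quoted Comment values, backslash-continued header lines, base64 body), checks that the decoded blob has the expected ssh-rsa or ssh-dss structure, and prints the single-line OpenSSH form. Note that the F-Secure ssh-keygen help pasted above defines -i as "load and display information", so that binary will not perform this conversion; the script is one way to do it on the Unix side. The sample key is constructed inline for the example (a toy RSA modulus, not a real 2048-bit key), and the keep_comment option is an assumption of this script: OpenSSH's own ssh-keygen -i emits the key without the Comment.

```python
"""Convert a SecSH / RFC 4716 public key file into an OpenSSH authorized_keys line.

Added example for this thread; not the poster's, F-Secure's or SSH Tectia's code.
"""
import base64
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def parse_secsh_public_key(text):
    """Return (headers, key_blob) from SecSH/RFC 4716 public key text."""
    lines = [ln.rstrip("\r\n") for ln in text.strip().splitlines()]
    if not lines or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing SecSH BEGIN/END markers")
    body = lines[1:-1]
    headers = {}
    i = 0
    # Header lines contain "name: value"; base64 lines never contain ':'.
    while i < len(body) and ":" in body[i]:
        line = body[i]
        # A header line ending in a backslash is continued on the next line.
        while line.endswith("\\") and i + 1 < len(body):
            i += 1
            line = line[:-1] + body[i]
        name, _, value = line.partition(":")
        value = value.strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        headers[name.strip()] = value
        i += 1
    blob = base64.b64decode("".join(body[i:]), validate=True)
    return headers, blob


def read_ssh_string(blob, offset):
    """Read one SSH wire-format string (uint32 length + bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def key_type_of(blob):
    """The blob starts with the key type string, e.g. b'ssh-rsa'."""
    key_type, _ = read_ssh_string(blob, 0)
    return key_type.decode("ascii")


def check_blob_structure(blob, key_type):
    """ssh-rsa = type,e,n ; ssh-dss = type,p,q,g,y ; nothing may trail."""
    expected = {"ssh-rsa": 3, "ssh-dss": 5}
    if key_type not in expected:
        raise ValueError("unsupported key type %r" % key_type)
    offset = 0
    for _ in range(expected[key_type]):
        _, offset = read_ssh_string(blob, offset)
    if offset != len(blob):
        raise ValueError("trailing bytes after key fields")


def secsh_to_openssh(text, keep_comment=True):
    """Return the OpenSSH authorized_keys line for a SecSH public key file."""
    headers, blob = parse_secsh_public_key(text)
    key_type = key_type_of(blob)
    check_blob_structure(blob, key_type)
    line = "%s %s" % (key_type, base64.b64encode(blob).decode("ascii"))
    if keep_comment and headers.get("Comment"):
        line += " " + headers["Comment"]  # assumption: OpenSSH's -i drops this
    return line


def make_rsa_blob(e, n):
    """Build an ssh-rsa wire blob (used only to construct the sample key)."""
    def mpint(x):
        if x == 0:
            return struct.pack(">I", 0)
        b = x.to_bytes((x.bit_length() + 8) // 8, "big")  # leading 0 if high bit set
        return struct.pack(">I", len(b)) + b
    return struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)


# Constructed sample input: a toy modulus, not a usable key.
SAMPLE_BLOB = make_rsa_blob(35, int("c0ffee" * 10, 16))
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode("ascii")
SAMPLE_SECSH = "\n".join(
    [BEGIN,
     "Subject: genevaz",
     'Comment: "toy rsa, genevaz@nsufu351, \\',   # continued on next line
     'constructed for this example"']
    + [SAMPLE_B64[i:i + 70] for i in range(0, len(SAMPLE_B64), 70)]
    + [END]) + "\n"

if __name__ == "__main__":
    print(secsh_to_openssh(SAMPLE_SECSH))
```

Run it against the real .pub file instead of the sample (read the file and pass its contents to secsh_to_openssh) and the one line it prints is what an OpenSSH-style authorized_keys file expects; the structure check is there so that a truncated or mis-pasted blob is rejected before it is installed on the server.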