Re: Using public key pair to authenticate

Peter,

I deliver support for the F-Secure SSH products and have this question
come up numerous times,  Gary is right that the key formats are
different, however I would not generate a new public key from the
private. The best thing to do would be to convert the public key into
a SECSH format (which SSH.com and F-Secure SSH implementations
support). To do this, follow the instructions below:

1. Generate the client keypair in OpenSSH using the command: 
ssh-keygen -b 1024 -t rsa -f mykey

This creates the private key "mykey" and the public key "mykey.pub"
 
2. Next I would convert my public key using the command: 
ssh-keygen -e -f mykey.pub > mykey-secsh.pub

This will convert my public key into SECSH format and output to mykey-secsh.pub.
 
3. Copy the converted public key over to the SSH Server and place it
in the users $HOME/.ssh2 folder
 
4. Add the following line to the "authorization" file in the users
$HOME/.ssh2 folder:
 
key mykey-secsh.pub
 
This should be all you need to do in order for public key
authentication to work from an OpenSSH client.

You may want to double check the syntax for the authorization file,
this is specific to the F-Secure implementation.

Gary - Copying the client binaries to another machine would violate
your licence agreement with ssh.com, so you should be careful with
this approach.

HTH,

Nathan


On Wed, 24 Nov 2004 18:43:03 +0800, Tay, Gary <gary_tay@platts.com> wrote:
> Both servers you mentioned should also have client command files.
> (typically in /usr/local/bin).
>
> I have noticed that you are having SSH products from different vendors,
> I believe the "SSH Secure Shell 3.2.0" is from SSH Communications
> http://www.ssh.com which has similar config files as F-Secure SSH
> (http://www.fsecure.com), while OpenSSH is from http://www.openssh.org,
> which has similar config files as SUN's Solaris as SUN SSH is derived
> from OpenSSH.
>
> The SSH keys generated among these two "CAMP"s ARE NOT compatible, your
> choices are:
>
> 1) Convert the key from one format to suit the other, read the "man
> ssh-keygen" page for details:
>
>      -x    Reads a private OpenSSH DSA format file and prints  an
>            SSH2-compatible public key to stdout.
>
>      -X    Reads an unencrypted SSH2-compatible private (or  pub-
>            lic) key file and prints an OpenSSH compatible private
>            (or public) key to stdout.
>
> I don't fancy this approach.
>
> 2) Copy the needed SSH client command files from the SSH Server (SSH
> Communications), into a tar file and untar them onto the SSH Client
> (OpenSSH Server) ONTO A DIFFERENT LOCATION, eg: /home/fsecure/bin or
> /home/ssh-com/bin, write a script to check target SSH Server's "BRAND"
> and use the corresponding version of SSH client command.
>
> I have done this in my "three script based multi-server system health
> monitoring", check up a chk_remote_host.sh script and others at my home
> page that has many other goodies as well.
>
> ...
> SSH_BRAND=`cat hosts.par | grep -v "^#" | grep -i "HOST=$HOST" | grep
> "SSH_BRAND=" | cut -d',' -f2 | cut -d'=' -f2`
> # Pls customize for different brand of SSH client softwares
> # You must install different SSH client sw in different directory
> # on the monitoring server if you would like to monitor servers with
> # different SSH sw, otherwise you must take the trouble to convert the
> # keys between them
> case "$SSH_BRAND" in
>    SUN-SSH) SCP="/usr/bin/scp";
>             SSH="/usr/bin/ssh";;
>    OPENSSH) SCP="/usr/local/bin/scp";
>             SSH="/usr/local/bin/ssh";;
>    SSH-COM) SCP="/opt/ssh/bin/scp";
>             SSH="/opt/ssh/bin/ssh";;
>    FSECURE) SCP="/home/fsecure/bin/scp";
>             SSH="/home/fsecure/bin/ssh";
>             PATH=/home/fsecure/bin:$PATH; export PATH;;
>    *) echo "SSH Brand of $HOST not defined in hosts.par"; exit 1
> esac
> ...
>
> http://web.singnet.com.sg/~garyttt/chk_remote_hosts.zip
>
> http://web.singnet.com.sg/~garyttt
>
> Hope these help.
>
> Rgds
> Gary
>
>
>
>
> -----Original Message-----
> From: Tay, Gary
> Sent: Wednesday, November 24, 2004 6:11 PM
> To: 'Loo, Peter'; secureshell@securityfocus.com
> Subject: RE: Using public key pair to authenticate
>
> You may search SUN's BigAdmin portal or Google for "authorized_keys".
> Some good ones:
>
> http://www.sun.com/bigadmin/features/articles/sec_shell_1.html
> http://www.sun.com/bigadmin/features/articles/sec_shell_2.html
>
> Most people would start SSH server in debug mode, "sshd -d", and also
> test ssh client connection using vervose mode, "ssh -v remotehost"
>
> Gary
>
> -----Original Message-----
> From: Loo, Peter [mailto:Peter.Loo@bannerhealth.com]
> Sent: Wednesday, November 24, 2004 7:58 AM
> To: secureshell@securityfocus.com
> Subject: Using public key pair to authenticate
>
> Hi,
>
> I am working with two Unix servers running AIX 5.2.  One server is
> running "OpenSSH_3.6.1p2-CERT-patched, SSH protocols 1.5/2.0, OpenSSL
> 0x009060df" while the other is running "SSH Secure Shell 3.2.0".
>
> I created the key pair on the server with OpenSSH using "ssh-keygen".  I
> named the output files as (identity & identity.pub).  Then I copied the
> contents of "identity.pub" to the file named authorized_keys on the
> server with "SSH Secure Shell 3.2.0".
>
> When I try connecting to the remote server, I am asked to type in the
> password.  Apparently the public key authentication method is not
> working.
>
> Can someone shed some light for me?
>
> Thanks.
>
> Peter