phoenixgarage.org

Projects: Making SSH and OpenSSH Play Nice
Posted on 2008-06-06 @ 19:27:47 by r00t

Towards the end of the development of the new "look and feel" for this site, I ran into an interesting issue when I attempted to implement an automatic authentication scheme between my development server and the virtual server my site is hosted on. The issue turned out to be easy to resolve, but learning how to do so required me to perform many Google searches before I had the correct answer.


My development server has OpenSSH installed, while the web hosting server has SSH installed. I didn't get very far by following the many resources I found on the internet, nor did reading the man pages for the tools help. No matter what I tried, the OpenSSH client on my end would not automatically authenticate with the SSH server on the other end. The discussions I found on the internet focused mainly on setups where both the client and the server ran SSH, or both ran OpenSSH. Very little was said about what tricks were needed to configure things so that OpenSSH would talk to SSH.

It turned out mainly to be due to an "undocumented" (well, at least, my man page on my development server says nothing about it) switch within the SSH keygen application. The tutorial that follows should hopefully help others in a similar situation.

Configuring Automatic Authentication using SSH and OpenSSH

  1. On the local machine (running OpenSSH), generate the public/private DSA key pair (a DSA key is all that this version of SSH would understand; if both ends of your setup understand RSA or another key type, I imagine that you can use that as well):

    ssh-keygen -t dsa

    By default (if you simply hit return at the prompts), this will generate two files, id_dsa and id_dsa.pub, which are the private and public keys generated, respectively. The program will ask you for a passphrase - you can simply hit return, or for better security, input one.

    These files will be created in the ~/.ssh directory. You will want to change the permissions on this directory as well for better security:

    chmod 700 ~/.ssh

    You may also want to perform the same operation on the files within this directory as well, again, for increased security:

    cd ~/.ssh
    chmod 700 *
  2. Change to the ~/.ssh directory on the local machine, and convert the generated DSA public key (id_dsa.pub) to one that is compatible with SSH:

    ssh-keygen -x -f id_dsa > ssh2.dsa.pub

    This will take the original private key (id_dsa), and create an SSH compatible public key (ssh2.dsa.pub) in the directory.

  3. SSH into the remote machine, and create the .ssh2 directory in your home directory (~/) to hold the public key, and set the permissions:

    mkdir .ssh2
    chmod 700 .ssh2

  4. From the local machine, transfer the ssh2.dsa.pub file (the public key) to the remote machine, via either sftp or scp, into the ~/.ssh2 directory:

    scp ssh2.dsa.pub user@remoteserver.com:/home/user/.ssh2/id_dsa.pub

    Replace "user@remoteserver.com" with the name of your account and domain of the remote server. You will be asked to input your password to complete the transfer.

  5. SSH into the remote machine, and cd to ~/.ssh2. You should find the id_dsa.pub file you transferred.
  6. Create the file to tell SSH where to find the public key as follows:

    echo "Key id_dsa.pub" > ~/.ssh2/authorization
  7. Change the permissions on the files as follows for added security:

    chmod 700 *
  8. Everything should now be set up properly. On the local machine, you should now be able to use ssh as follows (where "user@remoteserver.com" is the name of your account and domain of the remote server):

    ssh -v user@remoteserver.com

    You will be automatically logged into the remote server (remoteserver.com) via ssh. In a similar fashion, you can do the following:

    sftp user@remoteserver.com

    and you will be automatically logged in using sftp.

So...What is the secret?

Step 2 is where the magic occurs:

ssh-keygen -x -f id_dsa > ssh2.dsa.pub

This does generate a compatible key - the secret is the -x parameter. It isn't mentioned in the OpenSSH documentation:

http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen

But it is mentioned in the SSH documentation:

http://www.ssh.com/support/documentation/online/ssh/winhelp/53/ssh-keygen-g3.html

Wherein it states:

-x file
    Converts a private key from the X.509 format to the SSH2 format.

This is what the problem was - I couldn't generate a public/private DSA key pair that both SSH and OpenSSH would mutually understand. Passing this special flag to the keygen utility allows it to convert the private key of one format into the public key in the alternate format. What is interesting is that this flag appears to work under OpenSSH - though it isn't documented in the OpenSSH documentation! Weird, and a bit frustrating.
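As an added example, not code from the original article, the following Python reproduces the file-format change that step 2 (and the -x flag discussed above) performs: it rewrites an OpenSSH one-line public key into the RFC 4716 / SECSH block that the SSH2 server reads from ~/.ssh2, checks that the declared key type matches the key blob, and converts it back. The key material is a constructed dummy ssh-dss blob, not a real key, and the functions stand in for ssh-keygen rather than being the tool itself.

```python
import base64
import struct
# Constructed sample (NOT a real key): an ssh-dss blob with dummy parameters,
# encoded the way OpenSSH writes id_dsa.pub: "<type> <base64> <comment>".
def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(n: int) -> bytes:
    # One spare leading byte keeps the two's-complement encoding positive.
    return _ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))
SAMPLE_BLOB = _ssh_string(b"ssh-dss") + b"".join(  # dummy p, q, g, y follow
    _ssh_mpint(v) for v in (2**1023 + 12345, 2**159 + 7, 2**1000 + 3, 2**1022 + 99))
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE_LINE = f"ssh-dss {SAMPLE_B64} dev@local"
BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"

def blob_key_type(blob: bytes) -> str:
    """Every SSH public key blob starts with its type as a length-prefixed string."""
    (tlen,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + tlen].decode()

def openssh_to_secsh(line: str, wrap: int = 70) -> str:
    """Rewrite an OpenSSH one-line public key as an RFC 4716 (SECSH) block, the
    layout the SSH2 server expects for the file named in ~/.ssh2/authorization."""
    fields = line.split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    if blob_key_type(blob) != fields[0]:
        raise ValueError("declared key type does not match the key blob")
    headers = [f'Comment: "{fields[2]}"'] if len(fields) == 3 else []
    b64 = base64.b64encode(blob).decode()
    body = [b64[i:i + wrap] for i in range(0, len(b64), wrap)]
    return "\n".join([BEGIN, *headers, *body, END]) + "\n"

def secsh_to_openssh(text: str) -> str:
    """Reverse conversion back to the OpenSSH one-line form (simplified: header
    continuation lines ending in a backslash are not handled)."""
    lines = text.strip().splitlines()
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an RFC 4716 public key block")
    comment, body = "", []
    for ln in lines[1:-1]:
        if ":" in ln:  # header line; base64 text never contains ':'
            if ln.startswith("Comment:"):
                comment = ln.split(":", 1)[1].strip().strip('"')
        else:
            body.append(ln.strip())
    blob = base64.b64decode("".join(body), validate=True)
    return f"{blob_key_type(blob)} {base64.b64encode(blob).decode()} {comment}".rstrip()
```

Running `openssh_to_secsh(SAMPLE_LINE)` yields the same kind of "---- BEGIN SSH2 PUBLIC KEY ----" file that step 2 writes to ssh2.dsa.pub, and the type check is what catches a key whose text label and blob disagree.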

I wish to thank "glorpo2" for the information about this special flag, as found in his or her post at this URL (scroll to the bottom):

http://www.experts-exchange.com/Security/Unix_Security/Q_20816892.html

Without learning about that, I might still be writing code, instead of composing articles. THANK YOU!!!
