#1
05-26-2006, 01:14 PM
rross, Registered User
Join Date: May 2006
Posts: 10
Same keypair for securecrt and openssh?

I'm in a mixed environment .. Most of the time, I will initiate my ssh session from my laptop (WinXP) either through securecrt or cygwin/openssh or from my intermediary server (unix/openssh).

laptop -> intermediary server (unix) -> customer server (unix)

My requirement is to end up having only 1 public key assigned even though I may come in from:

securecrt (laptop) -> intermediary server -> customer server
cygwin (laptop) -> intermediary server -> customer server
intermediary server (openssh) -> customer server

Some history:
I have been using sshclient to ssh into the intermediary server then from that session ssh to a customer server. I also created a tiny script on cygwin to call sshclient.exe through the command line incorporating port forwarding so I can directly have a terminal session on the customer server.

I now have the restriction that all my keys require a passphrase, so obviously, I require agent forwarding now and all public keys within the customer servers be assigned an owner (Which is why I want to have just one public key, whether I come from securecrt; openssh/cygwin or openssh/intermediary unix)

via cygwin (define a connection to the intermediary server then port forward to my customer's server)

keychain -id_rsa
ssh -l rross -L $lport:$host:22 relay.hub.company.com -N $log &
sleep 1
securecrt.exe /SSH2 /P $lport /L root /I d:/cygwin/home/rross/.ssh/id_rsa localhost

The securecrt.exe still prompts me for my passphrase. I was able to use the /PASSPHRASE option to get around this. What I would like is to retrieve the key from my ssh-agent.

via Windows (with securecrt pointing to my openssh key)

Use securecrt gui to ssh into the intermediary server

securecrt did not prompt for my passphrase and had to login to the intermediary server using my userid password

If I generated the key in securecrt (with passphrase) copy the private and public key (after converting the pub key to openssh format) the passphrase seems to get corrupted and openssh does not accept it.

I know this sounds confusing .. and my team and I have been banging our heads against the wall with the new requirements without breaking all our automation.

Thanks for any pointers

#2
05-26-2006, 02:35 PM
tnygren, Registered User
Join Date: May 2005
Posts: 1,408
Hi Rross,

If I understand correctly, you would like to have one set of keys to use for all the connections.

Is that correct?

If so, this should be possible with a key pair generated by OpenSSH.

SecureCRT can read OpenSSH generated keys. Just copy the public and private keys from the OpenSSH machine that generated the key pair to all the other machines.

Set SecureCRT to use this key pair. This can be done by clicking the 'Properties' button after highlighting 'PublicKey' in the 'SSH2' sub-category under 'Connection' in the 'Session Options'.

Once the servers are configured to allow this key for your user, you should be able to use the same set of keys for all the connections.

Does using an OpenSSH generated key pair allow all the connections to use the same keys?
__________________
Thanks,

Teresa

Teresa Nygren

#3
05-26-2006, 03:04 PM
rross, Registered User
Join Date: May 2006
Posts: 10
Teresa,

This is what I have for Properties of Public Key

D:\cygwin\home\richard\.ssh\id_rsa

The problem is that it's not asking me for the passphrase and is trying to authenticate using password of the userid.

When I attempt through securecrt.exe under cygwin, I have to use the /PASSPHRASE option to make it work

Yet .. ssh under cygwin is working correctly (authenticating via my passphrase via ssh-agent)

Thanks again,

Richard

#4
05-26-2006, 03:13 PM
rross, Registered User
Join Date: May 2006
Posts: 10
Teresa,

Also, What would your recommendation be for agent forwarding?

Thanks again

#5
05-26-2006, 03:33 PM
tnygren, Registered User
Join Date: May 2005
Posts: 1,408
Hi Rross,

Quote:
This is what I have for Properties of Public Key

D:\cygwin\home\richard\.ssh\id_rsa

The problem is that it's not asking me for the passphrase and is trying to authenticate using password of the userid.

When I attempt through securecrt.exe under cygwin, I have to use the /PASSPHRASE option to make it work

Is 'PublicKey' the first option in the 'Authentication' box in the 'SSH2' sub-category?

If so, there could be something else happening.

To find out for certain, could you provide me with the 'Trace Option' output in an email to support@vandyke.com?

Just use a subject of ATTN: Teresa Forum Thread 1461 and it will get to me.

Quote:
Also, What would your recommendation be for agent forwarding?

I would recommend that both 'Add keys to agent' and 'Enable OpenSSH agent forwarding' be enabled in the 'SSH2' category of the 'Global Options' so that the private key can be stored in the OpenSSH agent if available.
__________________
Thanks,

Teresa

Teresa Nygren

#6
05-26-2006, 05:27 PM
rross, Registered User
Join Date: May 2006
Posts: 10
Teresa,

Ah ha .. Password authentication was the 1st one listed .. I changed the order so Public Key is first and now I'm being asked for the passphrase .. Thanks

Can you explain in some more detail on how agent forwarding works on securecrt? I have both 'Add keys to agent' and 'Enable OpenSSH agent forwarding' enabled. Does this spawn off another process? or is this something built into securecrt? What I would like to do is have the ability to enter my passphrase only once per windows boot. When I restarted securecrt I was prompted for the passphrase again .. Is this the way it works? Any way to piggy back on the ssh-agent process that I started from cygwin?

#7
05-27-2006, 09:10 AM
jjh, VanDyke Customer Support
Join Date: Feb 2004
Posts: 815
Hello rross.

Agents are programs that work in the background gathering
information or performing small processing tasks. In
SecureCRT, the implemented agent temporarily holds private
keys for use with public-key authentication to multiple
remote hosts.

If you use passphrases to protect your private keys, and you
need to connect to many servers using the same key pair, you
can have the agent cache your unencrypted private key so
that you don't have to enter your passphrase for every
machine. If you enable the "Add Keys to Agent" setting, you
can enter your passphrase the first time you need to use
your private key and as long as your agent has not been
flushed, you can connect to any other server that has the
corresponding public key.

Agent forwarding is using the agent to connect to a remote
machine through another remote machine.

To connect to the destination machine without using the
agent, you would have to transfer your public key to both
the intermediate and destination hosts and you would have to
store your private key on the intermediate machine as well
as on your local machine.

With the agent enabled, it acts as your proxy in
authenticating to the destination host and allows you to
keep your private key on just the local machine.

Note: Agent forwarding will only work if all intermediate
machines are OpenSSH agent protocol servers running
SSH2. Destination servers must be running SSH2 but do
not have to be OpenSSH agent protocol servers.

You can read more about using the Agent in the SecureCRT
Help in the "Secure Connections" \ "Using the Agent"
category of the Help.

Does this help you?

Thank you

JJH
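
Added example (not part of the thread and not VanDyke's code): the agent messages that agent forwarding relays from the intermediate host back to the agent on the local machine, encoded and parsed in Python following the OpenSSH agent protocol (draft-miller-ssh-agent). The key blob and the comment `rross@laptop` are constructed sample data, not a real key.

```python
import struct

# Message numbers from the OpenSSH agent protocol (draft-miller-ssh-agent).
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13

def ssh_string(data: bytes) -> bytes:
    # SSH "string": uint32 big-endian length, then the bytes.
    return struct.pack(">I", len(data)) + data

def frame(msg_type: int, payload: bytes = b"") -> bytes:
    # Agent packet: uint32 length, one type byte, then the payload.
    return struct.pack(">IB", len(payload) + 1, msg_type) + payload

def read_string(buf: bytes, off: int):
    # Bounds-checked read of one SSH string; returns (value, next_offset).
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("string runs past end of packet")
    return buf[off + 4:off + 4 + n], off + 4 + n

def sign_request(key_blob: bytes, data: bytes, flags: int = 0) -> bytes:
    # The protocol has no message that returns a private key; a client
    # asks the agent to sign data with the key matching this public blob.
    body = ssh_string(key_blob) + ssh_string(data) + struct.pack(">I", flags)
    return frame(SSH_AGENTC_SIGN_REQUEST, body)

def parse_identities(packet: bytes):
    # Parse SSH_AGENT_IDENTITIES_ANSWER into [(public_key_blob, comment)].
    if len(packet) < 9:
        raise ValueError("short packet")
    length, msg_type, count = struct.unpack_from(">IBI", packet, 0)
    if length != len(packet) - 4 or msg_type != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not a well-formed identities answer")
    off, keys = 9, []
    for _ in range(count):
        blob, off = read_string(packet, off)
        comment, off = read_string(packet, off)
        keys.append((blob, comment.decode("utf-8", "replace")))
    return keys

# Constructed sample data (not a real key): one identity as an agent lists it.
SAMPLE_BLOB = ssh_string(b"ssh-rsa") + b"constructed-public-key-bytes"
SAMPLE_REPLY = frame(SSH_AGENT_IDENTITIES_ANSWER, struct.pack(">I", 1)
                     + ssh_string(SAMPLE_BLOB) + ssh_string(b"rross@laptop"))
```

Only public key blobs, comments, and signatures cross the forwarded channel, which is why the private key can stay on the local machine while the intermediate host still authenticates onward.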