  #1  
Old 07-22-2005, 02:38 PM
tamitutor tamitutor is offline
Registered User
 
Join Date: Jul 2005
Posts: 6
SecureCRT private/public key auth failing

Hi,

Having problems getting the private/public key auth to work from within SecureCRT. The server doesn't even register that I'm talking to it. So it appears I'm not even getting off my box. Any help would be greatly appreciated!

Thanks,

Tami
Reply With Quote
  #2  
Old 07-22-2005, 03:46 PM
toloughlin toloughlin is offline
Senior Member
 
Join Date: Feb 2004
Location: Nashua, NH
Posts: 378
Hi Tami,

What version of ssh is your server running? What version of SecureCRT? Did you generate your public/private keys from within SecureCRT?

With more info, any number of us can probably help.
__________________
----------------------------------------------
Tom O'Loughlin
Reply With Quote
  #3  
Old 07-22-2005, 03:48 PM
tamitutor tamitutor is offline
Registered User
 
Join Date: Jul 2005
Posts: 6
Verbose output of vsh.exe in attempting to logon to server.

Please see the appended text info for the verbose output of vsh.exe

---------------BEGIN TEXT--------------------------

C:\Documents and Settings\tamitutor\Application Data\VanDyke>vsh -2 -v -accepthostkeys -auth publickey -noprompt -i Identity.pub -l tamitutor 192.168.1.20>debug.txt
VSH version 5.0.0 (build 62) starting. (Using SSH2Core version 3.1.0.545.)
[LOCAL DEBUG] : Changing state from STATE_NOT_CONNECTED to STATE_EXPECT_KEX_INIT.
[LOCAL DEBUG] : Using protocol SSH2
[LOCAL DEBUG] : RECV : Remote Identifier = "SSH-2.0-OpenSSH_3.6.1p2"
[LOCAL DEBUG] : CAP : Remote can re-key
[LOCAL DEBUG] : CAP : Remote sends language in password change requests
[LOCAL DEBUG] : CAP : Remote sends algorithm name in PK_OK packets
[LOCAL DEBUG] : CAP : Remote sends algorithm name in public key packets
[LOCAL DEBUG] : CAP : Remote sends algorithm name in signatures
[LOCAL DEBUG] : CAP : Remote sends error text in open failure packets
[LOCAL DEBUG] : CAP : Remote sends name in service accept packets
[LOCAL DEBUG] : CAP : Remote includes port number in x11 open packets
[LOCAL DEBUG] : CAP : Remote uses 160 bit keys for SHA1 MAC
[LOCAL DEBUG] : CAP : Remote supports new diffie-hellman group exchange messages
[LOCAL DEBUG] : CAP : Remote correctly handles unknown SFTP extensions
[LOCAL DEBUG] : CAP : Remote correctly encodes OID for gssapi
[LOCAL DEBUG] : CAP : Remote correctly uses connected addresses in forwarded-tcpip requests
[LOCAL DEBUG] : SEND : KEXINIT
[LOCAL DEBUG] : RECV : Read kexinit
[LOCAL DEBUG] : Changing state from STATE_EXPECT_KEX_INIT to STATE_KEY_EXCHANGE.
[LOCAL DEBUG] : Available Remote Kex Methods = diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
[LOCAL DEBUG] : Selected Kex Method = diffie-hellman-group-exchange-sha1
[LOCAL DEBUG] : Available Remote Host Key Algos = ssh-rsa,ssh-dss
[LOCAL DEBUG] : Selected Host Key Algo = ssh-dss
[LOCAL DEBUG] : Available Remote Send Ciphers = aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
[LOCAL DEBUG] : Selected Send Cipher = aes256-cbc
[LOCAL DEBUG] : Available Remote Recv Ciphers = aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
[LOCAL DEBUG] : Selected Recv Cipher = aes256-cbc
[LOCAL DEBUG] : Available Remote Send Macs = hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
[LOCAL DEBUG] : Selected Send Mac = hmac-sha1
[LOCAL DEBUG] : Available Remote Recv Macs = hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
[LOCAL DEBUG] : Selected Recv Mac = hmac-sha1
[LOCAL DEBUG] : Available Remote Compressors = none,zlib
[LOCAL DEBUG] : Selected Compressor = none
[LOCAL DEBUG] : Available Remote Decompressors = none,zlib
[LOCAL DEBUG] : Selected Decompressor = none
[LOCAL DEBUG] : SEND : KEXDH_GEX_REQUEST
[LOCAL DEBUG] : RECV : KEXDH_GEX_GROUP
[LOCAL DEBUG] : RECV : DH Prime is 1535 bits
[LOCAL DEBUG] : SEND : KEXDH_INIT
[LOCAL DEBUG] : RECV : KEXDH_REPLY
[LOCAL DEBUG] : SEND : NEWKEYS
[LOCAL DEBUG] : Changing state from STATE_KEY_EXCHANGE to STATE_EXPECT_NEWKEYS.
[LOCAL DEBUG] : RECV : NEWKEYS
[LOCAL DEBUG] : Changing state from STATE_EXPECT_NEWKEYS to STATE_CONNECTION.
[LOCAL DEBUG] : SEND: SERVICE_REQUEST[ssh-userauth]
[LOCAL DEBUG] : RECV: SERVICE_ACCEPT[ssh-userauth] -- OK
[LOCAL DEBUG] : SENT : USERAUTH_REQUEST [none]
[LOCAL DEBUG] : RECV : USERAUTH_FAILURE, continuations [publickey]
[LOCAL DEBUG] : SENT : USERAUTH_REQUEST [publickey - unsigned,fingerprint: 8a:48:3a:8d:b8:eb:0a:54:b2:6e:70:78:ec:9c:ac:be]
[LOCAL DEBUG] : RECV : USERAUTH_FAILURE, continuations [publickey]
Public key authentication error.
Public-key authentication with the SSH server for
user tamitutor failed. Please verify username and
public/private key pair.
[LOCAL DEBUG] : SEND: Disconnect packet: Unable to authenticate using any of the configured authentication methods.
[LOCAL DEBUG] : Changing state from STATE_CONNECTION to STATE_SEND_DISCONNECT.
Disconnecting from server: Unable to authenticate using any of the configured authentication methods.
[LOCAL DEBUG] : Changing state from STATE_SEND_DISCONNECT to STATE_CLOSED.
[LOCAL DEBUG] : Connected for 0 seconds, 1522 bytes sent, 1764 bytes received

C:\Documents and Settings\tamitutor\Application Data\VanDyke>
-----------------END TEXT----------------------

Any help is greatly appreciated! (Help me, please!?!)

Tami
Reply With Quote
  #4  
Old 07-22-2005, 03:53 PM
tamitutor tamitutor is offline
Registered User
 
Join Date: Jul 2005
Posts: 6
More info

Toloughlin--
SSH version: SSH2
SecureCRT version: 5
Yes, I did generate public/private keys from within SecureCRT.

I don't have access to the server. I sent my Identity.pub to the current admin, he's supposedly added the key in the .ssh/ directory on the server which is a Redhat ES box. The encryption algorithm used for creating the keys is DSA.
Reply With Quote
  #5  
Old 07-22-2005, 04:07 PM
bocks bocks is offline
VanDyke Customer Support
 
Join Date: Jan 2004
Location: Albuquerque, NM
Posts: 184
Hi tamitutor,

From the log, it looks like you are able to communicate with the ssh server just fine. But it is not recognizing your public key.

Do you know whether or not the sysadmin converted the .pub file into the proper format for OpenSSH? He should have done something like this:

Code:
% ssh-keygen -i -f /homedir/.ssh/identity.pub >> /homedir/.ssh/authorized_keys
If not, then OpenSSH may not be able to read the key.

Thanks,

-bocks
Reply With Quote
  #6  
Old 07-22-2005, 04:51 PM
tamitutor tamitutor is offline
Registered User
 
Join Date: Jul 2005
Posts: 6
ssh-keygen does not solve the problem

Hi bocks,

Thanks for the suggestion. Using the ssh-keygen tool did not seem to resolve the problem. When you say the server may not be able to read the key, what do you mean by that? Should I generate with putty-gen (OpenSSH format), then import? (If that's possible.)

Tami
Reply With Quote
  #7  
Old 07-22-2005, 09:25 PM
tamitutor tamitutor is offline
Registered User
 
Join Date: Jul 2005
Posts: 6
Standard OpenSSH2 keys

Nothing seems to be working and I've been all over the internet trying to figure this out. If anyone can give me a good explanation as to why this is still failing in spite of following everyone's advice/ideas, I'd appreciate it. I think it is failing on the client side, BTW.
Reply With Quote
  #8  
Old 07-22-2005, 10:23 PM
tamitutor tamitutor is offline
Registered User
 
Join Date: Jul 2005
Posts: 6
Putty works and your software doesn't!

Hi,

I finally got it working with Putty. I created the private/public key pair on the server. Copied and pasted the private key into a local file, then imported the private key via puttygen. Then I pointed putty to use this private key that was originally generated on the server. And...VOILA! It works like a charm. I'm sending SecureCRT back!

PS. If you don't have access to the server to use ssh-keygen then get a version of openSSH for your platform (if you're on a Windows platform you can use PuttyGen or download Cygwin and install).

Thanks for nothing!

Tami

Last edited by tamitutor; 07-22-2005 at 10:28 PM.
Reply With Quote
  #9  
Old 07-22-2005, 10:54 PM
toloughlin toloughlin is offline
Senior Member
 
Join Date: Feb 2004
Location: Nashua, NH
Posts: 378

OUCH
__________________
----------------------------------------------
Tom O'Loughlin
Reply With Quote
  #10  
Old 07-22-2005, 11:49 PM
bocks bocks is offline
VanDyke Customer Support
 
Join Date: Jan 2004
Location: Albuquerque, NM
Posts: 184
Hi Tami,
Quote:
Originally Posted by tamitutor
Thanks for the suggestion. Using the ssh-keygen tool did not seem to resolve the problem. When you say the server may not be able to read the key, what do you mean by that? Should I generate with putty-gen (OpenSSH format), then import? (If that's possible.)
The problem that you are seeing is due to OpenSSH not being able to read the .pub file natively. The public key format is defined in the IETF Secure Shell draft and is used by SecureCRT. OpenSSH uses their own format. In order to maintain compatibility, they designed the ssh-keygen utility to be able to import and export public keys into the IETF defined format.

In your question about using putty-gen to generate the keys, this may work, but not because of a difference in how OpenSSH handles keys, but because SecureCRT can read both public and private keys that are in the OpenSSH format. You just need to make sure that both keys are in the same directory and point SecureCRT to them.

Quote:
Originally Posted by tamitutor
Nothing seems to be working and I've been all over the internet trying to figure this out. If anyone can give me a good explanation as to why this is still failing in spite of following everyone's advice/ideas, I'd appreciate it. I think it is failing on the client side, BTW.
...
Quote:
Originally Posted by tamitutor
Code:
[LOCAL DEBUG] : SENT : USERAUTH_REQUEST [publickey - unsigned,fingerprint: 8a:48:3a:8d:b8:eb:0a:54:b2:6e:70:78:ec:9c:ac:be]
[LOCAL DEBUG] : RECV : USERAUTH_FAILURE, continuations [publickey]
Public key authentication error.
Public-key authentication with the SSH server for
user tamitutor failed. Please verify username and
public/private key pair.
This section of the log file shows that vsh is trying to send the private key to the server. The server is then returning an error stating that public key authentication failed. In order to determine why the server rejected the authentication attempt, we would need to see the server log file entries for this session. It is possible that there was an error in the key, but we do not know the cause of the rejection without seeing the server log.
Quote:
Originally Posted by tamitutor
I finally got it working with Putty. I created the private/public key pair on the server. Copied and pasted the private key into a local file, then imported the private key via puttygen. Then I pointed putty to use this private key that was originally generated on the server. And...VOILA! It works like a charm. I'm sending SecureCRT back!
I am sorry to hear that SecureCRT did not meet your expectations. While I can understand your frustration in being unable to authenticate with the OpenSSH server using public key authentication, we would still like to determine what happened to cause this failure in order to prevent another user from having to experience the same frustration. Would you be willing to help us determine the exact cause of this failure? You can reach me via email to Support@vandyke.com with a subject of Attn: Shannon Re: Public key Authentication problem from Forums.
This will ensure that I get your message. I will be checking mail later tomorrow (Sat. 24 Jul. 2005) for your message or reply here on the Forums.

Thanks,

-bocks
Reply With Quote
  #11  
Old 09-26-2005, 09:42 PM
Chris Nicotra Chris Nicotra is offline
Registered User
 
Join Date: Sep 2005
Posts: 9
Having the same problem

We have a bunch of customers using SecureCRT and need to move to using key based authentication, but I have spent many hours and can not get it to work from SecureCRT. I can get it to work with Putty and other SSH clients.

We are running Linux with OpenSSH. I create the key files on SecureCRT and download the .pub file and run the convert as suggested above, but when I try to login, I get an error saying that the server didn't recognize my public key.

Is there some way to use ssh-keygen on Linux and move the private file to my PC to be used by SecureCRT?

/Chris
Reply With Quote
  #12  
Old 09-27-2005, 08:18 AM
FuzzyFox FuzzyFox is offline
Registered User
 
Join Date: Feb 2005
Location: Dallas, TX
Posts: 59
The most useful way to find out the nature of the problem is to read the logs on the server that you're trying to login to (which may not be possible since you can't login, so you may need an administrator to do this for you).

A common problem with public key authentication is that the permissions on the user's home directory, or the .ssh directory, or the authorized_keys file, are too permissive. The key might be correctly formatted, but the server will not trust it because of the possibility that some other user might be able to write to that file. Tightening up the permissions can help a lot, but sometimes you will have to have the admin do this for you, if you can't connect and do it yourself.

Permissions are very common, but not the only problem. The authorized_keys file is a simple text file, so you (or someone) should be able to examine it to see if it's written correctly.

For OpenSSH servers, each key is a (very very long) line of text. That means that if the text gets word-wrapped or broken up, the data might appear correct, but it is not; it needs to be one continuous line of text in order to be recognized properly by the server.

Here's an example of a key file:

Code:
ssh-dss [base64 key data omitted] fox@shippo
ssh-dss [base64 key data omitted] fox@laptop
Well, that's funny. Notice the long lines of text are broken up by spaces. They were NOT entered that way when I pasted them into this vBoard, but the board apparently can't handle the long lines, and breaks them up anyway. This is an example of how difficult it can be to keep these keys formatted correctly when someone is installing your key to a server.

It is unfortunate that VanDyke's public key assistant is not installed in more OpenSSH servers...
Reply With Quote
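A check for the permissions problem described in the post above, as an added Python example that is not code from the thread. The rule it applies (the home directory, .ssh and authorized_keys must belong to the account or root and must not be writable by group or others) and the modes that tighten() sets are this example's assumptions; key_path_problems and tighten are hypothetical names.

```python
import os
import stat

def key_path_problems(home, owner_uid):
    """Check the home directory, .ssh and authorized_keys, in that order.

    Assumed rule: each path must be owned by the account (or root) and must
    not carry group or world write permission.
    """
    ssh_dir = os.path.join(home, ".ssh")
    problems = []
    for path in (home, ssh_dir, os.path.join(ssh_dir, "authorized_keys")):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append((path, "missing"))
            continue
        if st.st_uid not in (owner_uid, 0):
            problems.append((path, f"owned by uid {st.st_uid}"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = stat.S_IMODE(st.st_mode)
            problems.append((path, f"mode {mode:04o} is group/world writable"))
    return problems

def tighten(home):
    """Drop group/world write on home; set .ssh to 0700 and the key file to 0600."""
    ssh_dir = os.path.join(home, ".ssh")
    os.chmod(home, stat.S_IMODE(os.stat(home).st_mode) & ~0o022)
    os.chmod(ssh_dir, 0o700)
    os.chmod(os.path.join(ssh_dir, "authorized_keys"), 0o600)
```

An administrator would run key_path_problems against the affected account's home directory and uid before looking at the key text itself.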
  #13  
Old 09-27-2005, 12:44 PM
Chris Nicotra Chris Nicotra is offline
Registered User
 
Join Date: Sep 2005
Posts: 9
From playing with this some more today:

There seem to be two different ways to generate keys in SecureCRT. One from the Global options and another from the Session options. When I generate a key from the Global options it gives me the option of selecting RSA or DSA, but from the session options it does not. On the session preferences in the Connection settings page, the Authentication option includes RSA, Password, and TIS, but not DSA or public key (mentioned in the help file).

When I generate the key using the global options, I get a string with hexadecimal values, but from the session option I always get nothing but numbers. When I use the key pair generated by the Global options, and I try to login, SecureCRT doesn't seem to know how to open the private key file generated by the Global option create identity button.

I'm running version 4.1.7.

Once I get this to work, I am going to need to roll it out to all of our SecureCRT users. Is there any way to generate the keys on the server using OpenSSH?

Thanks,
/Chris
Reply With Quote
  #14  
Old 09-27-2005, 08:12 PM
Chris Nicotra Chris Nicotra is offline
Registered User
 
Join Date: Sep 2005
Posts: 9
Public Keys Generated by SecureCRT

I downloaded the latest update hoping that might help, but it didn't.

If I generate keys off the Global options and try to use a global identity, SecureCRT can not seem to read the file on authentication. It says it is not a valid file format. If I generate the keys from the session form, the ssh-keygen program using any of the options mentioned on this board, I get:

buffer_get: trying to get more bytes 4 than in buffer 3.

/Chris
Reply With Quote
  #15  
Old 09-27-2005, 09:55 PM
FuzzyFox FuzzyFox is offline
Registered User
 
Join Date: Feb 2005
Location: Dallas, TX
Posts: 59
Quote:
Originally Posted by Chris Nicotra
There seem to be two different ways to generate keys in SecureCRT. One from the Global options and another from the Session options. When I generate a key from the Global options it gives me the option of selecting RSA or DSA, but from the session options it does not. On the session preferences in the Connection settings page, the Authentication option includes RSA, Password, and TIS, but not DSA or public key (mentioned in the help file).
The RSA, TIS, and Password authentication options are SSH1 options only! You need to be sure you are selecting SSH2 for your connection type.

The public key format used by SSH protocol version 1 is completely different from that used by SSH version 2. That is why SecureCRT claims that your global key is not readable. It is an SSH2 public key, which the SSH1 protocol module cannot read.

Quote:
Once I get this to work, I am going to need to roll it out to all of our SecureCRT users. Is there any way to generate the keys on the server using OpenSSH?
You can use ssh-keygen to generate keys on the server, and they can be exported to a format that SecureCRT can read, using the -e option:
Code:
ssh-keygen -b 1024 -t dsa -f ~/.ssh/id_dsa
ssh-keygen -e -f ~/.ssh/id_dsa > ~/Identity.pub
Unfortunately, I can't find a way to convert an OpenSSH private key to a format that SecureCRT understands. There ought to be a way to do it, though...
Reply With Quote
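The two public key layouts discussed in this thread (the IETF-format block, later published as RFC 4716, and the one-line-per-key authorized_keys entry that OpenSSH reads), shown as an added Python example that is not from any poster or from VanDyke. It converts the first into the second and flags authorized_keys lines whose key data was wrapped or split, as in posts #10, #12 and #15; the function names and the sample key are constructed for illustration, and lines that begin with an options field are not handled.

```python
import base64

BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"

def blob_fields(blob):
    """Split SSH wire-format key data into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        end = pos + 4 + int.from_bytes(blob[pos:pos + 4], "big")
        if pos + 4 > len(blob) or end > len(blob):
            raise ValueError("key data is truncated")
        fields.append(blob[pos + 4:end])
        pos = end
    return fields

def ietf_to_openssh(text):
    """Turn an IETF-format public key block into one authorized_keys line."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing BEGIN/END SSH2 PUBLIC KEY markers")
    body, comment, header = [], "", None
    for ln in lines[1:-1]:
        if header is None and ":" not in ln:
            body.append(ln)                 # base64 never contains ':'
            continue
        header = ln if header is None else header + ln
        if header.endswith("\\"):           # header continues on the next line
            header = header[:-1]
            continue
        tag, _, value = header.partition(":")
        if tag.strip().lower() == "comment":
            comment = value.strip().strip('"')
        header = None
    b64 = "".join(body)
    key_type = blob_fields(base64.b64decode(b64, validate=True))[0].decode("ascii")
    return " ".join(part for part in (key_type, b64, comment) if part)

def check_line(line):
    """Return None for an intact '<type> <base64> [comment]' line, else a reason."""
    parts = line.split()
    if len(parts) < 2:
        return "expected '<type> <base64> [comment]' on one line"
    try:
        fields = blob_fields(base64.b64decode(parts[1], validate=True))
    except ValueError as exc:               # binascii.Error is a ValueError
        return f"damaged key data: {exc}"
    ok = bool(fields) and fields[0] == parts[0].encode()
    return None if ok else "type field does not match the type inside the key data"

# Constructed, non-functional stand-in for a DSA key: type name, then p, q, g, y.
_parts = [b"ssh-dss", b"\x00" + b"\xc1" * 64, b"\x00" + b"\xd2" * 20, b"\x33" * 64, b"\x44" * 64]
SAMPLE_B64 = base64.b64encode(b"".join(len(p).to_bytes(4, "big") + p for p in _parts)).decode()
SAMPLE_IETF = "\n".join([BEGIN, 'Comment: "constructed sample"',
                         *[SAMPLE_B64[i:i + 70] for i in range(0, len(SAMPLE_B64), 70)], END])
```

Running check_line over each line of an authorized_keys file catches a key that was broken by a stray space or newline during pasting, because the decoded data no longer adds up to whole length-prefixed fields.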