Wednesday, March 28, 2012

SSH Debugging: Public and Private Keys

Abstract:

There have been several articles published on forwarding ports over an encrypted SSH tunnel and on setting up automatic SSH login using an encrypted SSH tunnel. This is the third in the series, discussing a particular problem where different clients experience different login symptoms while trying to log into a common server.

Solaris 10 Client Symptom:

If a Solaris 10 client cannot get a password prompt on a server, you might get the following error:

solaris10/user$ ssh badserver
no common kex alg: client
'diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1', server
'gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g=='

Solaris 9 Client Symptom:

If a Solaris 9 client cannot get a password prompt on a server, you might get the following error:

solaris9/user$ ssh badserver
no kex alg

Solaris Server Root Cause:

If the Solaris 9 and Solaris 10 clients are trying to attach to the same server, check whether the private and public ssh host keys are missing from the server's /etc/ssh directory. Without host keys, sshd cannot offer the Diffie-Hellman key exchange methods (each of them needs a host key to sign the exchange), which is why the only method left in the error above is the GSS-API one that the clients do not offer:

badserver/root# ls -al /etc/ssh
-rwxr-xr-x 1 root sys 88301 Jan 21 2005 moduli
-rwxr-xr-x 1 root sys 861 Jan 21 2005 ssh_config
-rwxr-xr-x 1 root sys 5025 Aug 6 2010 sshd_config

The /etc/ssh directory should look more like the following:

goodserver/root# ls -al /etc/ssh
-rw-r--r-- 1 root sys 88301 Jan 21 2005 moduli
-rw-r--r-- 1 root sys 861 Jan 21 2005 ssh_config
-rw------- 1 root root 668 Apr 10 2009 ssh_host_dsa_key
-rw-r--r-- 1 root root 602 Apr 10 2009 ssh_host_dsa_key.pub
-rw------- 1 root root 887 Apr 10 2009 ssh_host_rsa_key
-rw-r--r-- 1 root root 222 Apr 10 2009 ssh_host_rsa_key.pub
-rw-r--r-- 1 root sys 5372 Feb 12 21:49 sshd_config
-rw-r--r-- 1 root sys 5106 Dec 15 12:30 sshd_config.orig

Creating Server Keys:

Log into the server that is refusing connections with these errors and is missing the ssh host keys, and create the keys.

badserver/root# cd /etc/ssh
badserver/root# /lib/svc/method/sshd -c
Creating new rsa public/private host key pair
Creating new dsa public/private host key pair

badserver/root# ls -al ssh_host*key*
-rw------- 1 root root 668 Mar 28 22:26 ssh_host_dsa_key
-rw-r--r-- 1 root root 602 Mar 28 22:26 ssh_host_dsa_key.pub
-rw------- 1 root root 887 Mar 28 22:26 ssh_host_rsa_key
-rw-r--r-- 1 root root 222 Mar 28 22:26 ssh_host_rsa_key.pub

Restarting SSH Service:

Once the SSH server public and private keys have been created, the ssh service needs to be restarted so that it picks up the new host keys.

badserver/root# /usr/bin/svcs ssh
STATE STIME FMRI
online May_21 svc:/network/ssh:default
badserver/root# /usr/sbin/svcadm restart ssh

Validating Repair:

The final step in any repair is validation. In this case, an ssh login from the client is attempted:

solaris10/user$ ssh badserver
Last login: Wed Mar 28 22:48:57 2012 from solaris10
Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
INTR=Ctrl-C ERASE=Ctrl-H KILL=Ctrl-U
badserver/user$
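As an added example (not part of the original post), a portable shell audit of the conditions this article diagnoses by hand: whether each ssh_host_<type>_key / .pub pair exists, whether the private key has the -rw------- mode shown in the good listing, and, where ssh-keygen is available, whether the .pub file really belongs to the private key. The directory and key types are parameters; the defaults assume the Solaris /etc/ssh layout above (rsa and dsa keys).

```sh
#!/bin/sh
# Audit an sshd directory for host key pairs (added example, not from the
# original post). Arguments: directory (default /etc/ssh) and a space-separated
# list of key types (default "rsa dsa", the two keys the Solaris 10 sshd method
# script creates). Returns 0 when every pair passes, 1 otherwise.
check_host_keys() {
    dir="${1:-/etc/ssh}"
    types="${2:-rsa dsa}"
    rc=0
    for t in $types; do
        priv="$dir/ssh_host_${t}_key"
        pub="$priv.pub"
        if [ ! -s "$priv" ]; then
            # This is the "badserver" state: sshd has no host key to offer.
            echo "MISSING: $priv"
            rc=1
            continue
        fi
        if [ ! -s "$pub" ]; then
            echo "MISSING: $pub"
            rc=1
        fi
        # First ten characters of ls -l are the mode string, e.g. -rw-------.
        # Any permission bit in the group or other fields of a private key is a finding.
        perms=$(ls -ld "$priv" | cut -c1-10)
        case "$perms" in
            ????------) ;;
            *) echo "PERMS: $priv is $perms, expected -rw-------"; rc=1 ;;
        esac
        # Cross-check the pair: derive the public key from the private one and
        # compare key type and base64 blob with what the .pub file stores.
        if [ -s "$pub" ] && command -v ssh-keygen >/dev/null 2>&1; then
            derived=$(ssh-keygen -y -f "$priv" 2>/dev/null | cut -d' ' -f1-2)
            stored=$(cut -d' ' -f1-2 "$pub")
            if [ -z "$derived" ]; then
                echo "UNREADABLE: ssh-keygen cannot parse $priv"; rc=1
            elif [ "$derived" != "$stored" ]; then
                echo "MISMATCH: $pub does not belong to $priv"; rc=1
            fi
        fi
    done
    [ $rc -eq 0 ] && echo "OK: all host key pairs in $dir are present and sane"
    return $rc
}

# Run as a script: pass the directory to audit as the first argument.
if [ $# -gt 0 ]; then
    check_host_keys "$@"
fi
```

A non-zero exit on a server that is otherwise configured correctly points at the same repair as above: regenerate the pair and restart the ssh service.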

1 comment:

  1. Add this to the sshd_config of the destination server

    KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

    This adds some extra key exchange algorithms the older clients are using. Namely...
    diffie-hellman-group-exchange-sha1
    diffie-hellman-group1-sha1

    From http://stackoverflow.com/questions/26577494/
    And http://stackoverflow.com/questions/26424621/