[CentOS] Re: 2 SSH questions

Jay Leafey jay.leafey at mindless.com
Wed Jan 11 02:10:08 UTC 2006


Robert Moskowitz wrote:
> 
> 
> Now I really believe I have something configured wrong....
> 
> On my Astaro firewall, I had to create everything manually.  As it does 
> not have a Unix adduser or secure file upload.
> 
> So I followed my working 'instructions'.
> 
> I used:
> 
> /usr/bin/ssh-keygen -X -f ~/.ssh/identity.pub >> ~/.ssh/authorized_keys2
> 
> and that worked fine on astaro, but not here.  So I changed ..._keys2 to 
> ..._keys and no help.
> 
> Oh, identity.pub was created with:
> 
> cat > ~/.ssh/identity.pub
> <copy clipboard that has public key in it>
> CNTL+D
> 
> Of course I don't know what the -X option does.  My debian friend gave 
> me that command structure...
> 

The stuff from ssh.com (which I assume includes Tectia) used a different format for the key files.  If you generated the keypair 
with Tectia (or commercial SSH) instead of OpenSSH, you'll need to convert the public key to the OpenSSH format.  If you cat out an 
OpenSSH public keyfile, you should see a single line that starts with 'ssh-dsa' or 'ssh-rsa' (depending on the key type) followed by 
a long string of what appears to be MD5-encoded information.

An SSH2 (or Tectia?) public key is a multi-line file containing the literal strings "---- BEGIN SSH2 PUBLIC KEY ----" and "---- END 
SSH2 PUBLIC KEY ----", with the actual key information in-between.

I think the -X option on ssh-keygen from SSH2/Tectia converts OpenSSH format keys to the SSH2 format.  Looks like a "right church, 
wrong pew" sort of issue.

If you generated your keypair with Tectia, copy the .pub file over to your Linux box and use ssh-keygen to convert it.  If your 
public key was named "foo.pub", here's what you'd use to append it to your authorized_keys file:

     ssh-keygen -i -f foo.pub >> ~/.ssh/authorized_keys

Make sure the permissions on the .ssh directory and its contents are appropriate.  Make sure the whole tree is owned by the 
appropriate user, too!  I usually set the .ssh directory perms to 700 and the files in it to 600, but I'm a bit paranoid.

ssh-keygen provided with the commercial version of SSH will convert the OpenSSH format to their format, too, so it's relatively easy 
to go either way.  Check the Tectia manpages... oops, never mind: Windows!  There's gotta be some docs for it SOMEWHERE.

Converting the private half of the keypair is a little tougher, as a password-protected SSH2 key can't be read by either version of 
SSH's ssh-keygen.  You'll have to remove the password protection from the private key in order to let the other SSH's version of 
ssh-keygen convert it.

Hope that helps!
-- 
Jay Leafey - Memphis, TN
jay.leafey at mindless.com
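
The conversion that `ssh-keygen -i` performs on such a file, sketched as an added example (not part of the original post and not OpenSSH's own code): it drops the BEGIN/END markers and header lines, joins the base64 body, and reads the key type from the first length-prefixed string inside the decoded blob. The function names are hypothetical, the sample key is constructed from toy numbers, and the file layout is assumed to follow RFC 4716.

```python
import base64
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def make_sample_ssh2_pubkey() -> str:
    """Build a CONSTRUCTED SSH2-format file from toy numbers (not a usable key)."""
    blob = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
            + ssh_string(b"\x00" + b"\xc3" * 64))
    b64 = base64.b64encode(blob).decode()
    body = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    header = ['Comment: "constructed sample, \\', 'not a real key"']
    return "\n".join([BEGIN] + header + body + [END]) + "\n"


def ssh2_to_openssh(text: str) -> str:
    """Convert an SSH2 public key file to a single authorized_keys line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing SSH2 PUBLIC KEY begin/end markers")
    parts, in_header = [], False
    for ln in lines[1:-1]:
        if in_header or ":" in ln:
            # Header line; a trailing backslash continues it on the next line.
            in_header = ln.endswith("\\")
            continue
        parts.append(ln)
    b64 = "".join(parts)
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key body is not valid base64") from exc
    # The key type is the first length-prefixed string inside the blob.
    n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
    if n == 0 or 4 + n > len(blob):
        raise ValueError("bad key-type length in blob")
    return f"{blob[4:4 + n].decode('ascii')} {b64}"


if __name__ == "__main__":
    print(ssh2_to_openssh(make_sample_ssh2_pubkey()))
```

Pasting a multi-line SSH2 file straight into authorized_keys fails the marker check's inverse: sshd expects the one-line form this function returns.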