public key problems OpenSSH3.8.1p1 to Sun_SSH_1.1 - SSH


  1. public key problems OpenSSH3.8.1p1 to Sun_SSH_1.1

    I'm having some problems trying to get a Solaris 10 box running:
    Sun_SSH_1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
    to accept a public key from a Debian box running:
    OpenSSH_3.8.1p1 Debian-8.sarge.4, OpenSSL 0.9.7e 25 Oct 2004

    (incidentally I use the same method to connect this Debian server
    to several others running Linux/FreeBSD/Solaris 8 & 9 without problems)

    Generated a DSA key on the Debian client using 'ssh-keygen -t dsa -N ""',
    copied the generated id_dsa.pub to .ssh/authorized_keys on the Solaris
    server.

    From this list, permissions on the server keys seem to be a common cause
    of failures, but these are ok:

    (On the server)
    ls -al .ssh/
    drwx------ 2 test other 512 Jul 31 15:21 .
    drwxr-xr-x 4 test other 512 Jul 31 14:37 ..
    -rw------- 1 test other 606 Jul 31 15:21 authorized_keys
    -rw-r--r-- 1 test other 219 Jul 26 12:24 known_hosts

    From the debug log below, my uneducated guess at the cause is the server
    doing:

    debug2: Starting PAM service sshd-pubkey for method publickey
    debug3: Trying to reverse map address 192.168.2.67.
    debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
    Failed publickey for test from 192.168.2.67 port 42619 ssh2

    so I've tried to force-disable DNS lookups on the Solaris server with
    'VerifyReverseMapping no' (the equivalent of 'UseDNS no' I think) but
    it doesn't help. I explicitly set some other options, although they
    default to the same:

    DSAAuthentication yes
    PubkeyAuthentication yes
    GSSAPIAuthentication no


    I've also tried an RSA key generated on the Debian box, generating
    the keys on the Solaris server and copying the private key back to the
    client instead, and trying from a Linux box running OpenSSH 4.2p1,
    but all fail (so I presume I'm missing something more
    fundamental).

    Can anyone point out what I've missed? Debug below, excuse the spam:

    debian client:

    ssh 192.168.2.76 -p 1234 -v
    OpenSSH_3.8.1p1 Debian-8.sarge.4, OpenSSL 0.9.7e 25 Oct 2004
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Connecting to 192.168.2.76 [192.168.2.76] port 1234.
    debug1: Connection established.
    debug1: identity file /home/test/.ssh/identity type -1
    debug1: identity file /home/test/.ssh/id_rsa type -1
    debug1: identity file /home/test/.ssh/id_dsa type 2
    debug1: Remote protocol version 2.0, remote software version Sun_SSH_1.1
    debug1: no match: Sun_SSH_1.1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-cbc hmac-md5 none
    debug1: kex: client->server aes128-cbc hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host '192.168.2.76' is known and matches the RSA host key.
    debug1: Found key in /home/test/.ssh/known_hosts:1
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/test/.ssh/identity
    debug1: Trying private key: /home/test/.ssh/id_rsa
    debug1: Offering public key: /home/test/.ssh/id_dsa
    debug1: Server accepts key: pkalg ssh-dss blen 434
    debug1: read PEM private key done: type DSA
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: keyboard-interactive
    Password:

    solaris server:

    /usr/lib/ssh/sshd -f ./sshd_config -p 1234 -ddd
    debug1: sshd version Sun_SSH_1.1
    debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
    debug1: read PEM private key done: type RSA
    debug1: private host key: #0 type 1 RSA
    debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
    debug1: read PEM private key done: type DSA
    debug1: private host key: #1 type 2 DSA
    debug1: Bind to port 1234 on ::.
    Server listening on :: port 1234.
    debug1: Server will not fork when running in debugging mode.
    Connection from 192.168.2.67 port 42619
    debug1: Client protocol version 2.0; client software version OpenSSH_3.8.1p1 Debian-8.sarge.4
    debug1: match: OpenSSH_3.8.1p1 Debian-8.sarge.4 pat OpenSSH_3.6*,OpenSSH_3.7*,OpenSSH_3.8*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-Sun_SSH_1.1
    debug1: list_hostkey_types: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc
    debug2: kex_parse_kexinit: aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib
    debug2: kex_parse_kexinit: none,zlib
    debug2: kex_parse_kexinit: ar-EG,ar-SA,cs-CZ,de,de-DE,en-US,es,es-ES,fi-FI,fr,fr-BE,fr-FR,he-IL,hi-IN,hu-HU,it,it-IT,ja-JP,ko,ko-KR,pl,pl-PL,pt-BR,ru,ru-RU,sv,sv-SE,th-TH,tr-TR,zh,zh-CN,zh-HK,zh-TW,ar,bg-BG,ca,ca-ES,cz,da,da-DK,de-AT,de-CH,el,el-GR,en-AU,en-CA,en-GB,en-IE,en-NZ,es-AR,es-BO,es-CL,es-CO,es-CR,es-EC,es-GT,es-MX,es-NI,es-PA,es-PE,es-PY,es-SV,es-UY,es-VE,et,et-EE,fi,fr-CA,fr-CH,he,hr-HR,hu,is-IS,ja,lt,lt-LT,lv,lv-LV,mk-MK,nl,nl-BE,nl-NL,no,no-NO,no-NY,nr,pt,pt-PT,ro-RO,sh-BA,sk-SK,sl-SI,sq-AL,sr-SP,sr-YU,th,tr,i-default
    debug2: kex_parse_kexinit: ar-EG,ar-SA,cs-CZ,de,de-DE,en-US,es,es-ES,fi-FI,fr,fr-BE,fr-FR,he-IL,hi-IN,hu-HU,it,it-IT,ja-JP,ko,ko-KR,pl,pl-PL,pt-BR,ru,ru-RU,sv,sv-SE,th-TH,tr-TR,zh,zh-CN,zh-HK,zh-TW,ar,bg-BG,ca,ca-ES,cz,da,da-DK,de-AT,de-CH,el,el-GR,en-AU,en-CA,en-GB,en-IE,en-NZ,es-AR,es-BO,es-CL,es-CO,es-CR,es-EC,es-GT,es-MX,es-NI,es-PA,es-PE,es-PY,es-SV,es-UY,es-VE,et,et-EE,fi,fr-CA,fr-CH,he,hr-HR,hu,is-IS,ja,lt,lt-LT,lv,lv-LV,mk-MK,nl,nl-BE,nl-NL,no,no-NO,no-NY,nr,pt,pt-PT,ro-RO,sh-BA,sk-SK,sl-SI,sq-AL,sr-SP,sr-YU,th,tr,i-default
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug1: Failed to acquire GSS-API credentials for any mechanisms (No credentials were supplied, or the credentials were unavailable or inaccessible
    Unknown code 0
    )
    debug1: SSH2_MSG_KEXINIT sent
    debug3: kex_reset_dispatch -- should we dispatch_set(KEXINIT) here? 0 && !0
    debug1: SSH2_MSG_KEXINIT received
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc
    debug2: kex_parse_kexinit: aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib
    debug2: kex_parse_kexinit: none,zlib
    debug2: kex_parse_kexinit: ar-EG,ar-SA,cs-CZ,de,de-DE,en-US,es,es-ES,fi-FI,fr,fr-BE,fr-FR,he-IL,hi-IN,hu-HU,it,it-IT,ja-JP,ko,ko-KR,pl,pl-PL,pt-BR,ru,ru-RU,sv,sv-SE,th-TH,tr-TR,zh,zh-CN,zh-HK,zh-TW,ar,bg-BG,ca,ca-ES,cz,da,da-DK,de-AT,de-CH,el,el-GR,en-AU,en-CA,en-GB,en-IE,en-NZ,es-AR,es-BO,es-CL,es-CO,es-CR,es-EC,es-GT,es-MX,es-NI,es-PA,es-PE,es-PY,es-SV,es-UY,es-VE,et,et-EE,fi,fr-CA,fr-CH,he,hr-HR,hu,is-IS,ja,lt,lt-LT,lv,lv-LV,mk-MK,nl,nl-BE,nl-NL,no,no-NO,no-NY,nr,pt,pt-PT,ro-RO,sh-BA,sk-SK,sl-SI,sq-AL,sr-SP,sr-YU,th,tr,i-default
    debug2: kex_parse_kexinit: ar-EG,ar-SA,cs-CZ,de,de-DE,en-US,es,es-ES,fi-FI,fr,fr-BE,fr-FR,he-IL,hi-IN,hu-HU,it,it-IT,ja-JP,ko,ko-KR,pl,pl-PL,pt-BR,ru,ru-RU,sv,sv-SE,th-TH,tr-TR,zh,zh-CN,zh-HK,zh-TW,ar,bg-BG,ca,ca-ES,cz,da,da-DK,de-AT,de-CH,el,el-GR,en-AU,en-CA,en-GB,en-IE,en-NZ,es-AR,es-BO,es-CL,es-CO,es-CR,es-EC,es-GT,es-MX,es-NI,es-PA,es-PE,es-PY,es-SV,es-UY,es-VE,et,et-EE,fi,fr-CA,fr-CH,he,hr-HR,hu,is-IS,ja,lt,lt-LT,lv,lv-LV,mk-MK,nl,nl-BE,nl-NL,no,no-NO,no-NY,nr,pt,pt-PT,ro-RO,sh-BA,sk-SK,sl-SI,sq-AL,sr-SP,sr-YU,th,tr,i-default
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib
    debug2: kex_parse_kexinit: none,zlib
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: mac_init: found hmac-md5
    debug1: kex: client->server aes128-cbc hmac-md5 none
    debug2: mac_init: found hmac-md5
    debug1: kex: server->client aes128-cbc hmac-md5 none
    debug1: Peer sent proposed langtags, ctos:
    debug1: Peer sent proposed langtags, stoc:
    debug1: We proposed langtags, ctos: ar-EG,ar-SA,cs-CZ,de,de-DE,en-US,es,es-ES,fi-FI,fr,fr-BE,fr-FR,he-IL,hi-IN,hu-HU,it,it-IT,ja-JP,ko,ko-KR,pl,pl-PL,pt-BR,ru,ru-RU,sv,sv-SE,th-TH,tr-TR,zh,zh-CN,zh-HK,zh-TW,ar,bg-BG,ca,ca-ES,cz,da,da-DK,de-AT,de-CH,el,el-GR,en-AU,en-CA,en-GB,en-IE,en-NZ,es-AR,es-BO,es-CL,es-CO,es-CR,es-EC,es-GT,es-MX,es-NI,es-PA,es-PE,es-PY,es-SV,es-UY,es-VE,et,et-EE,fi,fr-CA,fr-CH,he,hr-HR,hu,is-IS,ja,lt,lt-LT,lv,lv-LV,mk-MK,nl,nl-BE,nl-NL,no,no-NO,no-NY,nr,pt,pt-PT,ro-RO,sh-BA,sk-SK,sl-SI,sq-AL,sr-SP,sr-YU,th,tr,i-default
    debug1: We proposed langtags, stoc: ar-EG,ar-SA,cs-CZ,de,de-DE,en-US,es,es-ES,fi-FI,fr,fr-BE,fr-FR,he-IL,hi-IN,hu-HU,it,it-IT,ja-JP,ko,ko-KR,pl,pl-PL,pt-BR,ru,ru-RU,sv,sv-SE,th-TH,tr-TR,zh,zh-CN,zh-HK,zh-TW,ar,bg-BG,ca,ca-ES,cz,da,da-DK,de-AT,de-CH,el,el-GR,en-AU,en-CA,en-GB,en-IE,en-NZ,es-AR,es-BO,es-CL,es-CO,es-CR,es-EC,es-GT,es-MX,es-NI,es-PA,es-PE,es-PY,es-SV,es-UY,es-VE,et,et-EE,fi,fr-CA,fr-CH,he,hr-HR,hu,is-IS,ja,lt,lt-LT,lv,lv-LV,mk-MK,nl,nl-BE,nl-NL,no,no-NO,no-NY,nr,pt,pt-PT,ro-RO,sh-BA,sk-SK,sl-SI,sq-AL,sr-SP,sr-YU,th,tr,i-default
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
    debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
    debug1: dh_gen_key: priv key bits set: 139/256
    debug1: bits set: 477/1024
    debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
    debug1: bits set: 530/1024
    debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
    debug2: kex_derive_keys
    debug3: kex_reset_dispatch -- should we dispatch_set(KEXINIT) here? 0 && !0
    debug1: newkeys: mode 1
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: newkeys: mode 0
    debug1: SSH2_MSG_NEWKEYS received
    debug1: KEX done
    debug1: userauth-request for user test service ssh-connection method none
    debug1: attempt 0 initial attempt 0 failures 0 initial failures 0
    debug2: input_userauth_request: setting up authctxt for test
    debug2: input_userauth_request: try method none
    Failed none for test from 192.168.2.67 port 42619 ssh2
    debug1: userauth-request for user test service ssh-connection method publickey
    debug1: attempt 1 initial attempt 0 failures 1 initial failures 0
    debug2: input_userauth_request: try method publickey
    debug1: test whether pkalg/pkblob are acceptable
    debug1: temporarily_use_uid: 100/1 (e=0/0)
    debug1: trying public key file /export/home/test/.ssh/authorized_keys
    debug3: secure_filename: checking '/export/home/test/.ssh'
    debug3: secure_filename: checking '/export/home/test'
    debug3: secure_filename: terminating check at '/export/home/test'
    debug1: matching key found: file /export/home/test/.ssh/authorized_keys, line 1
    Found matching DSA key: f6:59:80:3c:9d:70:dc:16:64:52:e1:aa:c1:67:1d:b1
    debug1: restore_uid: 0/0
    debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
    debug1: userauth-request for user test service ssh-connection method publickey
    debug1: attempt 2 initial attempt 0 failures 1 initial failures 0
    debug2: input_userauth_request: try method publickey
    debug1: temporarily_use_uid: 100/1 (e=0/0)
    debug1: trying public key file /export/home/test/.ssh/authorized_keys
    debug3: secure_filename: checking '/export/home/test/.ssh'
    debug3: secure_filename: checking '/export/home/test'
    debug3: secure_filename: terminating check at '/export/home/test'
    debug1: matching key found: file /export/home/test/.ssh/authorized_keys, line 1
    Found matching DSA key: f6:59:80:3c:9d:70:dc:16:64:52:e1:aa:c1:67:1d:b1
    debug1: restore_uid: 0/0
    debug1: ssh_dss_verify: signature correct
    debug2: Starting PAM service sshd-pubkey for method publickey
    debug3: Trying to reverse map address 192.168.2.67.
    debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
    Failed publickey for test from 192.168.2.67 port 42619 ssh2
    debug1: userauth-request for user test service ssh-connection method keyboard-interactive
    debug1: attempt 3 initial attempt 0 failures 3 initial failures 0
    debug2: input_userauth_request: try method keyboard-interactive
    debug1: keyboard-interactive devs
    debug2: Starting PAM service sshd-kbdint for method keyboard-interactive
    debug2: Calling pam_authenticate()
    debug2: PAM echo off prompt: Password:



  2. Re: public key problems OpenSSH3.8.1p1 to Sun_SSH_1.1


    > From this list, permissions on the server keys seem to be a common cause
    > of failures, but these are ok:
    >
    > (On the server
    > ls -al .ssh/
    > drwx------ 2 test other 512 Jul 31 15:21 .
    > drwxr-xr-x 4 test other 512 Jul 31 14:37 ..
    > -rw------- 1 test other 606 Jul 31 15:21 authorized_keys
    > -rw-r--r-- 1 test other 219 Jul 26 12:24 known_hosts
    >


    Home directory as well?

    The server debug log gives more information about publickey authentication.

    --
    Richard Silverman
    res@qoxp.net


  3. Re: public key problems OpenSSH3.8.1p1 to Sun_SSH_1.1

    On 2006-07-31, Dan wrote:
    > I'm having some problems trying to get a Solaris 10 box running:
    > Sun_SSH_1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
    > to accept a public key from a Debian box running:
    > OpenSSH_3.8.1p1 Debian-8.sarge.4, OpenSSL 0.9.7e 25 Oct 2004

    [...]
    > solaris server:

    [...]
    > debug1: matching key found: file /export/home/test/.ssh/authorized_keys, line 1
    > Found matching DSA key: f6:59:80:3c:9d:70:dc:16:64:52:e1:aa:c1:67:1d:b1
    > debug1: restore_uid: 0/0
    > debug1: ssh_dss_verify: signature correct
    > debug2: Starting PAM service sshd-pubkey for method publickey
    > debug3: Trying to reverse map address 192.168.2.67.
    > debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
    > Failed publickey for test from 192.168.2.67 port 42619 ssh2


    This looks like the public-key authentication was successful but I would
    guess that the PAM account check failed (take a look at wherever PAM
    sends its messages). SunSSH uses a separate PAM config for each SSH
    authentication type (in this case, "sshd-pubkey"), so you may want to
    check the PAM config for that.

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
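
Added example, not part of the thread: a triage filter for a server-side `sshd -ddd` log that reports how far the publickey attempt got, which is the reading applied to the quoted lines above. The function name `classify_pubkey_failure` and the verdict strings are hypothetical; the sample log is constructed from the server lines quoted in the thread.

```shell
#!/bin/sh
# Constructed sample: the server-side lines for the failing attempt, as
# quoted in the thread.
sample_log() {
cat <<'EOF'
debug1: trying public key file /export/home/test/.ssh/authorized_keys
debug1: matching key found: file /export/home/test/.ssh/authorized_keys, line 1
debug1: restore_uid: 0/0
debug1: ssh_dss_verify: signature correct
debug2: Starting PAM service sshd-pubkey for method publickey
debug3: Trying to reverse map address 192.168.2.67.
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
Failed publickey for test from 192.168.2.67 port 42619 ssh2
EOF
}

# classify_pubkey_failure < server-debug-log
# Prints one verdict describing the last stage the publickey attempt reached.
classify_pubkey_failure() {
  awk '
    # File/directory permission check rejected authorized_keys or a parent.
    /Authentication refused: bad ownership or modes/ { perms = 1 }
    # The offered key is listed in authorized_keys.
    /matching key found:/                            { key = 1 }
    # The client proved possession of the private key.
    /_verify: signature correct/                     { sig = 1 }
    # Remember which PAM service name was consulted after the signature.
    /Starting PAM service .* for method publickey/   { pam = $5 }
    /^[ \t]*Accepted publickey for /                 { ok = 1 }
    END {
      if (ok)          print "accepted"
      else if (perms)  print "bad-permissions"
      else if (!key)   print "no-matching-key"
      else if (!sig)   print "signature-not-verified"
      # Key and signature were fine: the rejection came from a later check.
      else             print "rejected-after-signature" (pam != "" ? ":" pam : "")
    }'
}

sample_log | classify_pubkey_failure
```

A verdict of `rejected-after-signature:sshd-pubkey` means the key material and file permissions are not the problem, so the next place to look is the PAM stack for that service name.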

  4. Re: public key problems OpenSSH3.8.1p1 to Sun_SSH_1.1

    On Mon, 31 Jul 2006 21:32:58 +0000, Darren Tucker wrote:

    > This looks like the public-key authentication was successful but I would
    > guess that the PAM account check failed (take a look at wherever PAM
    > sends its messages). SunSSH uses a separate PAM config for each SSH
    > authentication type (in this case, "sshd-pubkey"), so you may want to
    > check the PAM config for that.


    I did wonder about the PAM config (not something I'm familiar with at all).
    Do you know if Sun_SSH_1.1 should have some explicit PAM config
    for ssh? I compared a solaris10 pam.conf with a solaris8 and neither have
    explicit entries for ssh, although public key authentication works fine on
    the sol8 box. I can't find any PAM or general authentication errors in
    /var/adm/, /var/log/ etc.

    Any idea what the sshd-pubkey PAM entry would look like? If I knew which
    module to point it at, I think I could enable debug.

    Oh, Richard - homedir has correct ownership/perms (755).

    --
    Dan

  5. Re: public key problems OpenSSH3.8.1p1 to Sun_SSH_1.1

    On 2006-08-01, Dan wrote:
    > I did wonder about the PAM config (not something I'm familiar with at all)
    > Do you know if Sun_SSH_1.1 should have some explicit PAM config
    > for ssh? I compared a solaris10 pam.conf with a solaris8 and neither have
    > explicit entries for ssh, although public key authentication works fine on
    > the sol8 box.


    If it doesn't have an explicit entry from sshd-pubkey then it will default
    to using the "other" service.

    > I can't find any PAM or general authentication errors in
    > /var/adm/, /var/log/ etc.
    >
    > Any idea what the sshd-pubkey PAM entry would look like? if I knew which
    > module to point it at, I think I could enable debug


    I don't have Solaris 10 but assuming the pam.conf in the OpenSolaris cvs
    tree is the same, then all you'd need to do is copy all of the "other"
    lines and replace "other" with "sshd-pubkey".

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
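
Added example, not part of the thread: the two steps discussed above for a `pam.conf`, first listing which entries apply to a service when it falls back to "other", then generating explicit lines copied from "other". The function names `effective_stack` and `clone_other` are hypothetical, the `pam.conf` fragment is a constructed sample in the Solaris column layout, and the fallback is assumed to be applied per module type.

```shell
#!/bin/sh
# Constructed sample, not the poster's file. Columns:
#   service  module_type  control_flag  module_path  [options]
sample_pam_conf() {
cat <<'EOF'
# constructed sample
login        auth     required   pam_unix_auth.so.1
other        auth     requisite  pam_authtok_get.so.1
other        auth     required   pam_unix_auth.so.1
other        account  requisite  pam_roles.so.1
other        account  required   pam_unix_account.so.1
other        session  required   pam_unix_session.so.1
sshd-kbdint  account  required   pam_unix_account.so.1
EOF
}

# effective_stack SERVICE < pam.conf
# For each module type, print the entries that apply to SERVICE: its own
# entries when it has any for that type, otherwise the "other" entries
# (assumption: fallback is per module type).
effective_stack() {
  awk -v svc="$1" '
    /^[ \t]*#/ || NF < 4 { next }
    $1 == svc     { own[$2] = own[$2] $0 "\n" }
    $1 == "other" { dfl[$2] = dfl[$2] $0 "\n" }
    END {
      n = split("auth account session password", types, " ")
      for (i = 1; i <= n; i++) {
        t = types[i]
        if (t in own)      printf "%s", own[t]
        else if (t in dfl) printf "%s", dfl[t]
      }
    }'
}

# clone_other SERVICE < pam.conf
# Emit explicit SERVICE lines copied from "other", skipping module types
# for which SERVICE already has its own entries, so nothing is duplicated.
clone_other() {
  awk -v svc="$1" '
    /^[ \t]*#/ || NF < 4 { next }
    $1 == svc     { have[$2] = 1 }
    $1 == "other" { line = $0; sub(/other/, svc, line); out[++n] = line; typ[n] = $2 }
    END { for (i = 1; i <= n; i++) if (!(typ[i] in have)) print out[i] }'
}

# Review the generated lines before appending them to the real file.
sample_pam_conf | clone_other sshd-pubkey
```

The cloned lines run the same modules as the fallback does; what they add is a service-specific place to attach module options while debugging.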

  6. Re: public key problems OpenSSH3.8.1p1 to Sun_SSH_1.1

    Hi,

    Do both your accounts have a password? Setting the password solved
    the problem for me.

    Good luck
    Golo

    Darren Tucker wrote:
    > On 2006-08-01, Dan wrote:
    > > I did wonder about the PAM config (not something I'm familiar with at all)
    > > Do you know if Sun_SSH_1.1 should have some explicit PAM config
    > > for ssh? I compared a solaris10 pam.conf with a solaris8 and neither have
    > > explicit entries for ssh, although public key authentication works fine on
    > > the sol8 box.

    >
    > If it doesn't have an explicit entry from sshd-pubkey then it will default
    > to using the "other" service.
    >
    > > I can't find any PAM or general authentication errors in
    > > /var/adm/, /var/log/ etc.
    > >
    > > Any idea what the sshd-pubkey PAM entry would look like? if I knew which
    > > module to point it at, I think I could enable debug

    >
    > I don't have Solaris 10 but assuming the pam.conf in the OpenSolaris cvs
    > tree is the same, then all you'd need to do is copy all of the "other"
    > lines and replace "other" with "sshd-pubkey".
    >
    > --
    > Darren Tucker (dtucker at zip.com.au)
    > GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    > Good judgement comes with experience. Unfortunately, the experience
    > usually comes from bad judgement.


