On Sun, Dec 30, 2001 at 06:00:29PM -0500, Shing-Fat (Fred) Ma <[EMAIL PROTECTED]> wrote:
| I am mostly following http://www.uk.research.att.com/vnc/sshwin.html .
| Since I'm running cygwin on WinME, I'm using their built-in ssh. Its
| man page includes both protocol 1 and protocol 2. I'm accessing a
| Solaris8 box whose ssh man page seems to only have protocol 1 stuff, so
| I assume that is what is being used. In particular, the message I'm
| going to ask about relates to RSA, which seems to fall under protocol 1.

Protocol 2 uses both RSA and DSA keys. When making a personal keypair
you want to say:

	ssh-keygen -t rsa1

to make a pair for use with a protocol 1 server, and:

	ssh-keygen -t rsa
or
	ssh-keygen -t dsa

to make a pair for use with a protocol 2 server. Since I have to deal
with both I have an rsa1 key pair and a dsa key pair.

| Here is what happens when I follow the above web instructions.
| From the cygwin bash prompt, I tried both
|
|   ssh -L 5954:MachineName.doe.carleton.ca:5904 MachineName.doe.carleton.ca
|   ssh -L 5954:MachineName.doe.carleton.ca:5904 [EMAIL PROTECTED]
|
| The response is
|
|   The authenticity of host 'MachineName.doe.carleton.ca (<some IP number:>)'
|   can't be established.
|   RSA key fingerprint is <long series of 2-digit hex numbers separated by ":">
|   Are you sure you want to continue connecting (yes/no)?
|
| As per the web instructions, I checked the file /etc/ssh_host_key.pub which
| I ftp'd from MachineName.doe.carleton.ca. They do not appear the same. In
| fact, the file I ftp'd has only one line with 3 numbers followed by
| "root@MachineName". The 3rd number is almost 320 digits long and appears
| entirely decimal.

This is an unfortunate implementation flaw in ssh2 and openssh (which you
are using): they recite keys in hex only. You can convert one to the
other with the "dc" command, which does arbitrary precision arithmetic:

- copy the hex key into your cut/paste buffer
- fire up dc at your shell prompt:

	% dc

  dc has no prompt - don't worry
- type this:

	16 i

  this sets dc's input radix to 16 (to read hex values); its output
  radix is already 10 (decimal - the default)
- paste in your hex value and press return
- type this:

	p

  which should print the decimal version of that value
- compare with your target host's public key

| Also, I am not "root".

The "root@MachineName" is just a comment stuck on the server's host key
when it is made. So that's actually expected, and ok.

| So I answer "no" to continuing.

Perform the comparison above. If they match you can and should say "yes".

| At this point, I departed from the instructions. According to the ssh man
| pages for RSA authentication, I run ssh-keygen from the WinME viewer
| side, which I do from the cygwin bash prompt. I am given an RSA key
| fingerprint similar to that in the response above but with different
| digits, which I record. I then ftp'd the created file "identity.pub" to
| MachineName as "~fma/.ssh/authorized_keys" and run both of the above
| ssh commands.

Ok. You've done two things wrong here (sort of).

Ssh-keygen is giving you an rsa key for protocol two. It is of no use on
your target server because it speaks protocol 1. You can tell the two
formats apart by eye because the protocol two keys are base64 encoded
and the protocol 1 keys are decimal.

Also, you can't put protocol 2 public keys into the authorized_keys
file. You use the authorized_keys2 file (note trailing "2" on the
filename). Same idea though.

However, since you have an ssh1 server, you will be using plain
"authorized_keys", so it remains merely to make a protocol 1 key pair.
Say this:

	ssh-keygen -t rsa1

and proceed as before.

| However, the returned RSA key fingerprint is the same as before, i.e.
| differs from the one shown to me by ssh-keygen. Of course, I respond
| with "no" to that.

The RSA key fingerprint is the server host key - it will always differ
from your personal key pair. Your personal keypair is to assure the
server that it's _you_ logging in. The host key pair is to assure you
that you're actually connecting to the server you expect.

Does this make things any clearer?
--
Cameron Simpson, DoD#743        [EMAIL PROTECTED]    http://www.zip.com.au/~cs/

Network Planning Constraint Of The Month:
    You can't send bits over a non-existent link.
        - Valdis Kletnieks <[EMAIL PROTECTED]>

---------------------------------------------------------------------
To unsubscribe, mail [EMAIL PROTECTED] with the line:
'unsubscribe vnc-list' in the message BODY
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------
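Added example (editor's code, not part of the thread or of OpenSSH): the host-key check under discussion comes down to computing, from the public key file you fetched out of band, the same fingerprint the ssh client prints, and comparing the two strings. OpenSSH of this era prints the fingerprint as the MD5 digest of the raw key material, rendered as colon-separated hex; for a protocol 1 key ("bits exponent modulus comment", all decimal) the digested bytes are the modulus followed by the exponent, and for a protocol 2 key ("ssh-rsa <base64> comment") they are the decoded blob. The code below parses both formats, tells them apart by eye the way the reply describes, and re-encodes a protocol 1 key as a protocol 2 line so the two fingerprints of one key can be compared. All key lines in it are constructed for the example, not real keys; the 15-bit toy key is chosen so its digested bytes are b"abc", whose MD5 is a standard test vector.

```python
"""Fingerprint OpenSSH public key lines the way the client prints them.
Example code written for this page; the sample keys are constructed, not real."""
import base64
import hashlib
import struct
from typing import Tuple


def _int_to_bytes(n: int) -> bytes:
    """Minimal big-endian encoding, as OpenSSL's BN_bn2bin produces."""
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def _hex_colons(digest: bytes) -> str:
    """Render a digest as the 'xx:xx:...' string ssh shows."""
    return ":".join(f"{b:02x}" for b in digest)


def key_format(line: str) -> str:
    """Tell the two encodings apart by eye, as the reply suggests: protocol 1
    keys are three decimal fields, protocol 2 keys start with a type name."""
    fields = line.split()
    if len(fields) >= 3 and all(f.isdigit() for f in fields[:3]):
        return "rsa1"
    if fields and fields[0] in ("ssh-rsa", "ssh-dss"):
        return "ssh2"
    raise ValueError("not a recognised OpenSSH public key line")


def parse_rsa1(line: str) -> Tuple[int, int, int]:
    """Return (bits, e, n) from a protocol 1 'bits e n [comment]' line."""
    bits, e, n = (int(f) for f in line.split()[:3])
    return bits, e, n


def fingerprint_rsa1(line: str) -> str:
    """Protocol 1 fingerprint: MD5 over modulus bytes then exponent bytes,
    the order OpenSSH's key_fingerprint_raw() used for RSA1 keys."""
    _, e, n = parse_rsa1(line)
    return _hex_colons(hashlib.md5(_int_to_bytes(n) + _int_to_bytes(e)).digest())


def fingerprint_ssh2(line: str) -> str:
    """Protocol 2 fingerprint: MD5 over the base64-decoded key blob."""
    blob = base64.b64decode(line.split()[1])
    return _hex_colons(hashlib.md5(blob).digest())


# Protocol 2 wire encoding of the blob: RFC 4253 'string' and 'mpint'.
def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    b = _int_to_bytes(n)
    if b and b[0] & 0x80:  # positive value with top bit set needs a leading 0x00
        b = b"\x00" + b
    return _string(b)


def _read_string(blob: bytes, off: int) -> Tuple[bytes, int]:
    (length,) = struct.unpack_from(">I", blob, off)
    off += 4
    return blob[off:off + length], off + length


def rsa1_to_ssh2(line: str, comment: str = "") -> str:
    """Re-encode the same RSA key as a protocol 2 'ssh-rsa' line. The result
    belongs in authorized_keys2, and its fingerprint differs from the rsa1 one."""
    _, e, n = parse_rsa1(line)
    blob = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    out = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return out + (" " + comment if comment else "")


def parse_ssh2_rsa(line: str) -> Tuple[int, int]:
    """Return (e, n) from an 'ssh-rsa <base64> [comment]' line."""
    blob = base64.b64decode(line.split()[1])
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError(f"unexpected key type {ktype!r}")
    e_bytes, off = _read_string(blob, off)
    n_bytes, _ = _read_string(blob, off)
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


# Constructed sample data, not real keys. TOY: n = 0x6162 ("ab"), e = 0x63 ("c"),
# so the digested bytes are b"abc". SAMPLE: a 1024-bit modulus, so the line has
# a few hundred decimal digits like the /etc/ssh_host_key.pub line in the thread.
TOY_RSA1_LINE = "15 99 24930 root@MachineName"
SAMPLE_N = (1 << 1023) | (1 << 512) | 0x10001  # not a product of two primes
SAMPLE_RSA1_LINE = f"1024 35 {SAMPLE_N} root@MachineName"

if __name__ == "__main__":
    for rsa1_line in (TOY_RSA1_LINE, SAMPLE_RSA1_LINE):
        print(key_format(rsa1_line), fingerprint_rsa1(rsa1_line))
        ssh2_line = rsa1_to_ssh2(rsa1_line, "fma@viewer")
        print(key_format(ssh2_line), fingerprint_ssh2(ssh2_line))
```

To use it on a real file, pass the single line of the server's /etc/ssh_host_key.pub to fingerprint_rsa1() and compare the output character for character with the "RSA key fingerprint is ..." string the client shows; the personal identity.pub never enters this comparison, which is why its fingerprint (from ssh-keygen) will not match.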