If two servers run different types of SSH, connecting them
can be a nightmare. To correct this, you can convert the keys.
But before that, you need to know which SSH version is running or supported on
these servers.
Secure Shell (SSH) enables remote login or remote command
execution between two hosts. An SSH connection is a cryptographically secure
communication channel. SSH ensures security by providing authentication, data
integrity, encryption, authorization, and forwarding/tunneling.
SSH1 and SSH2
SSH1 and SSH2 are totally different protocols in terms of
design and are not compatible with each other. SSH1 has a monolithic design in
which all functions, such as authentication, transport, and connection, are
packed into a single protocol, while SSH2 has a layered architecture for
extensibility and flexibility. For enhanced security, SSH2 has a MAC-based
integrity check, flexible session re-keying, fully negotiable cryptographic
algorithms, public-key certificates, etc.
Sample SSH1 public key:
ssh-dss
Sample SSH2 public key:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "1024-bit DSA, converted from OpenSSH by satyam@sing"
---- END SSH2 PUBLIC KEY ----
Verifying what SSH is running/supported
Since SSH1 and SSH2 are not compatible, you need to verify
which SSH version is running on the machines you are connecting to and from.
Option 1: /etc/ssh/sshd_config
To check which SSH version is running/supported on the local
machine, look in /etc/ssh/sshd_config for a 'Protocol 2' or 'Protocol 1,2'
line. If /etc/ssh/sshd_config has 'Protocol 2', only SSH2 is supported; if
'Protocol 1,2' is present, both SSH1 and SSH2 are supported.
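The Option 1 check can be scripted. The following is an added example, not part of the original post; the function names sshd_protocols and ssh1_disabled and the sample config are constructed for illustration. It reads the first uncommented Protocol line and reports "default" when there is none, in which case the result depends on the built-in default of the installed sshd.

```shell
#!/bin/sh
# Added example (not from the original post): report which protocol versions
# an sshd_config enables, based on its "Protocol" line.
# Prints: ssh2-only | ssh1-only | ssh1+ssh2 | default | invalid

sshd_protocols() {   # hypothetical helper name; $1 = path to an sshd_config
    awk '
    { sub(/#.*/, "") }                       # drop comments
    {
        line = $0
        sub(/^[ \t]+/, "", line)             # trim leading whitespace
        # keywords are case-insensitive; require a separator after the keyword
        if (tolower(line) !~ /^protocol([ \t=]|$)/) next
        sub(/^[A-Za-z]+[ \t]*=?[ \t]*/, "", line)   # strip keyword + separator
        gsub(/[ \t]/, "", line)
        v1 = v2 = bad = 0
        n = split(line, p, ",")
        for (i = 1; i <= n; i++) {
            if (p[i] == "1") v1 = 1
            else if (p[i] == "2") v2 = 1
            else bad = 1                     # anything other than 1 or 2
        }
        if (!v1 && !v2) bad = 1              # keyword present but no usable value
        found = 1
        exit                                 # sshd keeps the first value it reads
    }
    END {
        if (!found)        print "default"   # no Protocol line: build default applies
        else if (bad)      print "invalid"
        else if (v1 && v2) print "ssh1+ssh2"
        else if (v1)       print "ssh1-only"
        else               print "ssh2-only"
    }' "$1"
}

# Succeeds only when the file explicitly restricts the server to SSH2.
ssh1_disabled() { [ "$(sshd_protocols "$1")" = "ssh2-only" ]; }

# Constructed sample config, embedded so the example runs offline.
sample=$(mktemp)
printf '%s\n' '#Protocol 2' 'Port 22' 'protocol  2,1' 'Protocol 2' > "$sample"
echo "sample config enables: $(sshd_protocols "$sample")"
ssh1_disabled "$sample" || echo "SSH1 is not explicitly disabled in $sample"
rm -f "$sample"
```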
Option 2: ssh <-v> user@remote_server
If you want to verify the SSH version supported on a remote
machine, you can run the following to see which one connects successfully.
ssh <-v> user@remote_server
e.g. ssh -1 user@remote_server or ssh -2 user@remote_server
If the incorrect version is used, the following error is
returned: 'Protocol major versions differ: 1 vs. 2'
Option 3: sshscan
If you want to scan an entire network or a large group of
machines, sshscan can be used.
This utility may not be installed on your machine by default,
so you may need to install it before you can use it.
Option 4: ssh -V
ssh -V will give the following output:
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
Once you know the versions are incorrect, you can correct/convert the keys to be added to the ~/.ssh/authorized_keys file using the conversion methods defined here.