Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

ssh compatability issues

25 views
Skip to first unread message

Dr. David Kirkby

unread,
Jan 27, 2003, 11:46:45 PM1/27/03
to
Hi,
I seem to be experiencing some compatability issues between the
OpenSSH supplied as part of Solaris 9 and the ssh supplied by
www.ssh.com. I wonder if anyone can suggest how to get around them,
without keeping two versions of ssh around on my home computer.

I have two systems I wish to connect.

1) A home computer, running the OpenSSH server that comes with Solaris
9.

This computer also has an older SSH Secure Shell 2.2.0 from
www.ssh.com (non commercial version).

2) A computer at the university that runs the SSH Secure Shell 2.2.0
from www.ssh.com.

I have several problems
a) I can only connect to the University's computer without passwords
if I use ssh from www.ssh.com - the same as the university uses.

b) I can only ssh to the localhost on my own home computer, which uses
the Solaris 9/OpenSSH server if I use the ssh that is part of that.
Trying to use the old ssh clients from www.ssh.com fails.

c) Neither the ssh program that comes as part of Solaris, or that from
www.ssh.com, will allow root to ssh to the localhost.

The SSH Secure Shell 2.2.0 from www.ssh.com by default uses dsa keys.
I tried generating dsa keys with the OpenSSH version of ssh-keygen,
but they still look rather different in format. For example, here is a
public key generated by

---- BEGIN SSH2 PUBLIC KEY ----
Subject: davek
Comment: "1024-bit dsa, davek@wren, Sat Apr 06 2002 11:50:28"
AAAAB3NzaC1kc3MAAACBAMtWUERvWfKhSR7OkZuttk5D9rvpbTDhBgQGojtLAKsR3BvHhX
XfS7UTjARfnmQQWxlx/TFAGbS5owxvDTGGJgaJmtBR5cP+i0Dv3uQn8H53wqRM88w2BA4F
+NDJJdlC++fpR8JA1ugnBOa2/yJ8XIF618mLlivUQPjTsQWxL8yjAAAAFQCcJXSmhvBQCq
pVyLZvsyBVGtGJgwAAAIEAvwBw33hzwFef+4b+GVVE4UHy2dOaAU34aVPfvAfeWMAnOUsz
hR7YnuHbIDeNhYBu9Nb0OVmp7LIYt9J90pEK2r0rAL9LKmKGbXHCLDYX7GhrvsJGDES7Qq
0/OJ0iv5/eUhNL+rQ7aWRBwjtH91L58H2fFcbN5nfIT+9ON+ew4LkAAACBALmrj0SXUBps
Xf8Ec6G1/Jej6VRG29WRKLG1u+DaYRdlbN45wvhufUwTaUtYq5VVaxVW/h7PPLftMkxZg1
CKBU99CZUV3yZpFj8+NNaQ1PYSQeDchVAyJ/pGeqoKp/QB3qf/es3/Bo2wqMZ3YA5TaAoz
pXGPoT2rwlLqYYfqhdMp
---- END SSH2 PUBLIC KEY ----

and here is one generated using OpenSSH's ssh-keygen.

sh-dss
AAAAB3NzaC1kc3MAAACBAI4R1oqfnBU3PMCucpnaYT5q+xvNCHx99uYsf5jU9kTTCbEIPAHE
1Z1lcMX9qtEeJWZsa9BC8IRXOYUtj3LaEGRdf6OtW7vfL/9XgkavFdE8g2EIALJPO6CdyrsiYtUFF12m
f7K2nZZ33olqr84mjUUgLzR5AmuZQPhmCi3E/DrZAAAAFQCmgNfAJLfSdMqjWfHnV7hkOu38rQAAAIEA
jgIOwV3VVR/ljpy4/cutjsC7KbNdfswXFQNbvQ7Wr063tTgKBHm+HUisRcdD4m8FL72lUQoMSOFfogc6
8uJmW7m01xTwyKoy5flInd7tdQpEeKgbeLNj70bYTf0olhzXGE5MVdRZgOXKzXYOsCQEu8SobCPVYmlO
f30L+BX8VPYAAACAcoZQS1kIAzE7W4idfrryhi8ux0+qsLBYYRt1ju+x+Y1CfJOr458Zg1uuCz2N3/6A
2oHy9K5WDbenW5y+5cdxSmN0/DWS4nfzrLcxvArOpAzAOqOoVETOIJDSabmnxicKkzKNkrDJq0QM7Dl9
tHigtL6jngq41TPWONiGlf8Ed/c= davek@sparrow


Any comments?? Suggestions? One option I have is to use the ssh server
at home from www.ssh.com, but I'd rather use open tools if possible.
The version from www.ssh.com I have is rather old and perhaps udating
it will bring me more problems!
--
Dr. David Kirkby,
Senior Research Fellow,
Department of Medical Physics,
University College London,
11-20 Capper St, London, WC1E 6JA.
Tel: 020 7679 6408 Fax: 020 7679 6269
Internal telephone: ext 46408
e-mail da...@medphys.ucl.ac.uk

Nico Kadel-Garcia

unread,
Jan 28, 2003, 12:14:58 AM1/28/03
to

"Dr. David Kirkby" <drki...@ntlworld.com> wrote in message
news:3E360B35...@ntlworld.com...

> Hi,
> I seem to be experiencing some compatability issues between the
> OpenSSH supplied as part of Solaris 9 and the ssh supplied by
> www.ssh.com. I wonder if anyone can suggest how to get around them,
> without keeping two versions of ssh around on my home computer.
>
> I have two systems I wish to connect.
>
> 1) A home computer, running the OpenSSH server that comes with Solaris
> 9.
>
> This computer also has an older SSH Secure Shell 2.2.0 from
> www.ssh.com (non commercial version).

*UPDATE THIS RIGHT NOW*. There are some old security problems with that.

> 2) A computer at the university that runs the SSH Secure Shell 2.2.0
> from www.ssh.com.

*UPDATE THIS RIGHT NOW*. Again, old security problems.


> I have several problems
> a) I can only connect to the University's computer without passwords
> if I use ssh from www.ssh.com - the same as the university uses.
>
> b) I can only ssh to the localhost on my own home computer, which uses
> the Solaris 9/OpenSSH server if I use the ssh that is part of that.
> Trying to use the old ssh clients from www.ssh.com fails.

Again, you need some updates. There have been subtle changes in both
releases. And read the manual pages on all of these systems on sshd and its
options which may be set to restrict things in ways that you are seeing
here.

> c) Neither the ssh program that comes as part of Solaris, or that from
> www.ssh.com, will allow root to ssh to the localhost.

No surprise, that's in sshd_config and is probably disabled.

> Any comments?? Suggestions? One option I have is to use the ssh server
> at home from www.ssh.com, but I'd rather use open tools if possible.
> The version from www.ssh.com I have is rather old and perhaps udating
> it will bring me more problems!

Update. It's pretty easy to do, and will make your life considerably.
Updating to OpenSSH will also, I think, be more secure and mean you only
have to have one daemon installed, not one for SSH1 and another for SSH2
that summons the SSH1 daemon as needed....


Richard E. Silverman

unread,
Jan 28, 2003, 8:49:40 AM1/28/03
to

Use ssh-keygen -e to convert your OpenSSH public key to ssh.com format,
then read the ssh2 man page about the $HOME/.ssh2/authorization file, to
see how to authorize that key on the server.

--
Richard Silverman
sl...@shore.net

ftbee

unread,
Jan 28, 2003, 9:24:01 AM1/28/03
to
1. Despite all the problems you experience now you should firstly update
both sshs to the lastest version, just as Nico has pointed out. You
should also urge other parties (your university) to update. I simply
don't see a reason not to do so, especially when the version has
security problems.

2. For the lastest versions, as I know the only compatibily problem
which is difficult to solve is the "ssh-agent forwarding", as Neil
pointed to me that SSH2 uses proprietary protocol.

3. The compatability of key formats can be solved by using ssh-keygen's
"-ef" or "-if" in OpenSSH to export OpenSSH's keys and import SSH2's keys.

Good Luck.

Dr. David Kirkby

unread,
Jan 28, 2003, 11:10:17 AM1/28/03
to
Nico Kadel-Garcia wrote:
>
> "Dr. David Kirkby" <drki...@ntlworld.com> wrote in message
> news:3E360B35...@ntlworld.com...
> > Hi,
> > I seem to be experiencing some compatability issues between the
> > OpenSSH supplied as part of Solaris 9 and the ssh supplied by
> > www.ssh.com. I wonder if anyone can suggest how to get around them,
> > without keeping two versions of ssh around on my home computer.
> >
> > I have two systems I wish to connect.
> >
> > 1) A home computer, running the OpenSSH server that comes with Solaris
> > 9.
> >
> > This computer also has an older SSH Secure Shell 2.2.0 from
> > www.ssh.com (non commercial version).
>
> *UPDATE THIS RIGHT NOW*. There are some old security problems with that.

By 'some old security problems with that' I was not sure if you meant
with the OpenSSH for Solaris or the SSH Secure Shell 2.2.0 from
www.ssh.com. However, either way I can easily update, as it's my own
computer for which I have root access.

If at all possible, I'd rather just use the OpenSSH that came with
Solaris (if necessary with security updates). I'm not aware of any
security patches from Sun related to their OpenSSH implementation.

Since I don't use it for commercial use, I can easily update the
non-commercial release from www.ssh.com. However, I'm a bit reluctant to
update this, since at least both the University and I have the same
version. We currently have two different versions, I don't want to make
the problem worst by having 3 versions on two machines!



> > 2) A computer at the university that runs the SSH Secure Shell 2.2.0
> > from www.ssh.com.
>
> *UPDATE THIS RIGHT NOW*. Again, old security problems.

I don't have root privileges on those machines and somehow don't think
I'll get it changed. Hence I'd rather configure the home machine to fit
in with those at the university.


> > I have several problems
> > a) I can only connect to the University's computer without passwords
> > if I use ssh from www.ssh.com - the same as the university uses.
> >
> > b) I can only ssh to the localhost on my own home computer, which uses
> > the Solaris 9/OpenSSH server if I use the ssh that is part of that.
> > Trying to use the old ssh clients from www.ssh.com fails.
>
> Again, you need some updates. There have been subtle changes in both
> releases. And read the manual pages on all of these systems on sshd and its
> options which may be set to restrict things in ways that you are seeing
> here.
> > c) Neither the ssh program that comes as part of Solaris, or that from
> > www.ssh.com, will allow root to ssh to the localhost.
>
> No surprise, that's in sshd_config and is probably disabled.

Thanks, that is useful to know. I wish it would be more helpful with a
message such as 'ssh access to localhost is disabled - see sshd_config'
rather than to repeatedly ask for the root password.

> > Any comments?? Suggestions? One option I have is to use the ssh server
> > at home from www.ssh.com, but I'd rather use open tools if possible.
> > The version from www.ssh.com I have is rather old and perhaps udating
> > it will bring me more problems!
>
> Update. It's pretty easy to do, and will make your life considerably.
> Updating to OpenSSH will also, I think, be more secure and mean you only
> have to have one daemon installed, not one for SSH1 and another for SSH2
> that summons the SSH1 daemon as needed....

Updating OpenSSH at home is easy. I'm already using OpenSSH for incoming
connections, but I can't update the distant machine.

--
PLEASE NOTE:

If this message was sent to a newsgroup or mailing list, please
reply to there. Personal e-mail is always welcome, but unless
I have received e-mail from you previously, you may be sent
an automatically generated reply, requesting that you send the
message again, adding a password in the subject line. Sorry,
but this action has been taken to prevent unsolicited
commercial emails (spam mail).

Dr. David Kirkby PhD,


Senior Research Fellow,
Department of Medical Physics,
University College London,
11-20 Capper St, London, WC1E 6JA.
Tel: 020 7679 6408 Fax: 020 7679 6269
Internal telephone: ext 46408
e-mail da...@medphys.ucl.ac.uk

Web page: http://www.medphys.ucl.ac.uk/~davek

Scott Howard

unread,
Jan 31, 2003, 6:52:47 AM1/31/03
to
In comp.sys.sun.admin Dr. David Kirkby <drki...@ntlworld.com> wrote:
> 1) A home computer, running the OpenSSH server that comes with Solaris
> 9.

What comes with Solaris 9 is NOT OpenSSH, it's Sun SSH, which although
based on OpenSSH is not the same thing.

> This computer also has an older SSH Secure Shell 2.2.0 from
> www.ssh.com (non commercial version).

Dump this. Upgrade to either SunSSH (if you're running Solaris 9) or
OpenSSH and all your problems with magically go away :)

Scott

0 new messages