Hello,

Just installed SuSE 8.0 and cannot get ssh to work.

I can ssh *into* my new system, but not *out* to another system. I am using the very same configuration files and keys I have on my SuSE 7.3 system where it all works fine. This includes my ~/.ssh directory and the /etc/ssh directory -- all copied from the 7.3 system to the new 8.0 system.

Here is what I get (from the new SuSE 8.0 system to another, unrelated, SuSE system):

    ssh thinkpad
    Permission denied (publickey).

I get the same problem if I delete the .ssh directory.

I must be connecting to the other system because if I try to ssh to a system that is not running sshd I get a different error:

    ssh windowsbox
    ssh: connect to address 192.168.0.3 port 22: Connection refused

--
Robert C. Paulsen, Jr.
robert@paulsenonline.net
Now that my desktop stays put I have a couple of other questions.

1. If I print a multipage ascii document to my HP IIP the second and subsequent pages have the text just about 1/16" too close to the upper edge of the printable area and get chopped. I have found no place where I can globally adjust printing borders. Is there any such thing, even if it means getting arcane with filter files and such?

2. I have SAMBA installed and have modified the smb.conf file to coincide to one I had in 7.1 that was working fine. I can see my linux host box in the network neighborhood on my wife's Win98 box. When I try to open it I get a dialog that says I need a password to access my linux box. I have looked in the Suse docs and gotten out my ORA book on SAMBA but I can't figure what it wants. I have tried all the passwords associated with either system.

Any help with either of these problems would be appreciated.

Scott
Robert Paulsen [ 28.04.2002 21:11:14 -0500]:

> Just installed SuSE 8.0 and cannot get ssh to work.
>
> I can ssh *into* my new system, but not *out* to another system. I am using the very same configuration files and keys I have on my SuSE 7.3

Sorry, but the answer is RTFM.

Did you read the mail sent to root about the changes in ssh? It doesn't seem so, as otherwise you'd have noticed that protocol 2 is now the default, which uses different keys (id_dsa or id_rsa). There is also a tool to convert the keys if you want to.

If you want to continue using your old keys, either change your ~/.ssh/options to use protocol 1 or specify that in the call to ssh:

    ssh -1 thinkpad

For more information refer to the ssh manpage.

Philipp
On Mon, Apr 29, 2002 at 05:03:45AM +0200, Philipp Thomas wrote:

> Robert Paulsen [ 28.04.2002 21:11:14 -0500]:
>
> > Just installed SuSE 8.0 and cannot get ssh to work.
> >
> > I can ssh *into* my new system, but not *out* to another system. I am using the very same configuration files and keys I have on my SuSE 7.3
>
> Sorry, but the answer is RTFM.

BZZT! Wrong answer, but thanks for playing.

I did RTFM. And I am using protocol 2. And no, this hasn't changed between 7.3 and 8.0 as far as I can tell. The mail message said that the changes started in 2.9p1, which is what I have in 7.3, either from the original install or from YOU.

> Did you read the mail sent to root about the changes in ssh? It doesn't seem so, as otherwise you'd have noticed that protocol 2 is now the default, which uses different keys (id_dsa or id_rsa). There is also a tool to convert the keys if you want to.
>
> If you want to continue using your old keys, either change your ~/.ssh/options to use protocol 1 or specify that in the call to ssh:
>
>     ssh -1 thinkpad
>
> For more information refer to the ssh manpage.

--
Robert C. Paulsen, Jr.
robert@paulsenonline.net
On Sun, Apr 28, Robert C. Paulsen Jr. wrote:

> On Mon, Apr 29, 2002 at 05:03:45AM +0200, Philipp Thomas wrote:
>
> > Robert Paulsen [ 28.04.2002 21:11:14 -0500]:
> >
> > > Just installed SuSE 8.0 and cannot get ssh to work.
> > >
> > > I can ssh *into* my new system, but not *out* to another system. I am using the very same configuration files and keys I have on my SuSE 7.3
> >
> > Sorry, but the answer is RTFM.
>
> BZZT! Wrong answer, but thanks for playing.
>
> I did RTFM. And I am using protocol 2. And no, this hasn't changed between 7.3 and 8.0 as far as I can tell. The mail message said that the changes

You are wrong here, it has changed. In 7.3, protocol 1 was the default. In 8.0, protocol 2 is the default. You can trust us, we made this change.

> started in 2.9p1, which is what I have in 7.3, either from the original install or from YOU.

This doesn't matter, as long as you did not change the default protocol version in your configuration yourself.

> > Did you read the mail sent to root about the changes in ssh? It doesn't seem so, as otherwise you'd have noticed that protocol 2 is now the default, which uses different keys (id_dsa or id_rsa). There is also a tool to convert the keys if you want to.
> >
> > If you want to continue using your old keys, either change your ~/.ssh/options to use protocol 1 or specify that in the call to ssh:
> >
> >     ssh -1 thinkpad

Did you try this or not? If yes, does it help? If not, why didn't you try it?

  Thorsten

--
Thorsten Kukuk http://www.suse.de/~kukuk/ kukuk@suse.de
SuSE Linux AG Deutschherrnstr. 15-19 D-90429 Nuernberg
--------------------------------------------------------------------
Key fingerprint = A368 676B 5E1B 3E46 CFCE 2D97 F8FD 4E23 56C6 FB4B
On Mon, Apr 29, 2002 at 11:29:53AM +0200, Thorsten Kukuk wrote:

> On Sun, Apr 28, Robert C. Paulsen Jr. wrote:
>
> > On Mon, Apr 29, 2002 at 05:03:45AM +0200, Philipp Thomas wrote:
> >
> > > Robert Paulsen [ 28.04.2002 21:11:14 -0500]:
> > >
> > > > Just installed SuSE 8.0 and cannot get ssh to work.
> > > >
> > > > I can ssh *into* my new system, but not *out* to another system. I am using the very same configuration files and keys I have on my SuSE 7.3
> > >
> > > Sorry, but the answer is RTFM.
> >
> > BZZT! Wrong answer, but thanks for playing.
> >
> > I did RTFM. And I am using protocol 2. And no, this hasn't changed between 7.3 and 8.0 as far as I can tell. The mail message said that the changes
>
> You are wrong here, it has changed. In 7.3, protocol 1 was the default. In 8.0, protocol 2 is the default. You can trust us, we made this change.
>
> > started in 2.9p1, which is what I have in 7.3, either from the original install or from YOU.
>
> This doesn't matter, as long as you did not change the default protocol version in your configuration yourself.
>
> > > Did you read the mail sent to root about the changes in ssh? It doesn't seem so, as otherwise you'd have noticed that protocol 2 is now the default, which uses different keys (id_dsa or id_rsa). There is also a tool to convert the keys if you want to.
> > >
> > > If you want to continue using your old keys, either change your ~/.ssh/options to use protocol 1 or specify that in the call to ssh:
> > >
> > >     ssh -1 thinkpad
>
> Did you try this or not? If yes, does it help? If not, why didn't you try it?

"ssh -1 thinkpad" reports "Protocol major versions differ: 1 vs. 2".

But your comments above about the default changing from 1 to 2 made me think. My .ssh/config consisted of a single line:

    Protocol 2

I figured that if 2 was the default I didn't need that line. I took it out and things started working. I can't explain it, but it works.

All my systems have the following config files:

/etc/ssh/ssh_config:

    Host *
    ForwardX11 yes
    Protocol 2,1

/etc/ssh/sshd_config:

    Port 22
    Protocol 2
    HostKey /etc/ssh/ssh_host_key
    HostKey /etc/ssh/ssh_host_dsa_key
    KeyRegenerationInterval 3600
    ServerKeyBits 768
    SyslogFacility AUTH
    LogLevel INFO
    LoginGraceTime 600
    PermitRootLogin no
    StrictModes yes
    RSAAuthentication no
    PubkeyAuthentication yes
    RhostsAuthentication no
    IgnoreRhosts yes
    RhostsRSAAuthentication no
    HostbasedAuthentication no
    PasswordAuthentication no
    PermitEmptyPasswords no
    ChallengeResponseAuthentication no
    X11Forwarding yes
    X11DisplayOffset 10
    PrintMotd yes
    KeepAlive yes

--
Robert C. Paulsen, Jr.
robert@paulsenonline.net
old -> paulsen@texas.net
"Robert C. Paulsen Jr." [ 28.04.2002 22:18:16 -0500]:
> > Sorry, but the answer is RTFM.
>
> BZZT! Wrong answer, but thanks for playing.

Sorry, maybe I was a bit too harsh in my reply.

> I did RTFM. And I am using protocol 2. And no, this hasn't changed between 7.3 and 8.0 as far as I can tell.

Oh yes, it has, in that starting with 8.0 we're using protocol version 2 by *default*. ~/.ssh/identity, ~/.ssh/identity.pub will be ignored by Version 2, as it uses ~/.ssh/id_[dr]sa, ~/.ssh/id_[dr]sa.pub instead.

As soon as you want to do ssh from a Client that defaults to V2 (SuSE 8.0) to a Server that also supports V2, the protocol that is used is Version 2. This means that the Version 1 files ~/.ssh/identity, ~/.ssh/identity.pub are ignored and Version 1 keys in ~/.ssh/authorized_keys as well.

Fortunately, there is an upgrade path from Protocol version 1 to 2:

    cd ~/.ssh
    ssh-keyconverter -k identity
      -> You need to enter the passphrase of ./identity here!
    ssh-keyconverter -a authorized_keys

and add id_rsa.pub to authorized_keys of all accounts that you use like you do with identity.pub for Version 1. If you run openssh < 2.9.9p1 on the remote side you have to add it to authorized_keys2.

Does that help?

Philipp
On Tue, Apr 30, 2002 at 10:14:50AM +0200, Philipp Thomas wrote:

> "Robert C. Paulsen Jr." [ 28.04.2002 22:18:16 -0500]:
>
> > > Sorry, but the answer is RTFM.
> >
> > BZZT! Wrong answer, but thanks for playing.
>
> Sorry, maybe I was a bit too harsh in my reply.

OK, apology accepted -- I guess I was also a little over sensitive. Sorry about that.

> > I did RTFM. And I am using protocol 2. And no, this hasn't changed between 7.3 and 8.0 as far as I can tell.
>
> Oh yes, it has, in that starting with 8.0 we're using protocol version 2 by *default*. ~/.ssh/identity, ~/.ssh/identity.pub will be ignored by Version 2, as it uses ~/.ssh/id_[dr]sa, ~/.ssh/id_[dr]sa.pub instead.
But, things are still not exactly as you describe. (And, also note that all my keys are dsa and I have been using protocol 2 for a long time already.) With a little experimentation I have found the following:

BOTTOM LINE:

If ~/.ssh/config file exists with the line "Protocol 2", ssh *insists* on using id_dsa. Without that line in the config file, ssh will use "identity" if it exists and "id_dsa" if identity does not exist. It uses "identity" even if it is using protocol 2.

MY PROBLEM:

I had a config file with "Protocol 2" but my key was in a file named other than "id_dsa". I had a soft link to the key file named "identity". With the older ssh the "identity" soft link is honored. With the new ssh the "identity" soft link is ignored (given that I had "Protocol 2" in the config file).

SOLUTIONS:

Either of the following works:

1. Remove the "Protocol 2" line and the identity soft link is honored.
2. Name my key files id_dsa and id_dsa.pub.

==============[ details of my experiments follow ]=============================

(All run on SuSE 8.0.)

Here is the original content of my .ssh directory:

    -rw-r--r--  1 robert users  593 Apr 27 16:21 authorized_keys
    -rw-r--r--  1 robert users   11 Apr 30 05:25 config
    -rw-------  1 robert users  736 Apr 27 16:21 id_rcp
    -rw-r--r--  1 robert users  593 Apr 27 16:21 id_rcp.pub
    lrwxrwxrwx  1 robert users    6 Apr 30 05:21 identity -> id_rcp
    -rw-r--r--  1 robert users 1221 Apr 28 20:28 known_hosts

Note that I use *different names* for the key files (not id_dsa and id_dsa.pub).

The content of the "config" file is one line:

    Protocol 2

With the above I cannot ssh out of the box when using 8.0 (but works OK with 7.3):

    ssh thinkpad
    Permission denied (publickey).

Now here is the odd thing. If I simply delete the config file (not needed since protocol 2 is the default), it all starts working. Note that ssh does *not* ignore the identity file:

    ssh thinkpad
    Enter passphrase for key '/home/robert/.ssh/identity':

Based on your description I changed things to look like this:

    -rw-r--r--  1 robert users  593 Apr 27 16:21 authorized_keys
    -rw-r--r--  1 robert users   11 Apr 30 05:17 config
    -rw-------  1 robert users  736 Apr 27 16:21 id_dsa
    -rw-r--r--  1 robert users  593 Apr 27 16:21 id_dsa.pub
    -rw-r--r--  1 robert users 1221 Apr 28 20:28 known_hosts

And that works, too:

    ssh thinkpad
    Enter passphrase for key '/home/robert/.ssh/id_dsa':

Note that it now uses id_dsa instead of identity.

If I add a soft link:

    -rw-r--r--  1 robert users  593 Apr 27 16:21 authorized_keys
    -rw-------  1 robert users  736 Apr 27 16:21 id_dsa
    -rw-r--r--  1 robert users  593 Apr 27 16:21 id_dsa.pub
    lrwxrwxrwx  1 robert users    6 Apr 30 05:33 identity -> id_dsa
    -rw-r--r--  1 robert users 1221 Apr 28 20:28 known_hosts

it uses that:

    ssh thinkpad
    Enter passphrase for key '/home/robert/.ssh/identity':

Now if I add back in the config file with "Protocol 2" ssh again looks for id_dsa instead of identity:

    ssh thinkpad
    Enter passphrase for key '/home/robert/.ssh/id_dsa':

--
Robert C. Paulsen, Jr.
robert@paulsenonline.net
Can anyone tell me which SuSE 8.00 package the rlogin daemon is in? I can't seem to find it.

Thanks,

alan
. Whenever you need a program you should run Y2, then Search and include descriptions. You will find it there.

But why not use ssh instead, for security?

--
"Hello," he lied.
-- Don Carpenter quoting a Hollywood agent

On Tuesday 30 April 2002 09:18, alan@ibgames.com wrote:

> Can anyone tell me which SuSE 8.00 package the rlogin daemon is in? I can't seem to find it.
>
> Thanks,
>
> alan
It doesn't show up - I already tried that.

ssh is overkill for what I want. But that's not the point. rlogin is a standard part of Unix, and the people who are going to use the network expect to have access to it.

This is from the messages file, added by inetd:

    May 1 07:33:51 krystal in.rlogind[4406]: error: cannot execute /usr/sbin/in.rlogind: No such file or directory

Clearly inetd expects the daemon to be there! I've no idea why YAST didn't install it in the first place.

Anyone got any other ideas?

alan

On 30 Apr 2002 at 9:29, AnonymousCoward wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> . Whenever you need a program you should run Y2, then Search and include descriptions. You will find it there.
>
> But why not use ssh instead, for security?
>
> - --
> "Hello," he lied.
> -- Don Carpenter quoting a Hollywood agent
>
> On Tuesday 30 April 2002 09:18, alan@ibgames.com wrote:
>
> > Can anyone tell me which SuSE 8.00 package the rlogin daemon is in? I can't seem to find it.
> >
> > Thanks,
> >
> > alan
On Wednesday 01 May 2002 07:43, alan@ibgames.com wrote:

> Anyone got any other ideas?

    zgrep in.rlogind /cdrom/ARCHIVES.gz
    ./CD3/suse/n3/rsh-server-0.17-188.i386.rpm: -rwxr-xr-x root root 15324 Feb 28 20:10 /usr/sbin/in.rlogind

So install package rsh-server on the 3rd CD.

regards
Anders
"Robert C. Paulsen Jr." [ Tue, 30 Apr 2002 06:15:09 -0500]:
> Now here is the odd thing. If I simply delete the config file (not needed since protocol 2 is the default), it all starts working. Note that ssh does *not* ignore the identity file

I guess this is because the default is to try protocol 2 first and then protocol 1, which would mean searching for id_[dr]sa first and then for identity. When you explicitly state 'protocol 2', ssh will *only* look for id_[dr]sa. Obviously it works even when identity contains a DSA or RSA key.

Philipp
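The selection Robert measured and Philipp explains above, modelled as an added example that is not part of the thread and is not OpenSSH code. The helper names (`first_value`, `candidate_keys`, `first_usable_key`, `make_layout`) are hypothetical, the directory is a constructed copy of Robert's listing with empty stand-in files, and the third case uses the `IdentityFile` keyword of ssh_config, which nobody in the thread tried.

```shell
#!/bin/sh
# Model of the key selection reported in this thread (not OpenSSH code).
# Assumptions: no Host-block matching, one value per keyword, the per-user
# config is consulted before the system-wide one, and "2,1" applies when
# neither file sets Protocol.

# first_value KEYWORD FILE...: print the first value set for KEYWORD.
first_value() {
    kw=$1; shift
    for f in "$@"; do
        [ -r "$f" ] || continue
        v=$(awk -v kw="$kw" 'tolower($1) == tolower(kw) { print $2; exit }' "$f")
        if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
    done
    return 1
}

# candidate_keys SSH_DIR SYSTEM_CONFIG: key files that would be tried, in order.
candidate_keys() {
    # An explicit IdentityFile replaces the default names entirely.
    if first_value IdentityFile "$1/config" "$2"; then return 0; fi
    proto=$(first_value Protocol "$1/config" "$2") || proto="2,1"
    case ",$proto," in *,1,*) printf '%s\n' "$1/identity" ;; esac
    case ",$proto," in *,2,*) printf '%s\n' "$1/id_rsa" "$1/id_dsa" ;; esac
}

# first_usable_key SSH_DIR SYSTEM_CONFIG: first candidate that exists
# (symlinks are followed); prints nothing when no candidate exists.
first_usable_key() {
    candidate_keys "$1" "$2" | while IFS= read -r k; do
        if [ -e "$k" ]; then printf '%s\n' "$k"; break; fi
    done
}

# make_layout DIR: constructed copy of the ~/.ssh listing from the thread
# plus the system-wide ssh_config Robert posted (no real key material).
make_layout() {
    mkdir -p "$1/ssh" && : > "$1/ssh/id_rcp" && : > "$1/ssh/id_rcp.pub"
    ln -sf id_rcp "$1/ssh/identity"
    printf 'Protocol 2\n' > "$1/ssh/config"
    printf 'Host *\nForwardX11 yes\nProtocol 2,1\n' > "$1/ssh_config"
}

tmp=$(mktemp -d) && make_layout "$tmp"
echo "user config 'Protocol 2': [$(first_usable_key "$tmp/ssh" "$tmp/ssh_config")]"
rm "$tmp/ssh/config"
echo "user config removed:      [$(first_usable_key "$tmp/ssh" "$tmp/ssh_config")]"
printf 'Protocol 2\nIdentityFile %s/ssh/id_rcp\n' "$tmp" > "$tmp/ssh/config"
echo "explicit IdentityFile:    [$(first_usable_key "$tmp/ssh" "$tmp/ssh_config")]"
rm -rf "$tmp"
```

The empty first result corresponds to "Permission denied (publickey)": with only protocol 2 enabled and a key stored under a non-default name, no key file is found to offer.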
On Sun, 2002-04-28 at 23:03, Philipp Thomas wrote:

> Robert Paulsen [ 28.04.2002 21:11:14 -0500]:
>
> > Just installed SuSE 8.0 and cannot get ssh to work.
> >
> > I can ssh *into* my new system, but not *out* to another system. I am using the very same configuration files and keys I have on my SuSE 7.3
>
> Sorry, but the answer is RTFM.

let me say this which is sad for a user using suse.de in their email use this attitude. much better ignore the email

> Did you read the mail sent to root about the changes in ssh? It doesn't seem so, as otherwise you'd have noticed that protocol 2 is now the default, which uses different keys (id_dsa or id_rsa). There is also a tool to convert the keys if you want to.
>
> If you want to continue using your old keys, either change your ~/.ssh/options to use protocol 1 or specify that in the call to ssh:
>
>     ssh -1 thinkpad
>
> For more information refer to the ssh manpage.
>
> Philipp
>
> --
> To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com
> For additional commands send e-mail to suse-linux-e-help@suse.com
> Also check the archives at http://lists.suse.com
Landy,
RR
> let me say this which is sad for a user using suse.de in their email use this attitude.

Yes, you're right, I did react too harsh. Shows that there are times when I shouldn't write mails or at least proof read them.

Philipp

BTW, I do read the list so there is no need to additionally send me a private mail.
Robert Paulsen
> I can ssh *into* my new system, but not *out* to another system. I am using the very same configuration files and keys I have on my SuSE 7.3 system where it all works fine. This includes my ~/.ssh directory and the /etc/ssh directory -- all copied from the 7.3 system to the new 8.0 system.

Could the problem be that the remote systems have cached your host.key from previous connections, now it has changed and therefore the remote systems suspect a possible man-in-the-middle attack and are refusing access?

If you can[1], look at the logs on the system to which you are trying to connect and see if that shows anything.

[1] Or if you cannot get access to the logs, ask the administrator to check for you.
On Sun, Apr 28, 2002 at 09:11:14PM -0500, Robert Paulsen wrote:

> Hello,
>
> Just installed SuSE 8.0 and cannot get ssh to work.
>
> I can ssh *into* my new system, but not *out* to another system. I am using the very same configuration files and keys I have on my SuSE 7.3 system where it all works fine. This includes my ~/.ssh directory and the /etc/ssh directory -- all copied from the 7.3 system to the new 8.0 system.
>
> Here is what I get (from the new SuSE 8.0 system to another, unrelated, SuSE system):
>
>     ssh thinkpad
>     Permission denied (publickey).

Are you trying to use the agent feature for automatic login? Is the ssh-agent running?

Are you trying to ssh into another box as root or as a user?

I am using ssh on SuSE 8 without problems to log in to several servers.

Best Regards,
Keith

--
LPIC-2, MCSE, N+
Got spam? Get spastic http://spastic.sourceforge.net
participants (11)

- alan@ibgames.com
- Anders Johansson
- AnonymousCoward
- Graham Murray
- J. Scott Thayer, M.D.
- Keith Winston
- Philipp Thomas
- Robert C. Paulsen Jr.
- Robert Paulsen
- RR
- Thorsten Kukuk