I am running openssh-2.3.0p1/openssl-0.9.6 on several linux machines
(2.0.38 and 2.2.17).
I am having two problems:
1. I have created DSA public keys on all of my machines with ssh-keygen -d.
I have copied the id_dsa.pub keys all to one machine, and put them all (cat *)
into .ssh/authorized_keys2. I then copied this file into the .ssh directories
on all of my machines, so on every machine, I now have my own key and the
public keys of all of the machines.
I then try to ssh from one machine to another with ssh -2. It asks me
for my passphrase. However, authentication fails. I have included the
output of 'ssh -2 -v grissom' at the end of this message.
2. I am running a mysql server on shepard, but I do not want to connect to
it from across the internet for security purposes. Port 3306 is blocked at
the firewall, and the mysql server grant tables allow only users from
127.0.0.1.
Before upgrading to OpenSSH, I was using ssh 1.2.27. In theory, I should
have been able to 'ssh -L 3306:127.0.0.1:3306 shepard' from my local machine.
When I did this, I got no error, and port 3306 was open for listening, but
I could not connect to the remote machine. I tried an experiment to see if
I had the -L numbers correct: 'ssh -L 25000:127.0.0.1:25 shepard'. When I
telnetted to local port 25000, I was indeed connected to the mail server on
shepard. The MySQL port was not forwarded properly, though.
I hoped that this would work under OpenSSH, but it is worse! After typing
that first command, it asks for my password. Upon supplying it, I get an
error: 'Disconnecting: cannot listen port: 3306'. I tried using local port
3333 (picked at random). It complained about that port, also.
Here are the verbose results, as promised. I have changed the IP
addresses to 192.168.15/24, but otherwise they are verbatim.
#1:
shepard$ ssh -2 -v grissom
SSH Version OpenSSH_2.3.0p1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090600f).
debug: Reading configuration data /usr/local/etc/ssh_config
debug: ssh_connect: getuid 1000 geteuid 0 anon 0
debug: Connecting to grissom [192.168.15.1] port 22.
debug: Seeding random number generator
debug: Allocated local port 676.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH_2.3.0p1
debug: no match: OpenSSH_2.3.0p1
Enabling compatibility mode for protocol 2.0
debug: Local version string SSH-2.0-OpenSSH_2.3.0p1
debug: send KEXINIT
debug: done
debug: wait KEXINIT
debug: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug: got kexinit: ssh-dss
debug: got kexinit:
3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,[EMAIL PROTECTED]
debug: got kexinit:
3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,[EMAIL PROTECTED]
debug: got kexinit: hmac-sha1,hmac-md5,[EMAIL PROTECTED]
debug: got kexinit: hmac-sha1,hmac-md5,[EMAIL PROTECTED]
debug: got kexinit: none,zlib
debug: got kexinit: none,zlib
debug: got kexinit:
debug: got kexinit:
debug: first kex follow: 0
debug: reserved: 0
debug: done
debug: kex: server->client 3des-cbc hmac-sha1 none
debug: kex: client->server 3des-cbc hmac-sha1 none
debug: Sending SSH2_MSG_KEX_DH_GEX_REQUEST.
debug: Wait SSH2_MSG_KEX_DH_GEX_GROUP.
debug: Got SSH2_MSG_KEX_DH_GEX_GROUP.
debug: bits set: 496/1024
debug: Sending SSH2_MSG_KEX_DH_GEX_INIT.
debug: Wait SSH2_MSG_KEX_DH_GEX_REPLY.
debug: Got SSH2_MSG_KEXDH_REPLY.
debug: Host 'grissom' is known and matches the DSA host key.
debug: bits set: 529/1024
debug: len 55 datafellows 0
debug: dsa_verify: signature correct
debug: Wait SSH2_MSG_NEWKEYS.
debug: GOT SSH2_MSG_NEWKEYS.
debug: send SSH2_MSG_NEWKEYS.
debug: done: send SSH2_MSG_NEWKEYS.
debug: done: KEX2.
debug: send SSH2_MSG_SERVICE_REQUEST
debug: service_accept: ssh-userauth
debug: got SSH2_MSG_SERVICE_ACCEPT
debug: authentications that can continue: publickey,password
debug: next auth method to try is publickey
debug: try pubkey: /var/home/jackmc/.ssh/id_dsa
debug: PEM_read_bio_DSAPrivateKey failed
debug: read DSA private key done
Enter passphrase for DSA key '/var/home/jackmc/.ssh/id_dsa':
debug: read DSA private key done
debug: sig size 20 20
debug: authentications that can continue: publickey,password
debug: next auth method to try is publickey
debug: next auth method to try is password
jackmc@grissom's password:
#2:
glenn$ ssh -L 3333:127.0.0.1:3306 -v shepard
SSH Version OpenSSH_2.3.0p1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090600f).
debug: Reading configuration data /usr/local/etc/ssh_config
debug: Seeding random number generator
debug: ssh_connect: getuid 1000 geteuid 0 anon 0
debug: Connecting to shepard [192.168.15.3] port 22.
debug: Seeding random number generator
debug: Allocated local port 916.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH_2.3.0p1
debug: no match: OpenSSH_2.3.0p1
debug: Local version string SSH-1.5-OpenSSH_2.3.0p1
debug: Waiting for server public key.
debug: Received server public key (2048 bits) and host key (1024 bits).
debug: Host 'shepard' is known and matches the RSA host key.
debug: Seeding random number generator
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
debug: Remote: Server has been configured to ignore .rhosts.
debug: Server refused our rhosts authentication or host key.
debug: Doing password authentication.
jackmc@shepard's password:
debug: Requesting pty.
debug: Connections to local port 3333 forwarded to remote address 127.0.0.1:3306
socket: Invalid argument
debug: Local forwarding listening on 127.0.0.1 port 3333.
bind: Cannot assign requested address
Disconnecting: cannot listen port: 3333
debug: Calling cleanup 0x805edac(0x0)
--
"What we observe is not nature itself, but nature exposed to our method of
questioning."
-Werner Karl Heisenberg

Jack McKinney
http://www.lorentz.com
[EMAIL PROTECTED]
1024D/D68F2C07 4096g/38AEF076
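The following is an added example, not code from the original post or from the OpenSSH project. It audits the two things the authorized_keys2 layout described above depends on: that none of the home directory, ~/.ssh, or the authorized keys file is group- or world-writable (with StrictModes, sshd's default, any of those makes the server disregard the file), and that the public key the client offers actually appears, byte for byte, as a line in the file it was concatenated into. It assumes only POSIX sh, ls, cut, awk and mktemp; the key strings and directory it builds are constructed fixtures, not real keys, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post: audit what a public-key login
# through ~/.ssh/authorized_keys2 depends on.  Assumes POSIX sh, ls, cut,
# awk, mktemp.  Paths are passed as arguments; nothing touches the network.

# Exit 0 if PATH is group- or world-writable.  Reads the mode string from
# `ls -ld` (group 'w' is column 6, other 'w' is column 9) so it behaves the
# same with GNU and BSD userland.  With StrictModes (sshd's default) a
# writable home, ~/.ssh or authorized keys file makes sshd skip the keys.
world_or_group_writable() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        ?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit 0 if the base64 blob (field 2 of the first line of PUBKEY_FILE)
# appears as field 2 of some line in AUTHKEYS_FILE; 1 if not; 2 if the
# .pub file is unreadable or malformed.  A key that was wrapped or
# truncated while being concatenated fails this exact-field comparison.
key_authorized() {
    blob=$(awk 'NR == 1 { print $2 }' "$1" 2>/dev/null)
    [ -n "$blob" ] || return 2
    awk -v b="$blob" '$2 == b { found = 1 } END { if (found) exit 0; exit 1 }' "$2"
}

# Run both checks for HOME_DIR/.ssh/PUBKEY and HOME_DIR/.ssh/AUTHKEYS.
# Prints one line per finding; exit 0 only when everything is clear.
audit_pubkey_setup() {
    home=$1
    pub="$home/.ssh/$2"
    auth="$home/.ssh/$3"
    rc=0
    for p in "$home" "$home/.ssh" "$auth"; do
        if world_or_group_writable "$p"; then
            echo "BAD: $p is group- or world-writable"
            rc=1
        fi
    done
    if key_authorized "$pub" "$auth"; then
        echo "OK:  key from $pub is listed in $auth"
    else
        echo "BAD: key from $pub is not listed in $auth"
        rc=1
    fi
    return $rc
}

# Constructed fixture (made-up key strings, not real keys) reproducing the
# post's layout in a throwaway directory; prints its path.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/.ssh"
    echo "ssh-dss AAAAB3FAKEgrissomBLOB= jackmc@grissom" > "$d/.ssh/id_dsa.pub"
    {
        echo "ssh-dss AAAAB3FAKEshepardBLOB= jackmc@shepard"
        echo "ssh-dss AAAAB3FAKEgrissomBLOB= jackmc@grissom"
    } > "$d/.ssh/authorized_keys2"
    chmod 700 "$d" "$d/.ssh"
    chmod 644 "$d/.ssh/id_dsa.pub"
    chmod 600 "$d/.ssh/authorized_keys2"
    echo "$d"
}

# Demonstration: a clean layout passes, then the common mistake of a
# group-writable ~/.ssh is introduced and flagged.
FIXTURE=$(make_fixture)
if audit_pubkey_setup "$FIXTURE" id_dsa.pub authorized_keys2; then
    echo "clean layout: all clear"
fi
chmod 770 "$FIXTURE/.ssh"
if ! audit_pubkey_setup "$FIXTURE" id_dsa.pub authorized_keys2; then
    echo "group-writable .ssh: problems found, as expected"
fi
rm -rf "$FIXTURE"
```

Run it against a real account as `audit_pubkey_setup "$HOME" id_dsa.pub authorized_keys2` on the machine that rejects the login; a BAD line for a mode problem or for a missing key line is the first thing to fix before reading further into the `-v` output.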