pantz.org banner
Convert OpenSSH keys to ssh.com keys
Posted on 07-31-2009 01:07:39 UTC | Updated on 07-31-2009 01:14:05 UTC
Section: /software/ssh/ | Permanent Link

This example will show how to convert the OpenSSH key format to ssh.com (Tectia enterprise products) key format. It will also show you how to import the converted keys into ssh.com's Secure File Transfer Client.

1. Copy your private OpenSSH key from your unix system to your local windows machine. The private key is in your home dir ~/.ssh/. Usually it's called id_(something) like id_dsa. I'm going to call mine id_dsa for this example. Make sure your copy the file by transferring it over the network with scp/sftp, shared mount point you have to your your windows machine, or usb key. DO NOT cat the file in a terminal and then copy and paste it into a text editor on the windows machine. This will not work because of the differences in file formats of unix and windows.

2. Go and download Putty. Get the zip version from the website and unzip it. Find the program puttygen.exe in the unzipped files and execute it.

3. Click the "load" button. Select "files of all type" drop down. Then select all files. Point puttygen to your OpenSSH key that you copied over in step 1. Then click "open". Enter your keys pass phrase (If you have one. You should be using pass phrases on your keys.).

4. Click conversions->export->ssh.com key. Then save your converted private key with the name "id_dsa_sshcom". This is your converted private key. Names are important to the ssh.com program when importing keys. The key pair has to have matching names to be imported. You can call it anything you want but it has to take the format: key_name and key_name.pub.

5. Now click file->save public key. Save the public key with the name id_dsa_sshcom.pub in the same area (folder) you saved your private key in step 4. This is your public key that goes with your private key. Make sure the first part of the names match.

6. Open the ssh.com Secure File Transfer Client. Click edit->settings. Then go to user authentication->keys (in the left pane). Click the import button. Select "files of all type" drop down. Then select all files. Click the "Look in" drop down and point it to the folder where your "id_dsa_sshcom.pub" and "id_dsa_sshcom" files are. Select your public key id_dsa_sshcom.pub and click ok. Then ok out of the settings area. FYI: The ssh.com client will ask for the public key and then when it is selected is will match the private key that goes with it by the same name. Just without the .pub at the end.

7. Now you should be able to connect to any host that you have put your public keys on with ssh.com's Secure File Transfer Client.

8. After you have tested your connection make sure you delete your private key you copied over from your system when we started.

Del.icio.us! | Digg Me! | Reddit!

Related stories

Upgraded OpenSSH and now X11 forwarding fails
Posted on 12-13-2007 16:23:00 UTC | Updated on 12-13-2007 16:23:00 UTC
Section: /software/ssh/ | Permanent Link

I upgraded OpenSSH and X11 forwarding now fails with "X11 connection rejected because of wrong authentication". Lets say you upgraded OpenSSH on machine1 and you now try to ssh to machine2 and X11 forward fails. You get the following errors seen below.

user@machine:~$ ssh -X user@machine2
user@machine2's password:
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.

The error you see when trying to open a program expecting X11 forwarding is the following.

user@machine2:~$ xterm
X11 connection rejected because of wrong authentication.
X connection to localhost:10.0 broken (explicit kill or server shutdown).

I figured out the problem seems to be trusted X11 forwarding is turned off or disabled. To fix it you have to ssh with the -Y parameter instead of the -X. The other thing you could do is edit your /etc/ssh/ssh_config file on machine1 and set "ForwardX11Trusted" to "yes". Which would look like "ForwardX11Trusted yes".

Del.icio.us! | Digg Me! | Reddit!

Related stories

Install OpenSSH from source on CentOS 4.5
Posted on 09-18-2007 15:13:00 UTC | Updated on 09-18-2007 15:13:00 UTC
Section: /software/ssh/ | Permanent Link

This is an install of OpenSSH from source on CentOS 4.5. It is not so much of an upgrade as it is a seperate install. SSH is your gateway into your machine. It is the access point for your machine over the network. Therefore it needs one of the most secure parts of your system. When a vulnerability comes out for it you have to update it ASAP. Problem is most distros don't make haste in getting packages out that update it. So your stuck with updating it yourself. So that rpm or deb package you installed is useless now that is vulnerable.

So what we are going to do is compile and install our own OpenSSH in the /opt tree (or wherever you want). Then whenever OpenSSL, OpenSSH, or Zlib have a security problem we can just quickly patch, recompile, and install a new version of any of them. No dependence on the distro's packages and their slower response times. The install below is what versions of the packages where avaliable at the time so change those accordingly.

First we download and install zlib. It does not seem to change version much so you might not need to do this each time.

cd /tmp
mkdir -p /opt/zlib
mkdir zlib1.23
cd zlib1.23/
wget http://www.zlib.net/zlib123.zip
unzip zlib123.zip
make
make install prefix=/opt/zlib/

Next we download and install OpenSSL.

cd /tmp
mkdir -p /opt/openssl
wget http://www.openssl.org/source/openssl-0.9.8e.tar.gz
tar xvzf openssl-0.9.8e.tar.gz
cd openssl-0.9.8e
./config --prefix=/opt/openssl --openssldir=/opt/openssl
make
make test
make install

Now we download and install OpenSSH. This version is for linux so it will come from the portable code base. In the configure section we are pointing to the OpenSSL and zlib installs we did above. You also want to check to see where your xauth file is and put that path in accordingly. I just did the command "which xauth" and got the path but you might need to do a "find / -name xauth" to find it.

cd /tmp
mkdir -p /opt/openssh
wget ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.7p1.tar.gz
tar xvzf openssh-4.7p1.tar.gz
cd openssh-4.7p1
./configure --prefix=/opt/openssh --with-ssl-dir=/opt/openssl --with-xauth=/usr/X11R6/bin/xauth --with-zlib=/opt/zlib
make
make install

We are going to use the SSHD init.d script to start and stop our version of SSH. This script comes with CentOS 4.5. To use it we need to change some paths. Check /etc/init.d/sshd make sure these point to /opt/openssh.

# Some functions to make the below more readable
KEYGEN=/opt/openssh/bin/ssh-keygen
SSHD=/opt/openssh/sbin/sshd
RSA1_KEY=/opt/openssh/etc/ssh_host_key
RSA_KEY=/opt/openssh/etc/ssh_host_rsa_key
DSA_KEY=/opt/openssh/etc/ssh_host_dsa_key

Then restart SSH.

/etc/init.d/sshd restart

Check with telnet that your SSH is giving out the right version number of the one you just installed. You can do this by telnetting to your OpenSSH server.

telnet localhost 22

We should get a response with "OpenSSH_4.7" in the title. The same version that was just installed.

Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
SSH-2.0-OpenSSH_4.7

Del.icio.us! | Digg Me! | Reddit!

Related stories


RSS Feed RSS feed logo
About


3com
3ware
alsa
alsactl
alsamixer
amd
apache
areca
arm
ati
auditd
awk
badblocks
bind
bios
bonnie
cable
carp
cat5
cdrom
centos
chart
cifs
cisco
comcast
commands
comodo
compiz-fusion
corsair
cpufreq
cpufrequtils
cpuspeed
cron
crontab
crossover
cu
cups
cvs
database
dd
dd_rescue
ddclient
debian
decimal
dhclient
dhcp
diagnostic
diskexplorer
disks
dns
dos
dovecot
dsniff
dvdauthor
e-mail
editor
emerald
ethernet
ext3
fat32
fedora
fetchmail
fiber
filesystems
firefox
firewall
flexlm
floppy
flowtools
fonts
format
ftp
gdm
gnome
greylisting
growisofs
grub
harddrive
hba
hex
hfsc
html
http
idl
ie
intel
ios
ipmi
iptables
irix
javascript
kde
kernel
kmail
kprinter
krecord
kubuntu
linux
logfile
maradns
matlab
memory
mencoder
mhdd
mkinitrd
mkisofs
moinmoin
motherboard
mouse
movemail
mplayer
multitail
mutt
myodbc
mysql
mythtv
nagios
nameserver
netflow
nic
ntfs
ntp
nvidia
odbc
openbsd
openntpd
openoffice
openssh
openssl
opteron
parted
partimage
patch
perl
pf
pfflowd
pfsync
photorec
php
pop3
pop3s
ports
postfix
power
procmail
proftpd
proxy
putty
pxe
python
qemu
r-studio
raid
recovery
router
rpc
rsync
samba
schedule
scsi
seagate
seatools
sed
sendmail
sgi
shell
siw
smtp
snort
solaris
soundcard
spam
spamd
sql
sqlite
squid
ssh
ssh.com
ssl
subnet
subversion
sun
supermicro
switches
symbols
syslinux
systemrescuecd
t1
tcpip
tcpwrappers
telnet
terminal
testdisk
tftp
thttpd
thunderbird
timezone
tools
tr
trac
tuning
tunnel
vi
wget
wiki
windows
windowsxp
wireless
wpa_supplicant
x
xauth
xfree86
xfs
xinearama
xmms
zdump
zic
zlib