* SSH2 public key?
@ 2005-10-25 22:12 Richard Kenner
  2005-10-25 22:14 ` Ian Lance Taylor
  0 siblings, 1 reply; 18+ messages in thread
From: Richard Kenner @ 2005-10-25 22:12 UTC (permalink / raw)
  To: overseers

Does this look like an SSH2 public key?  If so, here it is:

-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: SSH2 public key?
  2005-10-25 22:12 SSH2 public key? Richard Kenner
@ 2005-10-25 22:14 ` Ian Lance Taylor
  0 siblings, 0 replies; 18+ messages in thread
From: Ian Lance Taylor @ 2005-10-25 22:14 UTC (permalink / raw)
  To: Richard Kenner; +Cc: overseers

kenner@vlsi1.ultra.nyu.edu (Richard Kenner) writes:

> Does this look like an SSH2 public key?  If so, here it is:

That does not look like an SSH2 public key.  That looks like a private
key.

The public key should look more like this:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAzcFqsu2HdsUECY80BlpVVHjzQZt3VI/LKErRTQkclXMLaDIAasAetjjw5ls63dynpcrbS1Gvhqg/iYzYSw3baLEL0TsuqM1uPxlyjIK706uvg8tILCXR76yp0l0c+5Isx2bfjZzdIjAhw56H66gatKxE4p+3GOPKd6omyinXjF8= ian@daffy.airs.com

You will normally find it in a file .ssh/id_rsa.pub or
.ssh/id_dsa.pub.

Ian

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: SSH2 public key?
@ 2005-10-27  1:03 Richard Kenner
  0 siblings, 0 replies; 18+ messages in thread
From: Richard Kenner @ 2005-10-27  1:03 UTC (permalink / raw)
  To: ian; +Cc: overseers

    Done.

OK, thanks.  Works again.  And is secure.  Now I just have to make sure
everything else keeps working ...

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: SSH2 public key?
  2005-10-26  3:04 Richard Kenner
@ 2005-10-27  0:53 ` Ian Lance Taylor
  0 siblings, 0 replies; 18+ messages in thread
From: Ian Lance Taylor @ 2005-10-27  0:53 UTC (permalink / raw)
  To: Richard Kenner; +Cc: overseers

kenner@vlsi1.ultra.nyu.edu (Richard Kenner) writes:

> Please remove the last one and add this one.  I'm sorry about all
> this, but exactly what goes where is a mystery to me (though it's
> indeed getting slightly less so).

Done.

Ian

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: SSH2 public key?
@ 2005-10-26  3:04 Richard Kenner
  2005-10-27  0:53 ` Ian Lance Taylor
  0 siblings, 1 reply; 18+ messages in thread
From: Richard Kenner @ 2005-10-26  3:04 UTC (permalink / raw)
  To: ian; +Cc: overseers

    Installed.

OK, but now I can't get it to work anymore.  I have absolutely no idea where
to put the corresponding private key or what format to do it in.

Maybe I'll just leave that one in authorized_keys and use ssh2's keygen
to make a new key and put that one there too.

Please remove the last one and add this one.  I'm sorry about all
this, but exactly what goes where is a mystery to me (though it's
indeed getting slightly less so).

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAxP797H8PRlVLcuX0w7Zm0VGpniGv1FTFunAUxq+5ETOQ+AhtSPhz+m4d4qpbclzPgJRx9smRb0jtV64HYP5yHko2PvPaofOK07tHaatx6+Qi/dRMJ9GQEhx1YiNTHpZhOVM6e1qtlWGavN2hxWEyttMEE9KLHTkyVLwpGW55z0U= kenner@don

Thanks!

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: SSH2 public key?
  2005-10-25 23:20 ` Ian Lance Taylor
@ 2005-10-26  2:48   ` Frank Ch. Eigler
  0 siblings, 0 replies; 18+ messages in thread
From: Frank Ch. Eigler @ 2005-10-26  2:48 UTC (permalink / raw)
  To: Ian Lance Taylor; +Cc: Richard Kenner, overseers

Hi -

iant wrote:

> Well, you sent out an SSH private key.  [...]
> Our problem is that we now have a security hole.  [...]

This really is not that big a problem, if kenner had a decent
passphrase that encrypts the private key.  It's no more useful to
an intruder than modern crypt fields in /etc/passwd or /shadow.

- FChE

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: SSH2 public key?
@ 2005-10-26  1:15 Richard Kenner
  0 siblings, 0 replies; 18+ messages in thread
From: Richard Kenner @ 2005-10-26  1:15 UTC (permalink / raw)
  To: ian; +Cc: overseers

    I don't know.  I mean, one could do it by putting it in an
    authorized_keys file and then using the private key with SSH to see if
    I could connect, but I assume from your other comments that that would
    be difficult for you.  

It's not a matter of being *difficult*, just unreliable because the
whole point is that I don't know which programs use which files, so I
couldn't do a reliable test.  What I was looking for was a program
that, given a pair of keys (a public and private), would say if they
correspond.  As I understand public key encryption, there's no reason
why such a program couldn't exist.

    But the basic idea behind SSH is this:

Right.  These parts I get.  It's the variety of different forms of keys,
SSH1 vs. SSH2 and all the various files that I'm confused about.

    That is unfortunate, but you should not have to get to each machine to
    create a new pair of SSH keys.  And, if you like, you can use a
    different private key for each one of your machines.  It just means
    having several public keys on gcc.gnu.org.

The issue isn't access to gcc.gnu.org, since I want to centralize
that, but making sure that I can get to *other* machines in each
possible pairing.

There are basically three cases:

(1) Between pairs of machines where my home directory is NFS-mounted.  There,
I just have to have a consistent .ssh directory, as I understand it,
provided that I handle both SSH1 and SSH2 clients.

(2) Between one machine in that set and gcc.gnu.org.

(3) Between SecureCRT from various machines and the machines in that set.
It's one of the SecureCRT clients here that I don't have access to right now.

^ permalink raw reply	[flat|nested] 18+ messages in thread
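
The question in the message above, whether a program can say if a given private key and public key correspond, has a direct answer for RSA: an unencrypted PKCS#1 `RSA PRIVATE KEY` file stores the modulus and public exponent next to the private values, so the check is a comparison. The Python below is an added example, not part of the thread; the function names are illustrative and the key pair is a constructed toy.

```python
import base64

def fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    out, i = [], 0
    while i < len(blob):
        size = int.from_bytes(blob[i:i + 4], "big")
        out.append(blob[i + 4:i + 4 + size])
        i += 4 + size
    return out

def public_numbers(line):
    """(e, n) from an OpenSSH 'ssh-rsa AAAA... comment' public key line."""
    name, e, n = fields(base64.b64decode(line.split()[1]))
    if name != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key")
    return int.from_bytes(e, "big"), int.from_bytes(n, "big")

def der_integers(der):
    """INTEGERs inside one DER SEQUENCE, as in a PKCS#1 RSAPrivateKey."""
    def header(i):
        tag, size, i = der[i], der[i + 1], i + 2
        if size & 0x80:                          # long-form length
            k = size & 0x7F
            size, i = int.from_bytes(der[i:i + k], "big"), i + k
        return tag, size, i
    tag, size, i = header(0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    end, ints = i + size, []
    while i < end:
        tag, size, i = header(i)
        if tag != 0x02:
            raise ValueError("unexpected DER element")
        ints.append(int.from_bytes(der[i:i + size], "big"))
        i += size
    return ints

def private_numbers(pem):
    """(e, n) stored inside an unencrypted 'RSA PRIVATE KEY' PEM file."""
    lines = [l.strip() for l in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN RSA PRIVATE KEY-----" or any(":" in l for l in lines):
        raise ValueError("need an unencrypted PKCS#1 RSA private key")
    version, n, e = der_integers(base64.b64decode("".join(lines[1:-1])))[:3]
    return e, n

def keys_correspond(private_pem, public_line):
    return private_numbers(private_pem) == public_numbers(public_line)

# Constructed toy pair (n = 61 * 53 = 3233, e = 17); far too small for real use.
TOY_DER = bytes.fromhex("301d020100" "02020ca1" "020111" "02020ac1"
                        "02013d" "020135" "020135" "020131" "020126")
TOY_PRIVATE = ("-----BEGIN RSA PRIVATE KEY-----\n" + base64.b64encode(TOY_DER).decode()
               + "\n-----END RSA PRIVATE KEY-----\n")
TOY_PUBLIC = "ssh-rsa " + base64.b64encode(bytes.fromhex(
    "000000077373682d727361" "0000000111" "000000020ca1")).decode() + " toy@example"
```

OpenSSH's `ssh-keygen -y -f <private-key-file>` prints the public key derived from a private key file, which can be compared against a `.pub` file in the same way.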

* Re: SSH2 public key?
  2005-10-25 23:41 Richard Kenner
@ 2005-10-26  1:11 ` Ian Lance Taylor
  0 siblings, 0 replies; 18+ messages in thread
From: Ian Lance Taylor @ 2005-10-26  1:11 UTC (permalink / raw)
  To: Richard Kenner; +Cc: overseers

kenner@vlsi1.ultra.nyu.edu (Richard Kenner) writes:

> Please leave my original SSH1 key and add the following public key.  I'll
> have to figure out how to get the corresponding private key someplace

Installed.

Thanks.

Ian

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: SSH2 public key?
  2005-10-25 23:30 Richard Kenner
  2005-10-25 23:38 ` Daniel Jacobowitz
@ 2005-10-26  1:06 ` Ian Lance Taylor
  1 sibling, 0 replies; 18+ messages in thread
From: Ian Lance Taylor @ 2005-10-26  1:06 UTC (permalink / raw)
  To: Richard Kenner; +Cc: overseers

kenner@vlsi1.ultra.nyu.edu (Richard Kenner) writes:

>      Well, you sent out an SSH private key.  The question is whether you
>      generated a new private/public key pair, using ssh-keygen, before you
>      sent out the public key.  Or whether you just sent the public key you
>      already had.
> 
> Or sent some other random private key that happened to be in a file
> somewhere.  Given the amount of trouble I had getting everything to
> work, there are likely to be numerous public and private keys around in
> lots of files on different machines.  How would I go about seeing if
> that particular private key corresponded to that particular public key?

I don't know.  I mean, one could do it by putting it in an
authorized_keys file and then using the private key with SSH to see if
I could connect, but I assume from your other comments that that would
be difficult for you.  I don't know how to do it using just an SSH
client.

>      Please generate a new SSH key pair, and send us the new public key.
> 
> I have absolutely no idea what that means or how to do it!  When I
> switched from using the VanDyke "crt" program to their "securecrt" program,
> I used it to generate various sets of keys that I copied to various places
> and kept hacking away until it worked. I never had a good understanding
> of the process since every machine seemed to have its own mechanism.

I've never used securecrt.  But the basic idea behind SSH is this:

1) SSH uses pairs of keys.
2) Each pair is composed of one private key and one public key.
3) You should keep the private key completely private.
4) You can give the public key to anybody.
5) The client has one or more private keys.
6) The server has one or more public keys.
7) When you connect, the client and server compare their keys in a
   secure manner.
8) If the client has a private key which matches a public key held on
   the server, access is permitted.

And, of course:
    http://www.employees.org/~satch/ssh/faq/ssh-faq.html

> So basically what you are suggesting would be starting from scratch.
> That would be bad enough except for the hurricane and now they are
> saying it might not be until November 15 that I can start the process of
> getting to one of those machines.

That is unfortunate, but you should not have to get to each machine to
create a new pair of SSH keys.  And, if you like, you can use a
different private key for each one of your machines.  It just means
having several public keys on gcc.gnu.org.

> As I understand it, I have to start with the Van Dyke program because it
> can't *import* a private key, but I'm not sure.  Is that right?  If so,
> I guess I can work on it, though it'll likely take much of the week.

I don't know anything about the Van Dyke program.  I looked online,
but unfortunately they don't seem to put their manual on the web.

Ian

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: SSH2 public key?
@ 2005-10-25 23:41 Richard Kenner
  2005-10-26  1:11 ` Ian Lance Taylor
  0 siblings, 1 reply; 18+ messages in thread
From: Richard Kenner @ 2005-10-25 23:41 UTC (permalink / raw)
  To: ian; +Cc: overseers

Please leave my original SSH1 key and add the following public key.  I'll
have to figure out how to get the corresponding private key someplace

---- BEGIN SSH2 PUBLIC KEY ----
Subject: kenner
Comment: "kenner@YELLOW"
ModBitSize: 1024
AAAAB3NzaC1yc2EAAAADAQABAAAAgQDF20sTmCRz3R2ZwUO6tTXpFvxjIEfopPiebTZ1
cQDWsdsMAWKDsw9cDVG1S5ihbYcSXfH/hpSKKiQ+aJB+r03qmAc0rOEIapzDbP5KCl7L
EF7SajgkP0xqF5O9EWDxAZYkbUOPv3hrkxq2yjSpSoC6k014AfEtAwbbmpXTO71nmQ==
---- END SSH2 PUBLIC KEY ----

^ permalink raw reply	[flat|nested] 18+ messages in thread
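
The thread moves between three textual forms of SSH key material: the PEM private key in the first message, OpenSSH's one-line `ssh-rsa AAAA...` public key, and the `---- BEGIN SSH2 PUBLIC KEY ----` block in the message above. As an added example (not part of any message in the thread), the Python below tells the three apart before anything is sent and converts the block form into the one-line form; the function names are illustrative, and the sample is the public key block from the message above.

```python
import base64
import re

PRIVATE = re.compile(r"-{4,5} ?BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY ?-{4,5}")
OPENSSH = re.compile(r"(?:ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-\S+) AAAA\S+")

def classify(text):
    """Say what kind of key material a pasted block is, before it is sent."""
    text = text.strip()
    if PRIVATE.search(text):
        return "private"            # never belongs in mail or authorized_keys
    if text.startswith("---- BEGIN SSH2 PUBLIC KEY ----"):
        return "public-rfc4716"     # multi-line block form (RFC 4716)
    if OPENSSH.match(text):
        return "public-openssh"     # one-line form used in authorized_keys
    return "unknown"

def rfc4716_to_openssh(text):
    """Turn an RFC 4716 public key block into one authorized_keys line."""
    if classify(text) != "public-rfc4716":
        raise ValueError("not an SSH2 (RFC 4716) public key block")
    comment, b64, continued = "", [], False
    for line in text.strip().splitlines()[1:]:
        line = line.strip()
        if line.startswith("---- END"):
            break
        if continued or ":" in line:           # header line or its continuation
            if not continued and line.lower().startswith("comment:"):
                comment = line.split(":", 1)[1].strip().strip('"\\')
            continued = line.endswith("\\")
        else:
            b64.append(line)                   # base64 never contains ':'
    blob = base64.b64decode("".join(b64))
    n = int.from_bytes(blob[:4], "big")        # first field: algorithm name
    return f"{blob[4:4 + n].decode()} {''.join(b64)} {comment}".strip()

# Public key block as posted in the thread (public material only).
SECURECRT_KEY = """\
---- BEGIN SSH2 PUBLIC KEY ----
Subject: kenner
Comment: "kenner@YELLOW"
ModBitSize: 1024
AAAAB3NzaC1yc2EAAAADAQABAAAAgQDF20sTmCRz3R2ZwUO6tTXpFvxjIEfopPiebTZ1
cQDWsdsMAWKDsw9cDVG1S5ihbYcSXfH/hpSKKiQ+aJB+r03qmAc0rOEIapzDbP5KCl7L
EF7SajgkP0xqF5O9EWDxAZYkbUOPv3hrkxq2yjSpSoC6k014AfEtAwbbmpXTO71nmQ==
---- END SSH2 PUBLIC KEY ----
"""

if __name__ == "__main__":
    print(rfc4716_to_openssh(SECURECRT_KEY))
```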

* Re: SSH2 public key?
  2005-10-25 23:30 Richard Kenner
@ 2005-10-25 23:38 ` Daniel Jacobowitz
  2005-10-26  1:06 ` Ian Lance Taylor
  1 sibling, 0 replies; 18+ messages in thread
From: Daniel Jacobowitz @ 2005-10-25 23:38 UTC (permalink / raw)
  To: Richard Kenner; +Cc: ian, overseers

On Tue, Oct 25, 2005 at 07:24:43PM -0400, Richard Kenner wrote:
>      Our problem is that we now have a security hole.  
> 
> Why?  I thought the overseers list was basically people who had root
> access and were therefore trusted?

It's a public, and publicly archived, list.

-- 
Daniel Jacobowitz
CodeSourcery, LLC

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: SSH2 public key?
@ 2005-10-25 23:30 Richard Kenner
  2005-10-25 23:38 ` Daniel Jacobowitz
  2005-10-26  1:06 ` Ian Lance Taylor
  0 siblings, 2 replies; 18+ messages in thread
From: Richard Kenner @ 2005-10-25 23:30 UTC (permalink / raw)
  To: ian; +Cc: overseers

     Well, you sent out an SSH private key.  The question is whether you
     generated a new private/public key pair, using ssh-keygen, before you
     sent out the public key.  Or whether you just sent the public key you
     already had.

Or sent some other random private key that happened to be in a file
somewhere.  Given the amount of trouble I had getting everything to
work, there are likely to be numerous public and private keys around in
lots of files on different machines.  How would I go about seeing if
that particular private key corresponded to that particular public key?

     Our problem is that we now have a security hole.  

Why?  I thought the overseers list was basically people who had root
access and were therefore trusted?

     Please generate a new SSH key pair, and send us the new public key.

I have absolutely no idea what that means or how to do it!  When I
switched from using the VanDyke "crt" program to their "securecrt" program,
I used it to generate various sets of keys that I copied to various places
and kept hacking away until it worked. I never had a good understanding
of the process since every machine seemed to have its own mechanism.

So basically what you are suggesting would be starting from scratch.
That would be bad enough except for the hurricane and now they are
saying it might not be until November 15 that I can start the process of
getting to one of those machines.

As I understand it, I have to start with the Van Dyke program because it
can't *import* a private key, but I'm not sure.  Is that right?  If so,
I guess I can work on it, though it'll likely take much of the week.

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: SSH2 public key?
  2005-10-25 23:13 Richard Kenner
@ 2005-10-25 23:20 ` Ian Lance Taylor
  2005-10-26  2:48   ` Frank Ch. Eigler
  0 siblings, 1 reply; 18+ messages in thread
From: Ian Lance Taylor @ 2005-10-25 23:20 UTC (permalink / raw)
  To: Richard Kenner; +Cc: overseers

kenner@vlsi1.ultra.nyu.edu (Richard Kenner) writes:

>      By the way, this public key doesn't correspond to the private key you
>      just sent out to lots of people plus a web archive, right?
> 
> I don't know enough about ssh to answer that question.

Well, you sent out an SSH private key.  The question is whether you
generated a new private/public key pair, using ssh-keygen, before you
sent out the public key.  Or whether you just sent the public key you
already had.

> I do know that I had a *huge* problem getting ssh to work in all the various
> configurations I needed it to and so I'm loath to change anything
> even if I knew what to change.  Moreover, one of the systems I'd have
> to change since on is inaccessible for an unknown period of time due to
> Hurricane Wilma ...

Our problem is that we now have a security hole.  Our system doesn't
have the tightest security, but we do work at it, and this is a pretty
blatant hole.  It means that anybody sufficiently knowledgeable can do
anything they want on the system.  I don't think that is acceptable.

I'm going to switch your set of authorized keys back to what they were
before.  Please generate a new SSH key pair, and send us the new
public key.  Thanks.

Ian

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: SSH2 public key?
@ 2005-10-25 23:13 Richard Kenner
  2005-10-25 23:20 ` Ian Lance Taylor
  0 siblings, 1 reply; 18+ messages in thread
From: Richard Kenner @ 2005-10-25 23:13 UTC (permalink / raw)
  To: ian; +Cc: overseers

     By the way, this public key doesn't correspond to the private key you
     just sent out to lots of people plus a web archive, right?

I don't know enough about ssh to answer that question.

I do know that I had a *huge* problem getting ssh to work in all the various
configurations I needed it to and so I'm loath to change anything
even if I knew what to change.  Moreover, one of the systems I'd have
to change since on is inaccessible for an unknown period of time due to
Hurricane Wilma ...

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: SSH2 public key?
  2005-10-25 22:16 Richard Kenner
  2005-10-25 22:21 ` Ian Lance Taylor
@ 2005-10-25 22:40 ` Ian Lance Taylor
  1 sibling, 0 replies; 18+ messages in thread
From: Ian Lance Taylor @ 2005-10-25 22:40 UTC (permalink / raw)
  To: Richard Kenner; +Cc: overseers

kenner@vlsi1.ultra.nyu.edu (Richard Kenner) writes:

> OK, so it must be this, then

By the way, this public key doesn't correspond to the private key you
just sent out to lots of people plus a web archive, right?

If it does, please generate a new key pair, and send the new public
key.  Thanks.

Ian

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: SSH2 public key?
@ 2005-10-25 22:37 Richard Kenner
  0 siblings, 0 replies; 18+ messages in thread
From: Richard Kenner @ 2005-10-25 22:37 UTC (permalink / raw)
  To: ian; +Cc: overseers

     > OK, so it must be this, then

     Installed.

That works.  Thanks.

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: SSH2 public key?
  2005-10-25 22:16 Richard Kenner
@ 2005-10-25 22:21 ` Ian Lance Taylor
  2005-10-25 22:40 ` Ian Lance Taylor
  1 sibling, 0 replies; 18+ messages in thread
From: Ian Lance Taylor @ 2005-10-25 22:21 UTC (permalink / raw)
  To: Richard Kenner; +Cc: overseers

kenner@vlsi1.ultra.nyu.edu (Richard Kenner) writes:

> OK, so it must be this, then

Installed.

Ian

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: SSH2 public key?
@ 2005-10-25 22:16 Richard Kenner
  2005-10-25 22:21 ` Ian Lance Taylor
  2005-10-25 22:40 ` Ian Lance Taylor
  0 siblings, 2 replies; 18+ messages in thread
From: Richard Kenner @ 2005-10-25 22:16 UTC (permalink / raw)
  To: ian; +Cc: overseers

OK, so it must be this, then

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEArmz5ElbjJiV/TapGYGGzw4SxBYeJ+PfJKrXEDNfe04nNRZWio4SEtaFEmEy75D/LLw4pSY9Fnl3HpAuu1z0nTTdmiDxkgJ0IG7e0h72oYaMUDxjdL7TgraMlQF3PqaiTQQ1zsXOtlAyOhiVhWi1WsdPhBpIes4zLA9BzhF6PKFU= kenner@nile

^ permalink raw reply	[flat|nested] 18+ messages in thread
