MOONSHOT-COMMUNITY Archives (MOONSHOT-COMMUNITY@JISCMAIL.AC.UK)

Subject: Not able to use moonshot-ssh from a remote host
From: Brian Abram <[log in to unmask]>
Reply-To: Moonshot community list <[log in to unmask]>, Brian Abram <[log in to unmask]>
Date: Sat, 12 Nov 2011 14:40:48 +0000
Content-Type: text/plain

I thought it would be a useful exercise to run a remote moonshot shell
from my home moonshotized VM to the test VM at the office through a tunnel.
This was to understand whether or not moonshot-ssh is relevant to my use case.
My use case is that a guest can be given privileges to work on a client inside duckworld
via ssh using their existing pan-European user identity.

It occurred to me that if I am modifying the sshd pam stack to use pam_gss,
perhaps I am ignoring what moonshot-ssh already has to offer.
I was interested to know if moonshot-ssh would do what pam_gss does with regards
to GSSAPI. However, moonshot-ssh should be run from outside the firewall
and pam stack changes are on the target client inside the firewall.

First I set up the config file to allow me to connect using either
the standard ssh/sshd or the moonshot ssh/sshd.
I did not try to use the moonshot client with the standard sshd
or the standard client with the moonshot-ssh server.

First I tunnelled in using the standard ssh,
which gave me the fingerprints for the server,
established the tunnel and set up the port forwarding.

Note:
The GSS settings in the config file require keys,
but we did not store any keys in steve's .ssh/ folder when we set up moonshot,
instead we had a .gss_eap_id containing username/password.
So I created the same file on my local steve account.

I exited steve's remote ssh shell, then tried getting a moonshot ssh connection.
The result is below, but the debugging suggests it requires local steve to have keys set up,
which appears to be different behaviour from running directly on the target host.
Anyway, that already answered one question as far as our
guest users are concerned, as they won't be using this method of authentication.

However, what happens if keys are created on my local steve's account?
The result was unexpected and follows below.
The key was found but there was a complaint about the format.

In conclusion, my use case requires users to use the standard ssh/sshd
along with changes to the pam stack and username/password.

------------------------------------------------------------------------
Extracts from .ssh/config are appended
(some usernames and host names/ip addresses have been changed)
------------------------------------------------------------------------
Session history follows: 

[steve@localhost ~]$ ssh -f -q -N nxuser; ssh steve22testshib2
The authenticity of host 'localnxuser (111.111.222.2)' can't be established.
RSA key fingerprint is ff:f9:be:96:ff:b9:f4:d7:8c:ec:9d:e1:45:c9:fb:68.
Are you sure you want to continue connecting (yes/no)? yes
[log in to unmask] password: 
The authenticity of host 'localtestshib2 ([127.0.0.1]:22201)' can't be established.
RSA key fingerprint is 3b:54:14:77:30:3f:47:f1:d7:52:38:61:1d:2b:da:f6.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localtestshib2' (RSA) to the list of known hosts.
steve@localhost's password: 
Last login: Fri Nov 11 15:09:24 2011 from localhost.localdomain
[steve@sci-ws006 ~]$ whoami
steve
[steve@sci-ws006 ~]$
[steve@sci-ws006 ~]$ exit
logout
Connection to localhost closed.
---------------------------------------------------------------
[steve@localhost ~]$ 
[steve@localhost ~]$ cat .gss_eap_id 
steve
testing
----------------------------------------------------------------
[steve@localhost ~]$ whereis ssh
ssh: /usr/bin/ssh /etc/ssh /opt/moonshot/bin/ssh /usr/share/man/man1/ssh.1.gz
[steve@localhost ~]$ /opt/moonshot/bin/ssh moonssh2222
ssh_exchange_identification: Connection closed by remote host
[steve@localhost ~]$ 
[steve@localhost ~]$ /opt/moonshot/bin/ssh -vvv moonssh2222
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /home/steve/.ssh/config
debug1: Applying options for moonssh2222
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22202.
debug1: Connection established.
debug1: identity file /home/steve/.ssh/identity type -1
debug1: identity file /home/steve/.ssh/id_rsa type -1
debug1: identity file /home/steve/.ssh/id_dsa type -1
ssh_exchange_identification: Connection closed by remote host
[steve@localhost ~]$ 
[steve@localhost ~]$ /opt/moonshot/bin/ssh  -l "" moonssh2222  
ssh_exchange_identification: Connection closed by remote host
[steve@localhost ~]$ /opt/moonshot/bin/ssh  -l steve  moonssh2222  
ssh_exchange_identification: Connection closed by remote host
[steve@localhost ~]$ 
--------------------------------------------------------
[steve@localhost ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/steve/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/steve/.ssh/id_rsa.
Your public key has been saved in /home/steve/.ssh/id_rsa.pub.
The key fingerprint is:
dd:ca:3a:b6:d7:5e:8d:01:33:96:d0:bc:87:9d:28:61 [log in to unmask]
The key's randomart image is:
+--[ RSA 2048]----+
|          .o     |
|          E.o.   |
|         . .*= . |
|         ..o+++  |
|        S .....  |
|         . .   + |
|          o.  o .|
|        o.. ..   |
|       .o+ ..    |
+-----------------+
[steve@localhost ~]$
----------------------------------------------------------
[steve@localhost ~]$ ssh-copy-id -i ~/.ssh/id_rsa.pub steve22testshib2

[steve@localhost ~]$ ssh-copy-id -i ~/.ssh/id_rsa.pub steve22testshib2
steve@localhost's password: 
Now try logging into the machine, with "ssh 'steve22testshib2'", and check in:

  .ssh/authorized_keys

[steve@localhost ~]$ ssh steve22testshib2
steve@localhost's password: 
Last login: Sat Nov 12 09:24:08 2011 from cs04r-sc-serv-46.duckworld.ac.uk
[steve@sci-ws006 ~]$ cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0zcYFvBbkq/ydbnPC1HWR42YsH3nEB+ReI6BoEGxXBw98BN6rmHoPY81P8S+FuUTfGIH+a4JR9YHieW8xlcGMXpkgbkQu0OfAwa/qZs5U0VS4m5rmvV1wUtS9UToTI55OEkM3/ORt4AfYVhiVpINRo7u7Wbo6FtafpPSmoDueb1tGkxzH/YMNtWWdfYsjCOEwd8PkpuOkzbzXNUoRra4XxF8oo+C0wAptssm8ABP4bL69tC+9p5zXZgCmK45s3/yA+bL6v5EKvSZ/zDTq908nYkD3gp6voh7Xz2x9gzefHV4wkApQn3C4vNirb9jsfUx0ERGioCTsKMkQKGWLWKsyQ== [log in to unmask]
[steve@sci-ws006 ~]$ exit
logout
Connection to localhost closed.
[steve@localhost ~]$ 
------------------------------------------------------------------
[steve@localhost ~]$ /opt/moonshot/bin/ssh  -vvv -l "" moonssh2222  
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /home/steve/.ssh/config
debug1: Applying options for moonssh2222
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22202.
debug1: Connection established.
debug1: identity file /home/steve/.ssh/identity type -1
debug3: Not a RSA1 key file /home/steve/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
<snip>
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/steve/.ssh/id_rsa type 1
debug1: identity file /home/steve/.ssh/id_dsa type -1
ssh_exchange_identification: Connection closed by remote host
[steve@localhost ~]$ 
=========================================================
extract from .ssh/config:

Host nxuser
    HostName nx-user.duckworld.ac.uk
    Port 22
    User dduck69
    HostKeyAlias localnxuser
    LocalForward 22122 testshib1.duckworld.ac.uk:22
    LocalForward 22389 testshib1.duckworld.ac.uk:389
    LocalForward 22201 testshib2.duckworld.ac.uk:22
    LocalForward 22202 testshib2.duckworld.ac.uk:2222
    LocalForward 22322 sci-ws006.duckworld.ac.uk:22

Host testshib1
    HostName localhost
    User brian
    Port 22122
    HostKeyAlias localtestshib1

Host testshib2
    HostName localhost
    User brian
    Port 22201
    HostKeyAlias localtestshib2

Host steve22testshib2
    HostName localhost
    User steve
    Port 22201
    HostKeyAlias localtestshib2

Host moonssh2222
    HostName localhost
    GSSAPIKeyExchange yes
    GSSAPIAuthentication yes
    # # # User steve
    Port 22202
    HostKeyAlias localtest2222
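
Every moonshot attempt in the session above ends with "ssh_exchange_identification: Connection closed by remote host"; because an ssh LocalForward listener (here 22202 -> testshib2:2222) accepts the TCP connection itself before the remote end is ever reached, that message cannot tell a client-side problem apart from a moonshot sshd that is down or refusing on the far side of the tunnel. The probe below is an added example, not part of the original post or of the Moonshot project: it connects to a port and reports whether an SSH identification banner comes back, using constructed local stand-ins for both outcomes so it runs offline; the banner text and port numbers are assumptions.

```python
import socket
import threading

# Constructed stand-ins for the two behaviours seen in the post: a real
# sshd answers a fresh connection with its version banner, while a tunnel
# listener accepts the TCP connection and only then finds the remote end
# unreachable, so the client sees an accept followed by an immediate close.
SSH_BANNER = b"SSH-2.0-OpenSSH_5.3\r\n"  # constructed sample banner

def probe_ssh_banner(host, port, timeout=5.0):
    """Connect to host:port and return the server's SSH identification
    line, or None if the peer closed before sending one."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b""
        while not data.endswith(b"\n") and len(data) < 255:
            chunk = s.recv(255)
            if not chunk:
                return None  # peer closed before identifying itself
            data += chunk
    line = data.decode("ascii", "replace").strip()
    # A real sshd identifies itself with "SSH-"; anything else is treated as no banner
    return line if line.startswith("SSH-") else None

def _serve_once(sock, banner):
    conn, _ = sock.accept()
    with conn:
        if banner is not None:
            conn.sendall(banner)
    sock.close()

def start_fake_server(banner):
    """Listen on an ephemeral localhost port and serve one connection;
    banner=None mimics a forward whose remote end refused."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    threading.Thread(target=_serve_once, args=(sock, banner), daemon=True).start()
    return sock.getsockname()[1]

def diagnose(port):
    """Classify what an ssh client would see on the given local port."""
    banner = probe_ssh_banner("127.0.0.1", port)
    if banner is None:
        return "accepted then closed: listener is up but no sshd answered behind it"
    return "sshd reachable: " + banner

if __name__ == "__main__":
    print(diagnose(start_fake_server(SSH_BANNER)))  # healthy forward
    print(diagnose(start_fake_server(None)))        # the symptom in the post
```

Run against the real forwarded port (diagnose(22202) while the nxuser tunnel is up) an "accepted then closed" result points at the far end of the LocalForward rather than at the local keys or config.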
