[ale] Was Routing: Now VPN

Chris Fowler cfowler at outpostsentinel.com
Sun Dec 2 15:02:42 EST 2001


Almost there.  Any help would be appreciated

I created an id_dsa file like this:

ssh-keygen -d -f id.dsa -P ""

Here is output of  ssh when added with -v
SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /etc/ssh/ssh_config
debug: Applying options for *
debug: ssh_connect: getuid 0 geteuid 0 anon 0
debug: Connecting to skylab.outpostsentinel.com [64.129.133.253] port 22.
debug: Allocated local port 1022.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH_2.5.2p2
Enabling compatibility mode for protocol 2.0
debug: Local version string SSH-2.0-OpenSSH_2.1.1
debug: Seeding random number generator
debug: send KEXINIT
debug: done
debug: wait KEXINIT
debug: got kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug: got kexinit: ssh-rsa,ssh-dss
debug: got kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,r
ijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug: got kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,r
ijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug: got kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hm
ac-md5-96
debug: got kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hm
ac-md5-96
debug: got kexinit: none,zlib
debug: got kexinit: none,zlib
debug: got kexinit:
debug: got kexinit:
debug: first kex follow: 0
debug: reserved: 0
debug: done
debug: kex: server->client blowfish-cbc hmac-sha1 none
debug: kex: client->server blowfish-cbc hmac-sha1 none
debug: Sending SSH2_MSG_KEXDH_INIT.
debug: bits set: 539/1024
debug: Wait SSH2_MSG_KEXDH_REPLY.
debug: Got SSH2_MSG_KEXDH_REPLY.
debug: keytype ssh-dss
debug: keytype ssh-dss
debug: keytype ssh-dss
debug: Host 'skylab.outpostsentinel.com' is known and matches the DSA host
key.
debug: bits set: 503/1024
debug: len 55 datafellows 0
debug: dsa_verify: signature correct
debug: Wait SSH2_MSG_NEWKEYS.
debug: GOT SSH2_MSG_NEWKEYS.
debug: send SSH2_MSG_NEWKEYS.
debug: done: send SSH2_MSG_NEWKEYS.
debug: done: KEX2.
debug: send SSH2_MSG_SERVICE_REQUEST
debug: service_accept: ssh-userauth
debug: got SSH2_MSG_SERVICE_ACCEPT
debug: authentications that can continue: publickey
debug: try pubkey: /root/.ssh/id_dsa
debug: read DSA private key done
debug: sig size 20 20
debug: authentications that can continue: publickey
Permission denied (publickey).
debug: Calling cleanup 0x805db00(0x0)


Here is my /etc/ssh/sshd_config on the server:
#       $OpenBSD: sshd_config,v 1.34 2001/02/24 10:37:26 deraadt Exp $

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# This is the sshd server system-wide configuration file.  See sshd(8)
# for more information.

Port 22
Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
#
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Uncomment if you don't trust ~/.ssh/known_hosts for
RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
KeepAlive yes

# Logging
SyslogFacility AUTHPRIV
LogLevel INFO
#obsoletes QuietMode and FascistLogging

RhostsAuthentication no
#
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
#
RSAAuthentication yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no

# Comment to enable s/key passwords or PAM interactive authentication
# NB. Neither of these are compiled in by default. Please read the
# notes in the sshd(8) manpage before enabling this on a PAM system.
ChallengeResponseAuthentication no

# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

CheckMail no
UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes

Subsystem       sftp    /usr/libexec/openssh/sftp-server
-----Original Message-----
From: Chris Fowler [mailto:cfowler at outpostsentinel.com]
To: ale at ale.org
Sent: Sunday, December 02, 2001 2:45 PM
To: ale at ale.org
Subject: [ale] Was Routing: Now VPN


Okay,

I begining to make things happen on the VPN side.
It seems like I get a: Permission Denied (public key) when I execute ssh
I did create the /root/.ssh/identity.vpn and I did edit the
/etc/ssh/sshd_config options on
the server.  Is there something that may be missing that is not mentioned in
the howto?


ssh -t -e none -o 'Batchmode yes' -c blowfish -i
/root/.ssh/identity.vpn.pub -l vpn skylab
Permission denied (public key)

Here is script:
[root at mir vpn]# cat vpnd
#! /bin/sh

USERNAME=vpn
IDENTITY=/root/.ssh/identity.vpn
VPN_SERVER=ssh
CRYPTO=blowfish

export USERNAME IDENTITY VPN_SERVER CRYPTO

ln -sf /usr/bin/ssh /usr/local/vpn/${VPN_SERVER}

killall $VPN_SERVER 1>/dev/null 2>/dev/null
sleep 5
killall -9 $VPN_SERVER 1>/dev/null 2>/dev/null

echo -n "Starting VPN tunnel: "
/usr/local/vpn/pty-redir /usr/local/vpn/${VPN_SERVER} -t -e none -o
'Batchmode yes' -c $CRYPTO -i $IDENTITY -l $USERNAME  skylab >
/tmp/vpn-device
sleep 15

/usr/sbin/pppd `cat /tmp/vpn-device` noipdefault ipcp-accept-local
ipcp-accept-remote local noauth nocrtscts lock nodefaultroute
sleep 15
echo -n "pppd "

/sbin/route add -net 192.168.2.0 gw 192.168.2.254  255.255.255.0
echo -n "route"

echo " "


---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.




---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.






More information about the Ale mailing list