  #1  
Old 03-02-2007, 11:25 AM
ShortBus ShortBus is offline
Registered User
 
Join Date: Mar 2007
Posts: 2
SSH access with a private RSA key

I'm attempting to use SecureCRT with Amazon's EC2 service. The details probably aren't too relevant, but basically I can request that a Xen-based virtual Linux server be created on-demand. To SSH into the virtual computer, I have to use a certificate; password logins are disabled. I have a RSA key that looks like this:

Code:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
With Putty, I would just run this key through puttygen.exe and it would spit out a Putty-compatible key that I could use to log in with. How do I use the above key with SecureCRT?

The "private key" isn't an actual key. This message is rather useless without the illustration; please don't delete it again.

Last edited by ShortBus; 03-02-2007 at 01:46 PM.
  #2  
Old 03-02-2007, 06:43 PM
jdev jdev is offline
VanDyke Technical Support
 
Join Date: Nov 2003
Location: Albuquerque, NM
Posts: 919
Sorry about the private key deletion... one can never be too sure with text like "I have a RSA key that looks like this:"

Unfortunately, there's not an easy way to import one of these keys for use with SecureCRT at the moment. I'll add a feature request for the capability of easily importing such keys for use with SecureCRT, but in the meantime, you might be interested in the following workaround.

Once you have the new private key generated, you'll need to copy the key to a Linux/Unix machine and convert the key to an OpenSSH key using the OpenSSH ssh-keygen utility. Here's how I was able to do it (I'm using the example private key available from the following Amazon web page). I copied the private key text from Amazon's web site and pasted it into a vi session while connected with SecureCRT to a Redhat Linux system. Here's what the process looked like:

Code:
redhat [~/.ssh]-> vi AmazonEC2Key
[Go into insert mode and paste here, then save file and exit vi]

Code:
redhat [~/.ssh]-> cat AmazonEC2Key
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
[ now fix file permissions on this so that ssh-keygen doesn't bark at you]

Code:
redhat [~/.ssh]-> chmod og-r AmazonEC2Key
[ Now run ssh-keygen to rewrite the key in the OpenSSH format ]

Code:
redhat [~/.ssh]-> ssh-keygen -p -f AmazonEC2Key
Key has comment 'AmazonEC2Key'
Enter new passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved with the new passphrase.
[ See how the written format compares with the original format above ]

Code:
redhat [~/.ssh]-> cat AmazonEC2Key
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
[ Now create a .pub file by extracting the public portion of the key file. SecureCRT will require both the private key and the public key ]

Code:
redhat [~/.ssh]-> ssh-keygen -e -f AmazonEC2Key >> AmazonEC2Key.pub
redhat [~/.ssh]-> cat AmazonEC2Key.pub 
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2047-bit RSA, converted from OpenSSH by user@host"
AAAAB3NzaC1yc2EAAAADAQABAAABAG4sWDm6Meu2bWOe61K6g7xd7nouVP4czy//GRprf0
Sy0zf9oXFMeASVCIksKGke6eBdDb1VNzytzVtbSWR2Lbc4fl6qQwcaG8TCprQdYBJQyWXi
jej8hf7R/ZRw+goI5VRH6PHvVKDkBTnYRB9qcifdlDyUVbsR2nlrergOGMaVQpOgdVuJwv
kT6DjnN8H3nAjLLBZl95b9RQXcukZnKr95shSWrWpNseQtsILavtFOfy+lBanjsEZVga0Z
IEylNE/mGdvPO6qPeK2SIseNTf1LawkInROsnHmLwHKBHizeYcoGPyX549DEbWQZsXpHjK
DqwQKZefXsxFBVc4M0dls=
---- END SSH2 PUBLIC KEY ----
At this point, I was able to use the SFTP tab of SecureCRT to securely copy (as ASCII) the AmazonEC2Key* files to my local Windows machine and point my SecureCRT session to use them with publickey authentication.

Code:
sftp> pwd
/home/user
sftp> cd .ssh
sftp> pwd
/home/user/.ssh
sftp> ls A*
AmazonEC2Key          AmazonEC2Key.pub
sftp> get -a AmazonEC2Key
Downloading AmazonEC2Key from /home/user/.ssh/AmazonEC2Key
  100% 1KB      1KB/s 00:00:00     
sftp> get -a AmazonEC2Key.pub
Downloading AmazonEC2Key.pub from /home/user/.ssh/AmazonEC2Key.pub
  100% 515 bytes    515 bytes/s 00:00:00     
sftp> lpwd
C:\temp

Does this process work for you?

--Jake
__________________
Jake Devenport
VanDyke Software
Technical Support
YouTube Channel: https://www.youtube.com/vandykesoftware
Email: support@vandyke.com
Web: https://www.vandyke.com/support

Last edited by jdev; 03-05-2007 at 11:22 AM.
  #3  
Old 03-03-2007, 02:11 PM
ShortBus ShortBus is offline
Registered User
 
Join Date: Mar 2007
Posts: 2
Jake,

Thanks for the workaround and your time. Worked great! However it is quite tedious.

Another option that I might consider is installing Cygwin on my Windows box and then also installing the platform-independent version of OpenSSH. I could then write a simple script to automate things a bit. However, I was hoping to demo the SecureCRT/EC2 combo to other developers in my company. The extra steps needed kind of negate the "wow factor" a bit though. I purchased SecureCRT last Friday, so hopefully I'll look forward to the added feature in an upcoming release. For now I personally will use the workaround method. Thanks again.

Edit: Forgot to mention. It took me a bit to realize that the private key can't have a file extension. Why does this limitation exist?
  #4  
Old 03-05-2007, 12:17 PM
jdev jdev is offline
VanDyke Technical Support
 
Join Date: Nov 2003
Location: Albuquerque, NM
Posts: 919
> It took me a bit to realize that the private key can't
> have a file extension. Why does this limitation exist?

The private key can have an extension, but the associated .pub file must then also match.

For example, say you named your private key as:
"this.that.the.other.private.key"

SecureCRT looks for the corresponding public key as:
"this.that.the.other.private.key.pub"

Does this help to answer your question?

--Jake
  #5  
Old 10-16-2009, 03:36 PM
miked miked is offline
Registered User
 
Join Date: Feb 2004
Posts: 2,040
Support for Amazon EC2 keys has been implemented in SecureCRT 6.5 beta 2 and later. If you would like to try it, you can download it from the following web page.
http://www.vandyke.com/download/securecrt/download.html
To use the Amazon EC2 private key:
  • Create an SSH2 session
  • Specify PublicKey as the authentication method in Session Options / SSH2
  • Set the Amazon EC2 key as the private key to use for the session
    • Select PublicKey in Session Options / SSH2
    • Click the Properties button
    • Select Use session public key setting
    • Browse to or enter the path to the EC2 private key in the entry box under Use identity or certificate file
  • Connect to the EC2 server
If you try the new Amazon EC2 key functionality in SecureCRT and have comments, we'd like to hear your feedback!
__________________
Mike
VanDyke Software
Technical Support
[http://www.vandyke.com/support]

Last edited by bgagnon; 07-07-2010 at 11:38 AM.
  #6  
Old 10-27-2010, 07:17 AM
soonium soonium is offline
Registered User
 
Join Date: Oct 2010
Posts: 1
Amazon EC2 - can't use the process described.

Hi,

I am evaluating SecureCRT 6.6.0 (278) for use with our Amazon EC2 estate. I have downloaded my .pem file from Amazon and followed the process outlined in miked's post - however I just keep getting a message saying that:

"Public-key authentication with server failed for user <user>. Please verify username and public/private key pair"

Any suggestions?

-- Lawrence
  #7  
Old 10-27-2010, 11:14 AM
miked miked is offline
Registered User
 
Join Date: Feb 2004
Posts: 2,040
Hello soonium,

Can you send SecureCRT trace options to support@vandyke.com with subject Forum Thread 2185 attn Mike?

To enable trace options and capture the problem:
  • Open SecureCRT's main "File" pull-down menu and select "Trace Options".
  • Connect to the remote machine. With trace options enabled, you will notice debugging information displayed in the terminal window that isn't normally there by default when SecureCRT is attempting to establish a connection, and at certain times throughout the lifetime of the connection.
  • Once the authentication failure occurs, please right-click inside the terminal window and choose "Select All", then right-click again and choose "Copy" to transfer the information to the Windows clipboard.
  • Finally, open a text editor like 'Notepad', paste the information from the Windows clipboard into the editor program, save it as a text file, then send it as an e-mail attachment.
  #8  
Old 09-01-2011, 11:50 PM
Zhinjio2 Zhinjio2 is offline
Registered User
 
Join Date: Sep 2011
Posts: 1
I am also experiencing this exact issue. I've emailed the support email with my trace file. I *believe* the critical error is this:

[LOCAL] : GSS : [Kerberos] Could not load library 'gssapi64.dll': The specified module could not be found.

But I will leave the analysis in your capable hands. Was that file maybe left out of the 64 bit bundle somehow?

- ZJ

PS ... my original username is Zhinjio. I attempted to do a password recovery on that account, and the email to my address elicited the following response in my SMTP logs:

@400000004e604e5606224a24.s:@400000004e60454f1b8616d4 spamdyke[9050]: ALLOWED from: www@vandyke1.vandyke.com to: xxx@yyyyy.org origin_ip: xxx.yyy.z.a origin_rdns: vandyke1.vandyke.com auth: (unknown)
@400000004e604e5606224a24.s:@400000004e6045c8193db15c spamdyke[9050]: TIMEOUT from: www@vandyke1.vandyke.com to: xxx@yyyyy.org origin_ip: xxx.yyy.z.a origin_rdns: vandyke1.vandyke.com auth: (unknown) reason: TIMEOUT

Any idea why the passwd email would timeout?
  #9  
Old 09-02-2011, 07:28 AM
miked miked is offline
Registered User
 
Join Date: Feb 2004
Posts: 2,040
Hello Zhinjio2,

We received your e-mail messages and will respond via e-mail. When the problem is resolved we can post a summary here.
  #10  
Old 09-02-2011, 11:32 AM
Zhinjio Zhinjio is offline
Registered User
 
Join Date: Apr 2010
Posts: 6
Ok, so I'm posting to follow up and maybe this will save some folks a few hours of headaches if they run up against this wall in their own EC2 workings....

First of all, ultimately, this was no fault of SecureCRT at all. It was functioning exactly as it ought to.

The key thing here (no pun intended) is the way that the various EC2 AMIs are built, and more to the point, whether or not they have support for the dynamically generated keypairs built in or not.

When you follow the guides for launching instances, it gives you options for generating a keypair either during the process, or using an existing key pair that is associated with your account already. So long as you've properly downloaded that original .pem file, you can use that with SecureCRT without problems. The instructions given here are exactly correct.

The problem is that not all AMIs support that "automated" integration with the generated key pairs. In essence, the "authorized_host" file on the new instance doesn't have the keypair set up, so any attempts to connect will fail with errors:
  • "Public-key authentication with server failed for user <user>. Please verify username and public/private key pair"
  • "Server refused our public key" or "Key refused"
  • "Unable to authenticate using any of the configured authentication methods."

The solution? Use an AMI that does support that. Using one of the Amazon Linux AMIs (instead of, say, Redhat, Ubuntu, etc.) is a good first guess. Selecting EBS images as a filter might also help. It would be nice if the interface just flagged ones that supported it and not so you could just filter on it, but oh well.

Once I built my instance using one of those "approved" AMIs, the key worked perfectly, regardless of client (standard CLI ssh, PuTTY or SecureCRT). I would say that SecureCRT's implementation of just accepting the private key in that dialog is probably the "cleanest" of the three, since no key munching or processing is needed. You just Browse to the provided .pem and you're good to go.

Suggestion: it is, I would argue, a discrepancy to allow the use of a private key when your dialog clearly states that you're browsing for a public key. Yes, I agree that this is an exceptional case. But from a "Security Purist" perspective, it is, perhaps, misleading. I think you might agree that the security field, in general, is a bit more exacting when it comes to technical correctness of such things.

I hope this helps someone else out, and maybe avoids the several hours of frustration I ended up with.

Cheers.

PS - Obviously, I got my original username back. Minor delays in email aside, that all got worked out.
Reply With Quote
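
The last post traces the "Server refused our public key" failures to the instance not having the key pair installed, and post #2 shows the `.pub` file that `ssh-keygen -e` produces for SecureCRT. As an added example (not part of the thread and not VanDyke or Amazon code), the sketch below parses that `.pub` output, reports its type, size and fingerprint, and checks whether the same key appears in the text of an OpenSSH `authorized_keys` file; the function names are illustrative assumptions, and wrapped header lines are rejected rather than handled.

```python
import base64, hashlib, struct

# Public key as printed by `ssh-keygen -e` in post #2 (RFC 4716 "SSH2" format).
SSH2_PUB = """\
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2047-bit RSA, converted from OpenSSH by user@host"
AAAAB3NzaC1yc2EAAAADAQABAAABAG4sWDm6Meu2bWOe61K6g7xd7nouVP4czy//GRprf0
Sy0zf9oXFMeASVCIksKGke6eBdDb1VNzytzVtbSWR2Lbc4fl6qQwcaG8TCprQdYBJQyWXi
jej8hf7R/ZRw+goI5VRH6PHvVKDkBTnYRB9qcifdlDyUVbsR2nlrergOGMaVQpOgdVuJwv
kT6DjnN8H3nAjLLBZl95b9RQXcukZnKr95shSWrWpNseQtsILavtFOfy+lBanjsEZVga0Z
IEylNE/mGdvPO6qPeK2SIseNTf1LawkInROsnHmLwHKBHizeYcoGPyX549DEbWQZsXpHjK
DqwQKZefXsxFBVc4M0dls=
---- END SSH2 PUBLIC KEY ----
"""

def ssh2_to_blob(text):
    """Decode an RFC 4716 public key file to the raw SSH key blob."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if "BEGIN SSH2 PUBLIC KEY" not in lines[0] or "END SSH2 PUBLIC KEY" not in lines[-1]:
        raise ValueError("not an SSH2 public key file")
    # Header lines look like 'Tag: value'; base64 never contains ':'.
    body = [ln for ln in lines[1:-1] if ":" not in ln]
    return base64.b64decode("".join(body), validate=True)

def read_fields(blob):
    """Split the blob into its length-prefixed fields (uint32 length, then bytes)."""
    fields, pos = [], 0
    while pos < len(blob):
        (n,) = struct.unpack_from(">I", blob, pos)
        if pos + 4 + n > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return fields

def describe(blob, comment=""):
    """Type, modulus bits, fingerprint and authorized_keys line for an RSA blob."""
    ktype, _e, n = read_fields(blob)
    b64 = base64.b64encode(blob).decode()
    fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": ktype.decode(), "bits": int.from_bytes(n, "big").bit_length(),
            "fingerprint": "SHA256:" + fp, "line": f"{ktype.decode()} {b64} {comment}".strip()}

def is_authorized(blob, authorized_keys_text):
    """True if a non-comment authorized_keys line carries this exact key blob."""
    wanted = base64.b64encode(blob).decode()
    return any(wanted in ln.split() for ln in authorized_keys_text.splitlines()
               if not ln.lstrip().startswith("#"))
```

Comparing the reported fingerprint with the one the server side shows for its authorized key is a quick way to tell a missing key from a wrong username.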