=======================================================================
Latest version is "x509-6.1.1" and location is:
  "http://roumenpetrov.info/openssh/x509-6.1.1/README.x509v3"
Please check main page too:
  "http://roumenpetrov.info/openssh/index.html"
Readme file for this version follows after separator:
=======================================================================

Roumen Petrov
Sofia, Bulgaria
Thu Nov 21 2002

How to use x509 certificates with OpenSSH?

1.) server configuration:

1.1.) .../sshd_config

  CACertificateFile /etc/ssh/ca/ca-bundle.crt

  The CACertificateFile should contain multiple certificates in PEM
  format concatenated together. You can get a copy from the openssl,
  apache, KDE, mutt, etc. packages. The original file is exported from
  the Netscape certificate database; one download URL is:
    http://www.modssl.org/contrib/ca-bundle.crt.tar.gz

  CACertificatePath /etc/ssh/ca/crt

  CACertificatePath is a directory of trusted certificates. The
  certificate files should have names of the form HASH.N (for example
  HASH.0), or there should be symbolic links of this form pointing to
  them. HASH is the result of a command like this:
    $ openssl x509 -in path_to_file_with_cert -noout -hash

  HostKey ...

  Now a hostkey file can contain both the private key and the x509
  certificate.

1.2.) append to USER_HOME/.ssh/authorized_keys a record with the
  following format (the shell sample below produces such a record;
  WORDDNSUFF directly follows WORDDN, as in "subject="):

    KEY_TYPE WORDDN WORDDNSUFF Distinguished Name

  where:
    KEY_TYPE   := x509v3-sign-rsa | x509v3-sign-dss   (case sensitive !)
    WORDDN     := Distinguished Name | Distinguished-Name |
                  Distinguished_Name | DistinguishedName | DN | Subject
    WORDDNSUFF := '=' | ':' | ''

  Notes:
  - WORDDN is case insensitive !
  - "Distinguished Name"/Subject is equal to the output of the command:
      $ openssl x509 -noout -subject -in A_CERTIFICATE_FILE

  Shell sample (the key type and the subject are grouped so that both
  go into the file):
    $ { printf '%s' "x509v3-sign-rsa "; \
        openssl x509 -noout -subject -in A_CERTIFICATE_FILE; } \
        >> PATH_TO_USER_HOME/.ssh/authorized_keys

  NOTES:
  - adjust the ownership of the user's authorized_keys file - the user
    must have at least read access.
  - the SecSH x509v3 key type is "x509v3-sign-rsa" or "x509v3-sign-dss".
  - currently the distinguished name in RFC2253 format is not supported !
    The command that produces that format is:
      $ openssl x509 -noout -subject -in A_CERTIFICATE_FILE -nameopt RFC2253

2.) client settings:

2.1.) IdentityFile

  Depends on the client. To use an x509 certificate the "OpenSSH id-file"
  must contain both sections - private key and certificate:

    -----BEGIN RSA PRIVATE KEY-----
    .....
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    .....
    -----END CERTIFICATE-----

  NOTE: Don't forget to update the public key file with the command:
    $ ssh-keygen -y -f KEY_FILE_NAME > KEY_FILE_NAME.pub
  The command ssh-add uses the public key file!

2.2.) global ssh_config or $HOME/.ssh/config

  Check the options [User]CACertificatePath and [User]CACertificateFile.
  They work the same as in p. 1.1. All four options (CACertificatePath,
  CACertificateFile, UserCACertificatePath and UserCACertificateFile)
  configure the "x509 store". The "x509 store" is used to verify the
  server hostkey.

  Note: When we use our own CA we must import the CA certificate[s] into
  the "x509 store". More info on:
    http://satva.skalasoft.com/~rumen/domino_CA/#dca2bundle

3.) test x509 certificates.

3.1.) In the openssh build dir run "make check". If the x509 test scripts
  fail, edit the OPENSSH_SOURCE_PATH/tests/CA/config file.
  Variables in the config file:

3.1.1) main variables:
  - SUDO: on some systems sshd must be started as root. If necessary set
    the variable to sudo and configure sudoers.
  - OPENSSL: path to openssl. If necessary set the variable.
  - TMPDIR: directory for temporary files. Default is "/tmp".

3.1.2) server section:
  Read the sshd_config.5 manual page for valid values.
  - SSHSERVER_USEPRIVILEGESEPARATION: sshd "UsePrivilegeSeparation"
    option. If necessary set to "no" to disable privilege separation.
  - SSHSERVER_SYSLOGFACILITY=LOCAL1: sshd "SyslogFacility" option.
  - SSHSERVER_LOGLEVEL=INFO: sshd "LogLevel" option.

3.1.3) section related to certificates:
  - RSA_DIGEST_LIST: list of RSA digests supported by openssl. Check the
    list and select.

3.2.) The current test scripts use only rsa as the server hostkey. To test
  sshd with an x509 certificate, find the variable TEST_SSHD_HOSTKEY in
  the file openssh_tests.sh and change it.
  Sample:
    TEST_SSH_HOSTKEY="${CWD}/testhostkey_rsa-rsa_md5"

3.3.) Test SecSH from "Microsoft Windows OSes".
  This is not part of the document. Tip: use the testid_*.p12 files
  created by make check in the directory OPENSSH_BUILD_PATH/tests/CA, and
  read the related SecSH client manuals.
  DON'T FORGET TO REMOVE the entries from the "Windows keystore" after
  the test!

3.4.) Go to OPENSSH_BUILD_PATH/tests/CA and run the command "make clean"
  to remove all client/server and CA files.

3.5.) files in the OPENSSH_SOURCE_PATH/tests/CA directory:
  config          : configuration file
  1-cre_cadb.sh   : create "Test CA" directories and files.
  2-cre_cakeys.sh : create "Test CA" private keys and certificates.
  3-cre_certs.sh  : create client/server certificates. This command
                    creates files named with the mask
                    "PATH_TO_KEYFILEn-TYPE[.EXTENSION]", where TYPE is
                    "rsa_DIGEST" or "dsa" and DIGEST is taken from the
                    variable "RSA_DIGEST_LIST" in the "config" file.
                    Files without extension are openssh identity or
                    hostkey files. Files with .pub extension contain the
                    openssh public key (BLOB format). Files with .crt
                    extension contain the openssl "text output" for the
                    identity files. Files with .p12 extension are for the
                    "Microsoft Windows keystore".
  verify.sh       : check certificates against the "Test CA". Note: checks
                    only the testid_*.crt and testhostkey_*.crt files in
                    the current directory.
  functions       : common useful functions
  openssh_tests.sh: main test script - calls the other test scripts.
  test-blob_auth.sh.inc, test-dn_auth_file.sh.inc,
  test-dn_auth_path.sh.inc: see DESCRIPTION in each file.

Enjoy ;-)
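Added example for sections 1.2 and 2.1 (Python, written for this edit; it is not code from the X.509 patch or from this README). It parses authorized_keys records of the form KEY_TYPE WORDDN WORDDNSUFF DN with the case rules given in 1.2, and checks that an identity file carries both PEM sections required in 2.1. Assumptions beyond the README: the sample DNs and PEM bodies are constructed placeholders, and the parser requires WORDDN to be followed by a suffix, a blank, or the end of the line so that e.g. "DNS" is not read as "DN".

```python
"""Offline sanity checks for x509v3 authorized_keys records and identity
files, as described in the README's sections 1.2 and 2.1."""
import re

# Key types from section 1.2: matched case sensitively.
KEY_TYPES = ("x509v3-sign-rsa", "x509v3-sign-dss")
# WORDDN alternatives from section 1.2: matched case insensitively.
WORDDN = ("Distinguished Name", "Distinguished-Name", "Distinguished_Name",
          "DistinguishedName", "DN", "Subject")


def parse_x509_authorized_key(line):
    """Return (key_type, dn) for a record 'KEY_TYPE WORDDN[WORDDNSUFF] DN',
    or None for anything else (comments, blanks, plain ssh-rsa keys)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, 1)
    if len(parts) != 2 or parts[0] not in KEY_TYPES:
        return None  # 'X509v3-Sign-RSA' is rejected: key type is case sensitive
    key_type, rest = parts
    # Longest WORDDN first, so 'DN' cannot swallow 'Distinguished Name'.
    for word in sorted(WORDDN, key=len, reverse=True):
        if rest[:len(word)].lower() != word.lower():
            continue
        tail = rest[len(word):]
        if tail and tail[0] not in "=: \t":
            continue  # assumption: WORDDN must end here ('DNS...' is not 'DN')
        break
    else:
        return None
    # WORDDNSUFF is '=', ':' or empty; blanks may follow before the DN.
    if tail[:1] in ("=", ":"):
        tail = tail[1:]
    dn = tail.strip()
    return (key_type, dn) if dn else None


def x509_records(text):
    """All x509v3 records from an authorized_keys file, in file order."""
    found = []
    for line in text.splitlines():
        rec = parse_x509_authorized_key(line)
        if rec:
            found.append(rec)
    return found


# One PEM section: '-----BEGIN X-----' ... '-----END X-----' with equal labels.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)


def identity_file_sections(text):
    """PEM section labels found in an identity file, e.g.
    ['RSA PRIVATE KEY', 'CERTIFICATE']."""
    return PEM_BLOCK.findall(text)


def is_x509_identity(text):
    """True when the file holds a private key AND a certificate (section 2.1)."""
    labels = identity_file_sections(text)
    has_key = any(label.endswith("PRIVATE KEY") for label in labels)
    return has_key and "CERTIFICATE" in labels


# Constructed sample authorized_keys content; the DNs are made up.
SAMPLE_AUTHORIZED_KEYS = """\
# comment line
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ== plain-key@example
x509v3-sign-rsa subject= /C=BG/ST=Sofia/O=Test CA/CN=test user
x509v3-sign-dss Distinguished Name: /C=BG/CN=other user
X509v3-Sign-RSA DN=/C=BG/CN=wrong case key type
x509v3-sign-rsa dn /C=BG/CN=no suffix
"""

# Constructed identity file; the base64 bodies are placeholders, not real keys.
SAMPLE_IDENTITY = """\
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAK (constructed placeholder)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIBszCCAV2gAw (constructed placeholder)
-----END CERTIFICATE-----
"""
KEY_ONLY = SAMPLE_IDENTITY.split("-----BEGIN CERTIFICATE-----")[0]

if __name__ == "__main__":
    for key_type, dn in x509_records(SAMPLE_AUTHORIZED_KEYS):
        print(key_type, "->", dn)
    print("identity ok:", is_x509_identity(SAMPLE_IDENTITY))
    print("key-only ok:", is_x509_identity(KEY_ONLY))
```

The checker deliberately reports the key-only file as not usable: that is the case where the client falls back to a plain key and the server, configured for the DN record, rejects the login.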