[ssh_x509] Authenticating the host

ssh_x509 at roumenpetrov.info
Thu Sep 27 22:49:55 EEST 2012


I am trying to understand the use of certificates with OpenSSH.  I have
successfully authenticated both user and host using SSH certificates and am
now trying to repeat this with X509 certificates.

I am using openssh-6.1p1 and openssh-6.1p1+x509-7.2.1.diff on CentOS 6.3.
These are installed in /usr/local and I use explicit paths to the binaries.

My problem is that although I can successfully authenticate the user (so I do
not need to give a password or set the remote public key) I cannot
authenticate the host.  When I try I see the following message:

 The authenticity of host '[spyrus.europa2189]:2222 ([::1]:2222)' can't be
 RSA+cert key fingerprint is c8:b6:d9:77:9e:8a:a1:95:fd:fb:d9:95:7e:52:e8:90.
 Distinguished name is
 'CN=spyrus.europa2189,C=FR,emailAddress=toto at mycompany.com,O=mycompany'.
 Are you sure you want to continue connecting (yes/no)?

It seems that I am almost there - the server certificate info is clearly
available to the client, but either something is not happening or I am
misunderstanding what should happen (I expect to be able to connect without
seeing this message).

The .ssh/config file contains a single line:

 UserCACertificateFile /home/ssi/test-x509-certs/cert-both/user-ca/cacert.pem

and the cacert.pem identified exists and is the CA certificate that was used
to sign the server certificate (this is read OK - see enclosed logs).

I have been following instructions at
http://forums.gentoo.org/viewtopic-t-441064.html (but also looking through
your README.x509 and the man pages).  I have also tried various things that I
have not explained here (because they didn't work!).

I will include logs from both client and server (I am testing on a single
machine, but am avoiding standard config file locations and using explicit
config, so I do not expect problems from that).

Any advice on what I need to do to get this working would be appreciated.

I can provide more info, like the commands I used, but I am unsure how much is
needed or what is relevant, so please ask.

Thanks (and thanks for the x509 patch in general - if I can get this working,
and the engine integration works too, it will be a huge help),

