[ssh_x509] vx509-7.4.1 - Unexpected behaviour of X509KeyAlgorithm / Purpose of CACertificatePAth

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Tue May 21 19:37:05 EEST 2013


> I am a bit confused about certain behaviour of the tool. Would be
> grateful if someone could give me some hints on the following questions:
> 1) All of my certificates (including the CA itself) are signed using rsa
> with md5. If I use 'X509KeyAlgorithm x509v3-sign-rsa, rsa-md5' login
> fails with the following error message:
> ssh_x509_verify: md=rsa-md5, loc=0
> ssh_x509_verify: failed for all digests
> If I instead use x509v3-sign-rsa, rsa-sha1 it works properly. Whats the
> point with that? Am I missing something?
This is option for both sides client and server.
First listed signature algorithm is used in signing operation.
All listed are used in verification.
I guess that on server side configuration is default , i.e. with sha1.

You could change serve to following and you will see result:
X509KeyAlgorithm x509v3-sign-rsa,rsa-md5
X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1

Note this option is for interoperability with some commercial ssh clients
and servers.

> 2) What is the purpose of CACertificatePath? I already have a list of
> CA's which I trust specified with CACertificateFile. Regardless of its
> content it does nothing in my case. I tried to use it standalone without
> CACertificateFile and got validation errors.
One is "*directory of trusted certificates"* other is "*file of trusted 
Please see for details 
http://roumenpetrov.info.localhost/domino_CA/#dca2ssl .

> 3) I've seen that its possible to store the CA's and revocation lists in
> a directory service. Is that also possible for User Certfificates?

It was in scope of "LPK" (OpenSSH LDAP Public Key patch) but now is not 
maintained any more.

> Kind regards
> Sebastian


Get X.509 certificates support in OpenSSH:

More information about the ssh_x509 mailing list