[ssh_x509] pkixssh-8.0b0 and ECDSA public key algorithm for SSH (RFC 6187)

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Thu Feb 6 14:31:00 EET 2014


Hi,

I am applying the patch using the following command:

cat ../7.8-8.0b0/0001-ssh-x509.c-read-and-write-in-RFC6187-key-format.patch | patch -p 1

I have applied the patches both without and with recursive mode, and I got the
following output after running the make command.

kex.c:656:1: error: redefinition of ‘kex_key_match_pkalg’
kex.c:645:1: note: previous definition of ‘kex_key_match_pkalg’ was here
kex.c: In function ‘kex_key_match_pkalg’:
kex.c:657:14: error: ‘Kex’ has no member named ‘hostkey_type’
kex.c: At top level:
kex.c:677:1: error: redefinition of ‘kex_load_host_keys’
kex.c:661:1: note: previous definition of ‘kex_load_host_keys’ was here
kex.c: In function ‘kex_load_host_keys’:
kex.c:686:42: error: ‘Kex’ has no member named ‘hostkey_type’
kex.c:688:43: error: ‘Kex’ has no member named ‘hostkey_type’
kex.c:689:44: error: ‘Kex’ has no member named ‘hostkey_type’
make: *** [kex.o] Error 1

Anyone, please help me with this.

Regards,
Mudassir Aftab


On Wed, Feb 5, 2014 at 2:16 AM, <ssh_x509 at roumenpetrov.info> wrote:

> Also, when I use a simple key file instead of the merg file, I got the following logs.
>
> #HostKey /root/server-certs/ssh-x509-merg.pem
> HostKey /root/server-certs/ssh-x509-key.pem
>
>
> maftab@ssh-x509-client:~$ ssh -vvv -i ssh-x509-client-merg.pem ssh-x509
> OpenSSH_6.5, OpenSSL 1.0.1f 6 Jan 2014
> debug1: Can't process default engine config file: No such file or directory
> debug1: Reading configuration data /usr/local/etc/ssh_config
> debug2: hash dir '/home/maftab/.ssh/crt' added to x509 store
> debug2: hash dir '/home/maftab/.ssh/crl' added to x509 revocation store
> debug2: hash dir '/usr/local/etc/ca/crt' added to x509 store
> debug2: hash dir '/usr/local/etc/ca/crl' added to x509 revocation store
> debug1: ssh_set_validator: ignore responder url
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to ssh-x509 [10.0.0.221] port 22.
> debug1: Connection established.
> debug3: key_load_public(ssh-x509-client-merg.pem,...)
> debug3: Incorrect RSA1 identifier
> debug3: Could not load "ssh-x509-client-merg.pem" as a RSA1 public key
> debug1: identity file ssh-x509-client-merg.pem type -1
> debug3: key_load_public(ssh-x509-client-merg.pem-cert,...)
> debug1: identity file ssh-x509-client-merg.pem-cert type -1
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_6.5 PKIX
> debug1: Remote protocol version 2.0, remote software version OpenSSH_6.5 PKIX
> debug1: match: OpenSSH_6.5 PKIX pat OpenSSH* compat 0x04000000
> debug2: fd 3 setting O_NONBLOCK
> debug3: load_hostkeys: loading entries for host "ssh-x509" from file
> "/home/maftab/.ssh/known_hosts"
> debug3: x509key_from_subject: 3 is not x509 key
> debug3: key_from_blob(..., 104)
> debug3: x509_from_blob: read X509 from BIO fail error:0D0680A8:asn1
> encoding routines:ASN1_CHECK_TLEN:wrong tag
> debug3: x509key_from_blob: no X.509 certificate data
> debug3: key_from_blob(..., ...) ktype=ecdsa-sha2-nistp256
> debug3: load_hostkeys: found key type ECDSA in file
> /home/maftab/.ssh/known_hosts:1
> debug3: load_hostkeys: loaded 1 keys
> debug3: order_hostkeyalgs: prefer hostkeyalgs: x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp521,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp521,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,x509v3-sign-rsa,x509v3-sign-dss,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-ed25519,ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ecdsa-sha2-nistp256
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib@openssh.com
> debug2: kex_parse_kexinit: none,zlib@openssh.com
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_setup: found hmac-md5-etm@openssh.com
> debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
> debug2: mac_setup: found hmac-md5-etm@openssh.com
> debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
> debug1: sending SSH2_MSG_KEX_ECDH_INIT
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> debug3: key_from_blob(..., 104)
> debug3: x509_from_blob: read X509 from BIO fail error:0D0680A8:asn1
> encoding routines:ASN1_CHECK_TLEN:wrong tag
> debug3: x509key_from_blob: no X.509 certificate data
> debug3: key_from_blob(..., ...) ktype=ecdsa-sha2-nistp256
> debug1: Server host key: ECDSA
> c2:79:82:09:68:e4:0b:1e:b9:3a:f3:2d:e9:c2:83:77
> debug3: load_hostkeys: loading entries for host "ssh-x509" from file
> "/home/maftab/.ssh/known_hosts"
> debug3: x509key_from_subject: 3 is not x509 key
> debug3: key_from_blob(..., 104)
> debug3: x509_from_blob: read X509 from BIO fail error:0D0680A8:asn1
> encoding routines:ASN1_CHECK_TLEN:wrong tag
> debug3: x509key_from_blob: no X.509 certificate data
> debug3: key_from_blob(..., ...) ktype=ecdsa-sha2-nistp256
> debug3: load_hostkeys: found key type ECDSA in file
> /home/maftab/.ssh/known_hosts:1
> debug3: load_hostkeys: loaded 1 keys
> debug3: load_hostkeys: loading entries for host "10.0.0.221" from file
> "/home/maftab/.ssh/known_hosts"
> debug3: x509key_from_subject: 3 is not x509 key
> debug3: key_from_blob(..., 104)
> debug3: x509_from_blob: read X509 from BIO fail error:0D0680A8:asn1
> encoding routines:ASN1_CHECK_TLEN:wrong tag
> debug3: x509key_from_blob: no X.509 certificate data
> debug3: key_from_blob(..., ...) ktype=ecdsa-sha2-nistp256
> debug3: load_hostkeys: found key type ECDSA in file
> /home/maftab/.ssh/known_hosts:1
> debug3: load_hostkeys: loaded 1 keys
> debug1: Host 'ssh-x509' is known and matches the ECDSA host key.
> debug1: Found key in /home/maftab/.ssh/known_hosts:1
> debug1: ssh_ecdsa_verify: signature correct
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: Roaming not allowed by server
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: preparing keys
> debug2: key: ssh-x509-client-merg.pem ((nil)), explicit
> debug1: Authentications that can continue:
> publickey,password,keyboard-interactive
> debug3: start over, passed a different list
> publickey,password,keyboard-interactive
> debug3: preferred publickey,keyboard-interactive,password
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Trying private key: ssh-x509-client-merg.pem
> debug1: key_parse_private2: missing begin marker
> debug1: read PEM private key begin
> debug1: read X.509 certificate begin
> debug1: read X.509 certificate done: type ECDSA+cert
> debug1: read PEM private key done: type ECDSA+cert
> debug3: sign_and_send_pubkey: x509v3-ecdsa-sha2-nistp256/ECDSA+cert
> 67:ee:ab:37:6a:c8:64:73:88:04:69:b3:d4:c5:69:e9
> x509key_to_blob2: X.509 certificate chain is not set (TODO)
> debug3: ssh_x509_sign: key_type=ECDSA+cert,
> key_ssh_name=x509v3-ecdsa-sha2-nistp256
> debug3: ssh_x509_sign: alg=x509v3-ecdsa-sha2-nistp256,
> md=ecdsa-sha2-nistp256
> debug3: ssh_x509_sign: keylen=72, siglen=72
> debug3: ssh_x509_sign: signame=x509v3-ecdsa-sha2-nistp256
> debug3: ssh_x509_sign: return 0
> debug2: we sent a publickey packet, wait for reply
> debug1: Authentications that can continue:
> publickey,password,keyboard-interactive
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup keyboard-interactive
> debug3: remaining preferred: password
> debug3: authmethod_is_enabled keyboard-interactive
> debug1: Next authentication method: keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug1: Authentications that can continue:
> publickey,password,keyboard-interactive
> debug3: userauth_kbdint: disable: no info_req_seen
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred:
> debug3: authmethod_is_enabled password
> debug1: Next authentication method: password
>
>
>
> On Mon, Feb 3, 2014 at 10:45 PM, Mudassir Aftab <withmudassir at gmail.com> wrote:
>
> > Hi Roumen,
> >
> > Many thanks for writing the ECC X509 beta patch and for the prompt reply. I am
> > getting the following error:
> >
> > ssh_x509store_cb: subject='CN=ssh-x509.confidential.net,OU=admin,O=confidential', error 20 at 0 depth lookup:unable to get local issuer certificate
> > ssh_verify_cert: verify error, code=20, msg='unable to get local issuer certificate'
> > key_verify failed for server_host_key
> >
> > Also, it seems that the patches are already applied in pkixssh-8.0b0; please
> > correct me if I am wrong. Also find detailed logs and config in the attached
> > file.
> >
> > Regards,
> > Mudassir Aftab
> >
> >
> > On Sun, Feb 2, 2014 at 7:14 PM, <ssh_x509 at roumenpetrov.info> wrote:
> >
> >> Hello,
> >>
> >> I just uploaded an initial beta pack with sources that add support for
> >> the x509v3-ecdsa-sha2-* public key algorithm for SSH as specified in RFC
> >> 6187.
> >>
> >> The compressed archive could be downloaded from
> >> http://roumenpetrov.info/openssh/test-packs/pkixssh-8.0b0_20140131.tgz .
> >> The tarball contains an extract from the source repository -
> >> "pkixssh-8.0b0.tar" - and a patch set in subdirectory 7.8-8.0b0.
> >> The pack is only for testing purposes and could be removed at any time.
> >>
> >>
> >> Please review the patches for compatibility of the implementation with RFC 6187.
> >>
> >> To use x509v3-ecdsa-sha2-*, the identity file has to contain more than one
> >> certificate - the certificate that matches the private key and certificates
> >> that could be used to construct the certificate chain for verification.
> >>
> >>
> >> Regards,
> >> Roumen Petrov
> >>
> >>

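The `code=20` failure quoted above is OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: the verifier found no issuer certificate for the certificate at depth 0. The following added example (not part of the thread and not pkixssh code; the CA and host names, file names and helper functions are constructed) reproduces that verdict with `openssl verify` on a throwaway P-256 CA and host certificate, and checks a merged identity file laid out as the announcement describes.

```shell
#!/usr/bin/env bash
# Added example. Constructed lab: throwaway P-256 CA and host certificate;
# every subject name, file name and function name below is a placeholder.

# Build the CA, the host key/certificate, and a merged identity file laid out
# as described in the thread: private key, its certificate, then chain certs.
make_lab() {
    lab=$(mktemp -d) || return 1
    openssl ecparam -name prime256v1 -genkey -noout -out "$lab/ca-key.pem" &&
    openssl req -new -x509 -key "$lab/ca-key.pem" -days 2 \
        -subj "/O=example/CN=Example Test CA" -out "$lab/ca-crt.pem" 2>/dev/null &&
    openssl ecparam -name prime256v1 -genkey -noout -out "$lab/host-key.pem" &&
    openssl req -new -key "$lab/host-key.pem" \
        -subj "/O=example/CN=ssh-host.example" -out "$lab/host.csr" 2>/dev/null &&
    openssl x509 -req -in "$lab/host.csr" -CA "$lab/ca-crt.pem" -CAkey "$lab/ca-key.pem" \
        -CAcreateserial -days 1 -out "$lab/host-crt.pem" 2>/dev/null &&
    cat "$lab/host-key.pem" "$lab/host-crt.pem" "$lab/ca-crt.pem" > "$lab/host-merged.pem" &&
    printf '%s\n' "$lab"
}

# Classify `openssl verify` for the host certificate; $2 is an optional CA file.
chain_status() {
    out=$(openssl verify ${2:+-CAfile "$2"} "$1/host-crt.pem" 2>&1) && { echo ok; return 0; }
    case $out in
        *"error 20 at 0 depth"*) echo missing-issuer ;;  # issuer not in the trust store
        *) echo "other: $out" ;;
    esac
}

# Count certificates in an identity file and compare the first one's public key
# with the private key stored in the same file.
identity_check() {
    n=$(grep -c 'BEGIN CERTIFICATE' "$1")
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    if [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]; then m=match; else m=mismatch; fi
    echo "$n certs, key $m"
}

lab=$(make_lab) || { echo "openssl failed" >&2; exit 1; }
echo "no trust anchor: $(chain_status "$lab")"
echo "with CA file:    $(chain_status "$lab" "$lab/ca-crt.pem")"
echo "identity file:   $(identity_check "$lab/host-merged.pem")"
rm -rf "$lab"
```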

