[ssh_x509] pkixssh-8.0b0 and ECDSA public key algorithm for SSH (RFC 6187)

ssh_x509 at roumenpetrov.info
Mon Feb 10 12:01:58 EET 2014


Hi Roumen,

I have attached my server and client certs with complete configuration. I
also tested with other self-signed and valid certs but still no success :(

Error:
ssh_x509store_cb: subject='CN=ssh-server-ecc.com', error 20 at 0 depth
lookup:unable to get local issuer certificate
ssh_verify_cert: verify error, code=20, msg='unable to get local issuer
certificate'
key_verify failed for server_host_key


Server SSHD_CONFIG:
Protocol 2
HostKey /root/certs/server/ssh-server-merg.pem
CACertificateFile /root/certs/server/cacert.pem
AllowedCertPurpose any
KeyAllowSelfIssued yes
CACertificatePath /root/certs/server
VAType none
AuthorizedKeysFile      .ssh/authorized_keys
UsePrivilegeSeparation sandbox          # Default for new installations.
Subsystem       sftp    /usr/local/libexec/sftp-server

authorized_keys File:
x509v3-ecdsa-sha2-nistp256 subject=CN=ssh-server-ecc.com

Client SSHD_CONFIG:
Protocol 2
HostKey /root/certs/client/ssh-client-merg.pem
CACertificateFile /root/certs/client/cacert.pem
AllowedCertPurpose any
KeyAllowSelfIssued yes
CACertificatePath /root/certs/client
VAType none
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
UsePrivilegeSeparation sandbox          # Default for new installations.
Subsystem       sftp    /usr/local/libexec/sftp-server


Regards,
Mudassir Aftab


On Sun, Feb 9, 2014 at 2:41 AM, <ssh_x509 at roumenpetrov.info> wrote:

> Hi Mudassir
>
> Now I have time to process my mail box.
>
>
> ssh_x509 at roumenpetrov.info wrote:
>
>> Hi Roumen,
>>
>> Many thanks for writing the ECC X509 beta patch and the prompt reply. I am
>> getting the following error
>>
>> ssh_x509store_cb:
>> subject='CN=ssh-x509.confidential.net,OU=admin,O=confidential',
>> error 20 at 0 depth lookup:unable to get local issuer certificate
>> ssh_verify_cert: verify error, code=20, msg='unable to get local issuer
>> certificate'
>> key_verify failed for server_host_key
>>
> I'm not sure that error is related to ECC support.
> At least the root certificate must be located in CACertificateFile or
> CACertificatePath.
> Note User... configuration in addition for client.
>
>
>
>> Also it seems that patches are already applied in pkixssh-8.0b0, please
>> correct me if I am wrong. Also find detailed logs and config in attached
>> file.
>>
> Yes,
>
>> Regards,
>> Mudassir Aftab
>>
>
>
> Roumen
>
>
> --
> Get X.509 certificates support in OpenSSH:
> http://roumenpetrov.info/openssh/
>
>
>
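
Added example (not part of the original thread and not PKIX-SSH code): "error 20 at 0 depth" in the logs above is OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, and it can be reproduced with the openssl CLI alone. The script builds throwaway P-256 certificates (constructed names demo-ca and demo-other) and verifies a host certificate against a CA file that does and does not contain its issuer; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: every key and certificate here is constructed in a temp dir.
# Function names are hypothetical; only the openssl CLI is assumed.

# Build a P-256 CA ("demo-ca"), an unrelated CA ("demo-other"), and a host
# certificate for CN=ssh-server-ecc.com signed by demo-ca.
make_demo_pki() {
    d=$1
    for n in ca other host; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$d/$n.key" || return 1
    done
    for n in ca other; do
        openssl req -x509 -new -key "$d/$n.key" -subj "/CN=demo-$n" \
            -days 2 -out "$d/$n.pem" 2>/dev/null || return 1
    done
    openssl req -new -key "$d/host.key" -subj "/CN=ssh-server-ecc.com" \
        -out "$d/host.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/host.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -out "$d/host.pem" 2>/dev/null
}

# Print openssl's verdict for certificate $2 against the trust anchors in
# CA file $1: "OK", or the first "error N at D depth" it reports.
verify_result() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1)
    case $out in
        *": OK"*) echo OK ;;
        *) printf '%s\n' "$out" |
               sed -n 's/.*\(error [0-9][0-9]* at [0-9][0-9]* depth\).*/\1/p' |
               head -n 1 ;;
    esac
}

demo=$(mktemp -d) && make_demo_pki "$demo"
# The issuer (demo-ca) is in the CA file: the chain builds.
echo "issuer in CA file:   $(verify_result "$demo/ca.pem" "$demo/host.pem")"
# Only an unrelated CA is in the file: same failure as in the thread's logs.
echo "issuer not in file:  $(verify_result "$demo/other.pem" "$demo/host.pem")"
```

Running the same `openssl verify -CAfile` check with the real cacert.pem and host certificate shows whether the file named in CACertificateFile actually holds the issuing CA.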


