[ssh_x509] pkixssh-8.0b0 and ECDSA public key algorithm for SSH (RFC 6187)

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Mon Feb 10 12:02:31 EET 2014


Debug Mode:
debug2: load_server_config: filename /usr/local/etc/sshd_config
debug2: load_server_config: done config len = 514
debug2: parse_server_config: config /usr/local/etc/sshd_config len 514
debug3: /usr/local/etc/sshd_config:19 setting Protocol 2
debug3: /usr/local/etc/sshd_config:29 setting HostKey
/root/certs/server/ssh-server-merg.pem
debug3: /usr/local/etc/sshd_config:30 setting CACertificateFile
/root/certs/server/cacert.pem
debug3: /usr/local/etc/sshd_config:49 setting AllowedCertPurpose any
debug3: /usr/local/etc/sshd_config:54 setting KeyAllowSelfIssued yes
debug3: /usr/local/etc/sshd_config:67 setting CACertificatePath
/root/certs/server
debug3: /usr/local/etc/sshd_config:98 setting VAType none
debug3: /usr/local/etc/sshd_config:124 setting AuthorizedKeysFile
.ssh/authorized_keys
debug3: /usr/local/etc/sshd_config:180 setting UsePrivilegeSeparation
sandbox
debug3: /usr/local/etc/sshd_config:196 setting Subsystem sftp
/usr/local/libexec/sftp-server
debug2: hash dir '/root/certs/server' added to x509 store
debug2: file '/root/certs/server/cacert.pem' added to x509 store
debug2: hash dir '/usr/local/etc/ca/crl' added to x509 revocation store
debug1: ssh_set_validator: ignore responder url
debug1: sshd version OpenSSH_6.5, OpenSSL 1.0.1f 6 Jan 2014
debug3: Incorrect RSA1 identifier
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key begin
debug1: read X.509 certificate begin
debug1: read X.509 certificate done: type ECDSA+cert
debug1: read PEM private key done: type ECDSA+cert
debug3: key_load_public(/root/certs/server/ssh-server-merg.pem,...)
debug3: Incorrect RSA1 identifier
debug3: Could not load "/root/certs/server/ssh-server-merg.pem" as a RSA1
public key
debug1: private host key: #0 type 3 ECDSA+cert
debug1: rexec_argv[0]='/usr/local/sbin/sshd'
debug1: rexec_argv[1]='-dddd'
debug3: oom_adjust_setup
Set /proc/self/oom_score_adj from 0 to -1000
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug2: fd 4 setting O_NONBLOCK
debug3: sock_set_v6only: set socket 4 IPV6_V6ONLY
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug3: fd 5 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 514
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from 10.0.0.123 port 40926 on 10.0.0.221 port 22
debug1: Client protocol version 2.0; client software version OpenSSH_6.5
PKIX
debug1: match: OpenSSH_6.5 PKIX pat OpenSSH* compat 0x04000000
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.5 PKIX
debug2: fd 3 setting O_NONBLOCK
debug3: ssh_sandbox_init: preparing seccomp filter sandbox
debug2: Network child is on pid 4094
debug3: preauth child monitor started
debug3: privsep user:group 105:65534 [preauth]
debug1: permanently_set_uid: 105/65534 [preauth]
debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth]
debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
debug1: list_hostkey_types:
x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp521
[preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug2: kex_parse_kexinit:
curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
[preauth]
debug2: kex_parse_kexinit:
x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp521
[preauth]
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
aes128-gcm at openssh.com,aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com
,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-cbc at lysator.liu.se [preauth]
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
aes128-gcm at openssh.com,aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com
,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-cbc at lysator.liu.se [preauth]
debug2: kex_parse_kexinit: hmac-md5-etm at openssh.com,
hmac-sha1-etm at openssh.com,umac-64-etm at openssh.com,umac-128-etm at openssh.com,
hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,
hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,
hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at openssh.com,
umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: hmac-md5-etm at openssh.com,
hmac-sha1-etm at openssh.com,umac-64-etm at openssh.com,umac-128-etm at openssh.com,
hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,
hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,
hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at openssh.com,
umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: none,zlib at openssh.com [preauth]
debug2: kex_parse_kexinit: none,zlib at openssh.com [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit: first_kex_follows 0  [preauth]
debug2: kex_parse_kexinit: reserved 0  [preauth]
debug2: kex_parse_kexinit:
curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
[preauth]
debug2: kex_parse_kexinit:
x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp521,
ecdsa-sha2-nistp256-cert-v01 at openssh.com,
ecdsa-sha2-nistp384-cert-v01 at openssh.com,
ecdsa-sha2-nistp521-cert-v01 at openssh.com
,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,x509v3-sign-rsa,x509v3-sign-dss,
ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,
ssh-dss-cert-v01 at openssh.com,ssh-rsa-cert-v00 at openssh.com,
ssh-dss-cert-v00 at openssh.com,ssh-ed25519,ssh-rsa,ssh-dss [preauth]
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
aes128-gcm at openssh.com,aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com
,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-cbc at lysator.liu.se [preauth]
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
aes128-gcm at openssh.com,aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com
,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-cbc at lysator.liu.se [preauth]
debug2: kex_parse_kexinit: hmac-md5-etm at openssh.com,
hmac-sha1-etm at openssh.com,umac-64-etm at openssh.com,umac-128-etm at openssh.com,
hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,
hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,
hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at openssh.com,
umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: hmac-md5-etm at openssh.com,
hmac-sha1-etm at openssh.com,umac-64-etm at openssh.com,umac-128-etm at openssh.com,
hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,
hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,
hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at openssh.com,
umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib [preauth]
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit: first_kex_follows 0  [preauth]
debug2: kex_parse_kexinit: reserved 0  [preauth]
debug2: mac_setup: found hmac-md5-etm at openssh.com [preauth]
debug1: kex: client->server aes128-ctr hmac-md5-etm at openssh.com none
[preauth]
debug2: mac_setup: found hmac-md5-etm at openssh.com [preauth]
debug1: kex: server->client aes128-ctr hmac-md5-etm at openssh.com none
[preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug3: mm_key_sign entering [preauth]
debug3: mm_request_send entering: type 6 [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_sign
debug3: ssh_x509_sign: key_type=ECDSA+cert,
key_ssh_name=x509v3-ecdsa-sha2-nistp256
debug3: ssh_x509_sign: alg=x509v3-ecdsa-sha2-nistp256,
md=ecdsa-sha2-nistp256
debug3: ssh_x509_sign: keylen=72, siglen=72
debug3: ssh_x509_sign: signame=x509v3-ecdsa-sha2-nistp256
debug3: ssh_x509_sign: return 0
debug3: mm_answer_sign: signature 0xfdc340(106)
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN [preauth]
debug3: mm_request_receive_expect entering: type 7 [preauth]
debug3: mm_request_receive entering [preauth]
debug2: kex_derive_keys [preauth]
debug2: set_newkeys: mode 1 [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Connection closed by 10.0.0.123 [preauth]
debug1: do_cleanup [preauth]
debug3: mm_request_receive entering
debug1: do_cleanup
debug1: Killing privsep child 4094



On Mon, Feb 10, 2014 at 3:01 PM, Mudassir Aftab <withmudassir at gmail.com>wrote:

> Hi Roumen,
>
> I have attached my server and client certs with complete configuration, i
> also tested with other slef signed and valid certs but still no success :(
>
> Error:
> ssh_x509store_cb: subject='CN=ssh-server-ecc.com', error 20 at 0 depth
> lookup:unable to get local issuer certificate
>
> ssh_verify_cert: verify error, code=20, msg='unable to get local issuer
> certificate'
> key_verify failed for server_host_key
>
>
> Server SSHD_CONFIG:
> Protocol 2
> HostKey /root/certs/server/ssh-server-merg.pem
> CACertificateFile /root/certs/server/cacert.pem
> AllowedCertPurpose any
> KeyAllowSelfIssued yes
> CACertificatePath /root/certs/server
> VAType none
> AuthorizedKeysFile      .ssh/authorized_keys
> UsePrivilegeSeparation sandbox          # Default for new installations.
> Subsystem       sftp    /usr/local/libexec/sftp-server
>
> authorized_keys File:
> x509v3-ecdsa-sha2-nistp256 subject=CN=ssh-server-ecc.com
>
> Client SSHD_CONFIG:
> Protocol 2
> HostKey /root/certs/client/ssh-client-merg.pem
> CACertificateFile /root/certs/client/cacert.pem
> AllowedCertPurpose any
> KeyAllowSelfIssued yes
> CACertificatePath /root/certs/client
> VAType none
> PubkeyAuthentication yes
> AuthorizedKeysFile      .ssh/authorized_keys
> UsePrivilegeSeparation sandbox          # Default for new installations.
> Subsystem       sftp    /usr/local/libexec/sftp-server
>
>
> Regards,
> Mudassir Aftab
>
>
> On Sun, Feb 9, 2014 at 2:41 AM, <ssh_x509 at roumenpetrov.info> wrote:
>
>> Hi Mudassir
>>
>> Now I have time to process my mail box.
>>
>>
>> ssh_x509 at roumenpetrov.info wrote:
>>
>>> Hi Roumen,
>>>
>>> Many thanks for  writing ECC X509 beta patch and prompt reply.  I am
>>> getting following error
>>>
>>> ssh_x509store_cb:
>>> subject='CN=ssh-x509.confidential.net,OU=admin,O=confidential',
>>> error 20 at 0 depth lookup:unable to get local issuer certificate
>>> ssh_verify_cert: verify error, code=20, msg='unable to get local issuer
>>> certificate'
>>> key_verify failed for server_host_key
>>>
>> I'm not sure that error is related to ECC support .
>> At least root certificate must be located in CACertificateFile or
>> CACertificatePath.
>> Note User... configuration in addtion for client.
>>
>>
>>
>>  Also its seems that patches are already applied in pkixssh-8.0b0, please
>>> correct me if i am wrong. Also find detailed logs and config in attached
>>> file.
>>>
>> Yes,
>>
>>  Regards,
>>> Mudassir Aftab
>>>
>>
>>
>> Roumen
>>
>>
>> --
>> Get X.509 certificates support in OpenSSH:
>> http://roumenpetrov.info/openssh/
>>
>>
>> _______________________________________________
>> ssh_x509 mailing list
>> ssh_x509 at roumenpetrov.info
>> http://roumenpetrov.info/mailman/listinfo/ssh_x509_roumenpetrov.info
>>
>
>



More information about the ssh_x509 mailing list