[ssh_x509] Logging in case of X.509 authentication

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Mon Mar 3 11:14:08 EET 2014


Hi Roumen,

I have tried with many different ECC-based certs and with the latest packages. I
think SSH x509 is not reading ECC-based certs.

List of errors:
debug1: Can't process default engine config file: No such file or directory

debug3: x509key_parse_cert: PEM_read_X509 fail
error:0906D06C:lib(9):func(109):reason(108)

debug3: Could not load "ssh-x509-client-merg.pem" as a RSA1 public key

debug3: ssh_x509store_verify_cert: for 'CN=ssh-x509.xyz.net,OU=admin,O=xyz'
ssh_x509store_cb: subject='CN=ssh-x509.xtz.net,OU=admin,O=xyz', error 20 at
0 depth lookup:unable to get local issuer certificate
ssh_verify_cert: verify error, code=20, msg='unable to get local issuer
certificate'
debug3: ssh_x509store_verify_cert: return -1(error)
debug3: ssh_x509_verify: return -1
key_verify failed for server_host_key


Regards,
Mudassir Aftab


On Mon, Feb 10, 2014 at 3:02 PM, <ssh_x509 at roumenpetrov.info> wrote:

> Debug Mode:
> debug2: load_server_config: filename /usr/local/etc/sshd_config
> debug2: load_server_config: done config len = 514
> debug2: parse_server_config: config /usr/local/etc/sshd_config len 514
> debug3: /usr/local/etc/sshd_config:19 setting Protocol 2
> debug3: /usr/local/etc/sshd_config:29 setting HostKey
> /root/certs/server/ssh-server-merg.pem
> debug3: /usr/local/etc/sshd_config:30 setting CACertificateFile
> /root/certs/server/cacert.pem
> debug3: /usr/local/etc/sshd_config:49 setting AllowedCertPurpose any
> debug3: /usr/local/etc/sshd_config:54 setting KeyAllowSelfIssued yes
> debug3: /usr/local/etc/sshd_config:67 setting CACertificatePath
> /root/certs/server
> debug3: /usr/local/etc/sshd_config:98 setting VAType none
> debug3: /usr/local/etc/sshd_config:124 setting AuthorizedKeysFile
> .ssh/authorized_keys
> debug3: /usr/local/etc/sshd_config:180 setting UsePrivilegeSeparation
> sandbox
> debug3: /usr/local/etc/sshd_config:196 setting Subsystem sftp
> /usr/local/libexec/sftp-server
> debug2: hash dir '/root/certs/server' added to x509 store
> debug2: file '/root/certs/server/cacert.pem' added to x509 store
> debug2: hash dir '/usr/local/etc/ca/crl' added to x509 revocation store
> debug1: ssh_set_validator: ignore responder url
> debug1: sshd version OpenSSH_6.5, OpenSSL 1.0.1f 6 Jan 2014
> debug3: Incorrect RSA1 identifier
> debug1: key_parse_private2: missing begin marker
> debug1: read PEM private key begin
> debug1: read X.509 certificate begin
> debug1: read X.509 certificate done: type ECDSA+cert
> debug1: read PEM private key done: type ECDSA+cert
> debug3: key_load_public(/root/certs/server/ssh-server-merg.pem,...)
> debug3: Incorrect RSA1 identifier
> debug3: Could not load "/root/certs/server/ssh-server-merg.pem" as a RSA1
> public key
> debug1: private host key: #0 type 3 ECDSA+cert
> debug1: rexec_argv[0]='/usr/local/sbin/sshd'
> debug1: rexec_argv[1]='-dddd'
> debug3: oom_adjust_setup
> Set /proc/self/oom_score_adj from 0 to -1000
> debug2: fd 3 setting O_NONBLOCK
> debug1: Bind to port 22 on 0.0.0.0.
> Server listening on 0.0.0.0 port 22.
> debug2: fd 4 setting O_NONBLOCK
> debug3: sock_set_v6only: set socket 4 IPV6_V6ONLY
> debug1: Bind to port 22 on ::.
> Server listening on :: port 22.
> debug3: fd 5 is not O_NONBLOCK
> debug1: Server will not fork when running in debugging mode.
> debug3: send_rexec_state: entering fd = 8 config len 514
> debug3: ssh_msg_send: type 0
> debug3: send_rexec_state: done
> debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
> debug1: inetd sockets after dupping: 3, 3
> Connection from 10.0.0.123 port 40926 on 10.0.0.221 port 22
> debug1: Client protocol version 2.0; client software version OpenSSH_6.5
> PKIX
> debug1: match: OpenSSH_6.5 PKIX pat OpenSSH* compat 0x04000000
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_6.5 PKIX
> debug2: fd 3 setting O_NONBLOCK
> debug3: ssh_sandbox_init: preparing seccomp filter sandbox
> debug2: Network child is on pid 4094
> debug3: preauth child monitor started
> debug3: privsep user:group 105:65534 [preauth]
> debug1: permanently_set_uid: 105/65534 [preauth]
> debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth]
> debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
> debug1: list_hostkey_types:
>
> x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp521
> [preauth]
> debug1: SSH2_MSG_KEXINIT sent [preauth]
> debug1: SSH2_MSG_KEXINIT received [preauth]
> debug2: kex_parse_kexinit:
> curve25519-sha256 at libssh.org
> ,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> [preauth]
> debug2: kex_parse_kexinit:
>
> x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp521
> [preauth]
> debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
> aes128-gcm at openssh.com,aes256-gcm at openssh.com,
> chacha20-poly1305 at openssh.com
>
> ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
> rijndael-cbc at lysator.liu.se [preauth]
> debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
> aes128-gcm at openssh.com,aes256-gcm at openssh.com,
> chacha20-poly1305 at openssh.com
>
> ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
> rijndael-cbc at lysator.liu.se [preauth]
> debug2: kex_parse_kexinit: hmac-md5-etm at openssh.com,
> hmac-sha1-etm at openssh.com,umac-64-etm at openssh.com,umac-128-etm at openssh.com
> ,
> hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,
> hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,
> hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at openssh.com,
> umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
> hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
> debug2: kex_parse_kexinit: hmac-md5-etm at openssh.com,
> hmac-sha1-etm at openssh.com,umac-64-etm at openssh.com,umac-128-etm at openssh.com
> ,
> hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,
> hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,
> hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at openssh.com,
> umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
> hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
> debug2: kex_parse_kexinit: none,zlib at openssh.com [preauth]
> debug2: kex_parse_kexinit: none,zlib at openssh.com [preauth]
> debug2: kex_parse_kexinit:  [preauth]
> debug2: kex_parse_kexinit:  [preauth]
> debug2: kex_parse_kexinit: first_kex_follows 0  [preauth]
> debug2: kex_parse_kexinit: reserved 0  [preauth]
> debug2: kex_parse_kexinit:
> curve25519-sha256 at libssh.org
> ,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> [preauth]
> debug2: kex_parse_kexinit:
>
> x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp521,
> ecdsa-sha2-nistp256-cert-v01 at openssh.com,
> ecdsa-sha2-nistp384-cert-v01 at openssh.com,
> ecdsa-sha2-nistp521-cert-v01 at openssh.com
>
> ,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,x509v3-sign-rsa,x509v3-sign-dss,
> ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,
> ssh-dss-cert-v01 at openssh.com,ssh-rsa-cert-v00 at openssh.com,
> ssh-dss-cert-v00 at openssh.com,ssh-ed25519,ssh-rsa,ssh-dss [preauth]
> debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
> aes128-gcm at openssh.com,aes256-gcm at openssh.com,
> chacha20-poly1305 at openssh.com
>
> ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
> rijndael-cbc at lysator.liu.se [preauth]
> debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
> aes128-gcm at openssh.com,aes256-gcm at openssh.com,
> chacha20-poly1305 at openssh.com
>
> ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
> rijndael-cbc at lysator.liu.se [preauth]
> debug2: kex_parse_kexinit: hmac-md5-etm at openssh.com,
> hmac-sha1-etm at openssh.com,umac-64-etm at openssh.com,umac-128-etm at openssh.com
> ,
> hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,
> hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,
> hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at openssh.com,
> umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
> hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
> debug2: kex_parse_kexinit: hmac-md5-etm at openssh.com,
> hmac-sha1-etm at openssh.com,umac-64-etm at openssh.com,umac-128-etm at openssh.com
> ,
> hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,
> hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,
> hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at openssh.com,
> umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
> hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
> debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib [preauth]
> debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib [preauth]
> debug2: kex_parse_kexinit:  [preauth]
> debug2: kex_parse_kexinit:  [preauth]
> debug2: kex_parse_kexinit: first_kex_follows 0  [preauth]
> debug2: kex_parse_kexinit: reserved 0  [preauth]
> debug2: mac_setup: found hmac-md5-etm at openssh.com [preauth]
> debug1: kex: client->server aes128-ctr hmac-md5-etm at openssh.com none
> [preauth]
> debug2: mac_setup: found hmac-md5-etm at openssh.com [preauth]
> debug1: kex: server->client aes128-ctr hmac-md5-etm at openssh.com none
> [preauth]
> debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
> debug3: mm_key_sign entering [preauth]
> debug3: mm_request_send entering: type 6 [preauth]
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 6
> debug3: mm_answer_sign
> debug3: ssh_x509_sign: key_type=ECDSA+cert,
> key_ssh_name=x509v3-ecdsa-sha2-nistp256
> debug3: ssh_x509_sign: alg=x509v3-ecdsa-sha2-nistp256,
> md=ecdsa-sha2-nistp256
> debug3: ssh_x509_sign: keylen=72, siglen=72
> debug3: ssh_x509_sign: signame=x509v3-ecdsa-sha2-nistp256
> debug3: ssh_x509_sign: return 0
> debug3: mm_answer_sign: signature 0xfdc340(106)
> debug3: mm_request_send entering: type 7
> debug2: monitor_read: 6 used once, disabling now
> debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN [preauth]
> debug3: mm_request_receive_expect entering: type 7 [preauth]
> debug3: mm_request_receive entering [preauth]
> debug2: kex_derive_keys [preauth]
> debug2: set_newkeys: mode 1 [preauth]
> debug1: SSH2_MSG_NEWKEYS sent [preauth]
> debug1: expecting SSH2_MSG_NEWKEYS [preauth]
> Connection closed by 10.0.0.123 [preauth]
> debug1: do_cleanup [preauth]
> debug3: mm_request_receive entering
> debug1: do_cleanup
> debug1: Killing privsep child 4094
>
>
>
> On Mon, Feb 10, 2014 at 3:01 PM, Mudassir Aftab <withmudassir at gmail.com> wrote:
>
> > Hi Roumen,
> >
> > I have attached my server and client certs with complete configuration. I
> > also tested with other self-signed and valid certs but still no success
> > :(
> >
> > Error:
> > ssh_x509store_cb: subject='CN=ssh-server-ecc.com', error 20 at 0 depth
> > lookup:unable to get local issuer certificate
> >
> > ssh_verify_cert: verify error, code=20, msg='unable to get local issuer
> > certificate'
> > key_verify failed for server_host_key
> >
> >
> > Server SSHD_CONFIG:
> > Protocol 2
> > HostKey /root/certs/server/ssh-server-merg.pem
> > CACertificateFile /root/certs/server/cacert.pem
> > AllowedCertPurpose any
> > KeyAllowSelfIssued yes
> > CACertificatePath /root/certs/server
> > VAType none
> > AuthorizedKeysFile      .ssh/authorized_keys
> > UsePrivilegeSeparation sandbox          # Default for new installations.
> > Subsystem       sftp    /usr/local/libexec/sftp-server
> >
> > authorized_keys File:
> > x509v3-ecdsa-sha2-nistp256 subject=CN=ssh-server-ecc.com
> >
> > Client SSHD_CONFIG:
> > Protocol 2
> > HostKey /root/certs/client/ssh-client-merg.pem
> > CACertificateFile /root/certs/client/cacert.pem
> > AllowedCertPurpose any
> > KeyAllowSelfIssued yes
> > CACertificatePath /root/certs/client
> > VAType none
> > PubkeyAuthentication yes
> > AuthorizedKeysFile      .ssh/authorized_keys
> > UsePrivilegeSeparation sandbox          # Default for new installations.
> > Subsystem       sftp    /usr/local/libexec/sftp-server
> >
> >
> > Regards,
> > Mudassir Aftab
> >
> >
> > On Sun, Feb 9, 2014 at 2:41 AM, <ssh_x509 at roumenpetrov.info> wrote:
> >
> >> Hi Mudassir
> >>
> >> Now I have time to process my mail box.
> >>
> >>
> >> ssh_x509 at roumenpetrov.info wrote:
> >>
> >>> Hi Roumen,
> >>>
> >>> Many thanks for writing ECC X509 beta patch and prompt reply. I am
> >>> getting following error
> >>>
> >>> ssh_x509store_cb:
> >>> subject='CN=ssh-x509.confidential.net,OU=admin,O=confidential',
> >>> error 20 at 0 depth lookup:unable to get local issuer certificate
> >>> ssh_verify_cert: verify error, code=20, msg='unable to get local issuer
> >>> certificate'
> >>> key_verify failed for server_host_key
> >>>
> >> I'm not sure that error is related to ECC support.
> >> At least root certificate must be located in CACertificateFile or
> >> CACertificatePath.
> >> Note User... configuration in addition for client.
> >>
> >>
> >>
> >>> Also it seems that patches are already applied in pkixssh-8.0b0, please
> >>> correct me if I am wrong. Also find detailed logs and config in attached
> >>> file.
> >>>
> >> Yes,
> >>
> >>> Regards,
> >>> Mudassir Aftab
> >>>
> >>
> >>
> >> Roumen
> >>
> >>
> >> --
> >> Get X.509 certificates support in OpenSSH:
> >> http://roumenpetrov.info/openssh/
> >>
> >>
> >> _______________________________________________
> >> ssh_x509 mailing list
> >> ssh_x509 at roumenpetrov.info
> >> http://roumenpetrov.info/mailman/listinfo/ssh_x509_roumenpetrov.info
> >>
> >
> >
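The advice in the thread (the issuing CA must be present in CACertificateFile or CACertificatePath, and the failure is a store lookup rather than an ECC problem) can be checked outside ssh with the same OpenSSL library that PKIX-SSH calls. The script here is an added example, not code from the list post or from PKIX-SSH. It builds a throw-away PKI with made-up names, reproduces "error 20 at 0 depth lookup: unable to get local issuer certificate" by verifying against the wrong root, shows that a CACertificatePath directory only works once the CA file is reachable under its OpenSSL subject hash (the sshd log's "hash dir ... added to x509 store"), and checks for the PEM "no start line" condition behind "PEM_read_X509 fail ... reason(108)". It assumes an `openssl` binary of version 1.1.1 or later in PATH; everything else is constructed inline.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from PKIX-SSH.
# Assumes: openssl 1.1.1+ in PATH. All file names and subjects are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throw-away PKI: a CA, an ECDSA nistp256 host certificate it signed, and an
# unrelated CA that plays the role of "the wrong root" in the checks below.
gen_pki() {
  dir="$1"
  # Private req config so the example does not depend on the system openssl.cnf.
  cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
  for ca in cacert other-ca; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$ca.key" 2>/dev/null
    openssl req -config "$dir/req.cnf" -x509 -new -key "$dir/$ca.key" \
      -subj "/O=xyz/CN=$ca" -days 1 -out "$dir/$ca.pem" 2>/dev/null
  done
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/host.key" 2>/dev/null
  openssl req -config "$dir/req.cnf" -new -key "$dir/host.key" \
    -subj "/O=xyz/OU=admin/CN=ssh-x509.example.net" -out "$dir/host.csr" 2>/dev/null
  openssl x509 -req -in "$dir/host.csr" -CA "$dir/cacert.pem" -CAkey "$dir/cacert.key" \
    -CAcreateserial -days 1 -out "$dir/host.pem" 2>/dev/null
  # The "merged" HostKey layout from the thread: private key, then its certificate.
  cat "$dir/host.key" "$dir/host.pem" > "$dir/host-merg.pem"
}

# "PEM_read_X509 fail ... reason(108)" is OpenSSL's PEM "no start line": the
# file handed in as a certificate contains no BEGIN CERTIFICATE block at all.
pem_has_cert() { grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; }

# CACertificateFile semantics: the issuer is looked up in one PEM bundle.
verify_with_cafile() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# CACertificatePath semantics: an OpenSSL hash directory. The issuer is found
# only under the name <subject-hash>.<n>; a cacert.pem copied in under its own
# name is ignored and the lookup fails with error 20.
hash_into_capath() {
  mkdir -p "$2"
  h="$(openssl x509 -hash -noout -in "$1")"
  cp "$1" "$2/$h.0"
}
verify_with_capath() { openssl verify -CApath "$2" "$1" >/dev/null 2>&1; }

# The X509_V_ERR number openssl reports for a failed chain (empty when it verifies).
chain_error_code() {
  openssl verify -CAfile "$2" "$1" 2>&1 \
    | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p' | head -n 1
}

# Run the checks once so the script is useful on its own.
gen_pki "$WORK"
mkdir -p "$WORK/unhashed" && cp "$WORK/cacert.pem" "$WORK/unhashed/"
hash_into_capath "$WORK/cacert.pem" "$WORK/hashed"

report() { if "$@" >/dev/null 2>&1; then echo "ok   : $*"; else echo "FAIL : $*"; fi; }
report pem_has_cert "$WORK/host-merg.pem"
report verify_with_cafile "$WORK/host.pem" "$WORK/cacert.pem"
echo "wrong root gives X509_V_ERR $(chain_error_code "$WORK/host.pem" "$WORK/other-ca.pem")"
report verify_with_capath "$WORK/host.pem" "$WORK/unhashed"   # expected FAIL: not hashed
report verify_with_capath "$WORK/host.pem" "$WORK/hashed"
```

To apply this to a real setup, point `-CAfile` and `-CApath` at exactly the paths from the client's sshd_config/ssh_config (and the User... variants Roumen mentions) and verify the server's certificate file with them; if openssl reports error 20 there, sshd will too. The quoted Feb 10 sshd log already shows the server loading its ECDSA certificate ("read X.509 certificate done: type ECDSA+cert", "private host key: #0 type 3 ECDSA+cert") and the client dropping the connection right after the key exchange, which is the point where the client verifies server_host_key against its own store.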