[ssh_x509] pkixssh-8.0b0 and ECDSA public key algorithm for SSH (RFC 6187)

ssh_x509 at roumenpetrov.info
Sat Feb 15 12:59:08 EET 2014


Hi Mudassir,

ssh_x509 at roumenpetrov.info wrote:
> Hi Roumen,
>
> You are correct that the above error is not related to ECC, I am getting the same
> error with RSA certs as well
>
> Following is my config:
>
> Server:
>
> Port 22
> ListenAddress 0.0.0.0
> Protocol 2
> HostKey /root/rsa/server-x509.pem
> X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1
> X509KeyAlgorithm x509v3-sign-rsa,rsa-md5
Please avoid the above for tests with ECC.
The default adds the new public key algorithms x509v3-ecdsa-sha2-nistp256,
x509v3-ecdsa-sha2-nistp384 and x509v3-ecdsa-sha2-nistp521 if supported by
the OpenSSL library.

> AllowedCertPurpose sslclient
> KeyAllowSelfIssued no
> CACertificateFile /root/rsa/CA.pem
> VAType ocspspec
> VAOCSPResponderURL http://internal-ocsp.dev.confidential.net:8080/ejbca/publicweb/status/ocsp
> PermitRootLogin yes
> RSAAuthentication yes
> PubkeyAuthentication yes
> AuthorizedKeysFile      .ssh/authorized_keys
> UsePrivilegeSeparation sandbox          # Default for new installations.
For initial tests I would recommend not using privilege separation.
Without it, messages will be more helpful.

> Subsystem       sftp    /usr/local/libexec/sftp-server
> Client:
> HostKey /root/rsa/client.key
> X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1
> X509KeyAlgorithm x509v3-sign-rsa,rsa-md5
Please do not set X509KeyAlgorithm for tests with ECC.

[SNIP]

Also, self-signed host certificates are not supported.


Let's limit tests of the initial beta version to nistp256 keys only.


Roumen
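A small config check, added here as an example and not part of this thread or of PKIX-SSH itself, that flags the two server settings asked to be changed above before an ECC test: explicit X509KeyAlgorithm lines with no ECDSA entry, and privilege separation left on. The parser is a simplified, hypothetical reading of the sshd_config syntax (not sshd's own), and the sample config is constructed from the one quoted in the thread.

```python
"""Lint a PKIX-SSH style sshd_config for the ECC-test pitfalls raised in the thread."""

# RFC 6187 ECDSA algorithm names that the default list adds when the
# OpenSSL library supports the curves (names taken from the thread).
ECDSA_X509_ALGS = (
    "x509v3-ecdsa-sha2-nistp256",
    "x509v3-ecdsa-sha2-nistp384",
    "x509v3-ecdsa-sha2-nistp521",
)

# Constructed sample: the quoted server config, trimmed to the relevant lines.
SAMPLE_SERVER_CONFIG = """\
Port 22
Protocol 2
HostKey /root/rsa/server-x509.pem
X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1
X509KeyAlgorithm x509v3-sign-rsa,rsa-md5
AllowedCertPurpose sslclient
KeyAllowSelfIssued no
CACertificateFile /root/rsa/CA.pem
PubkeyAuthentication yes
UsePrivilegeSeparation sandbox          # Default for new installations.
"""

def parse_sshd_config(text):
    """Return (keyword, value) pairs with lower-cased keywords.
    Simplified hypothetical parser: '#' starts a comment, blank lines are
    skipped, keyword and value are separated by whitespace."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        entries.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return entries

def lint_for_ecc_test(text):
    """Return warning strings for a config meant to test ECDSA X.509 keys."""
    entries = parse_sshd_config(text)
    warnings = []
    # Each X509KeyAlgorithm value is "<pubkey alg>,<signature alg>"; the first
    # field is the public key algorithm name from RFC 6187.
    algs = [v for k, v in entries if k == "x509keyalgorithm"]
    if algs and not any(v.split(",")[0] in ECDSA_X509_ALGS for v in algs):
        warnings.append("X509KeyAlgorithm set explicitly (%s) with no ECDSA entry; "
                        "remove these lines so the default ECDSA algorithms apply" % ", ".join(algs))
    for k, v in entries:
        if k == "useprivilegeseparation" and v.lower() != "no":
            warnings.append("UsePrivilegeSeparation %s: disable it for initial tests "
                            "to get more helpful error messages" % v)
    return warnings

if __name__ == "__main__":
    for w in lint_for_ecc_test(SAMPLE_SERVER_CONFIG):
        print("WARNING:", w)
```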
