[ssh_x509] pkixssh-8.0b0 and ECDSA public key algorithm for SSH (RFC 6187)

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Sun Feb 16 10:50:11 EET 2014


Hi Roumen,

Finally I have tested SSH with ECC certs. I was missing the client-side config
/usr/local/etc/ssh_config; I was doing configuration in sshd_config only.

VAType ocspspec
VAOCSPResponderURL http://internal-ocsp.dev.confidential.net:8080/ejbca/publicweb/status/ocsp
AllowedCertPurpose sslserver
CACertificateFile /root/client-certs/CA.pem
CACertificatePath /root/client-certs

I can see logs in the OCSP server for both client and server:

08:07:12,320 INFO  [OCSPServletBase] Received OCSP request for certificate
with serNo: 6d540afd3970b7a9, and issuerNameHash:
6ba06bce59c259b7e641e99db9b8c6cef0444613. Client ip 10.0.0.223.
08:07:12,476 INFO  [OCSPServletBase] Adding status information (good) for
certificate with serial '6d540afd3970b7a9' from issuer
'CN=AdminCA1,OU=admin,O=upaga'.
08:07:12,543 INFO  [OCSPServletBase] Received OCSP request for certificate
with serNo: 246af0fd803a3fee, and issuerNameHash:
6ba06bce59c259b7e641e99db9b8c6cef0444613. Client ip 10.0.0.224.
08:07:12,675 INFO  [OCSPServletBase] Adding status information (good) for
certificate with serial '246af0fd803a3fee' from issuer
'CN=AdminCA1,OU=admin,O=upaga'.
08:07:12,733 INFO  [OCSPServletBase] Received OCSP request for certificate
with serNo: 246af0fd803a3fee, and issuerNameHash:
6ba06bce59c259b7e641e99db9b8c6cef0444613. Client ip 10.0.0.224.
08:07:12,983 INFO  [OCSPServletBase] Adding status information (good) for
certificate with serial '246af0fd803a3fee' from issuer
'CN=AdminCA1,OU=admin,O=upaga'


Many, many thanks, Roumen, for all your support.

Also, how can I enable smart card support using PKCS#11 and OpenSC?
                 Smartcard support:

Also, I have a network LDAP server for SSH auth; I want to use it with NSCD
and with the SSHD config option AllowGroups. What do you suggest?

Do I need to enable the following option for NSCD?

                  LDAP queries: no

Regards,
Mudassir Aftab



On Sat, Feb 15, 2014 at 9:44 PM, <ssh_x509 at roumenpetrov.info> wrote:

> ssh_x509 at roumenpetrov.info wrote:
>
>> I am getting following error with beta ecc complied package, please advice
>>
>> [SNIP]
>>
>> debug1: Host 'ssh-x509' is known and matches the ECDSA+cert host key.
>> debug1: Found key in /root/.ssh/known_hosts:1
>> debug3: ssh_x509_verify: signature format = x509v3-ecdsa-sha2-nistp256
>> debug3: ssh_x509_verify: md=ecdsa-sha2-nistp256, loc=4
>> debug3: ssh_x509store_verify_cert: for 'CN=ssh-x509.confidential.net
>> ,OU=admin,O=confidential'
>> ssh_x509store_cb:
>> subject='CN=ssh-x509.confidential.net,OU=admin,O=confidential',
>> error 20 at 0 depth lookup:unable to get local issuer certificate
>> ssh_verify_cert: verify error, code=20, msg='unable to get local issuer
>> certificate'
>> debug3: ssh_x509store_verify_cert: return -1(error)
>> debug3: ssh_x509_verify: return -1
>> key_verify failed for server_host_key
>>
> a) Certificate cannot be self-issued.
> b) You could test certificates in your "x509 store" with the openssl verify
> command with -CApath and -CAfile pointing to the same locations as in the ssh
> configuration.
>
> I don't know your certificate chain to tell you where to put certificates
> from the chain.
>
> Where is the issuer certificate of "CN=ssh-x509.confidential.net,OU=admin,O=confidential"?
> Is it located in the host key or in the client "x509 store"?
>
>
>
>  Regards,
>> Mudassir Aftab
>>
> Roumen
>
>
> _______________________________________________
> ssh_x509 mailing list
> ssh_x509 at roumenpetrov.info
> http://roumenpetrov.info/mailman/listinfo/ssh_x509_roumenpetrov.info
>
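The check Roumen suggests in the quoted reply (openssl verify with -CAfile and -CApath pointing at the same locations as CACertificateFile and CACertificatePath in ssh_config) can be rehearsed offline before touching the real setup. The script below is an added example, not code from the thread or from pkixssh: it builds a throwaway ECDSA CA and host certificate with constructed subjects (standing in for AdminCA1 and the ssh-x509 host, which we do not have), reproduces the "error 20 at 0 depth lookup: unable to get local issuer certificate" failure when the issuer is absent from the store, and then shows the same verify passing once the CA is reachable either as a CAfile or from a hashed CApath directory. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the ssh_x509 thread): reproduce the "error 20 at 0 depth
# lookup: unable to get local issuer certificate" verify failure against a throwaway
# CA, then show the check passing once the issuer is in the store that
# CACertificateFile / CACertificatePath point at. All names and subjects are constructed.
set -eu

# Build a throwaway two-level PKI in directory $1: an ECDSA P-256 CA, a host
# certificate it signs, a hashed CApath directory holding the CA, and an empty one.
make_test_pki() {
    pki=$1
    mkdir -p "$pki/certs" "$pki/empty"
    # Hypothetical CA (stands in for the poster's AdminCA1, which we do not have).
    openssl ecparam -name prime256v1 -genkey -noout -out "$pki/ca.key"
    openssl req -x509 -new -key "$pki/ca.key" -sha256 -days 1 \
        -subj "/CN=Example SSH CA/O=example" -out "$pki/ca.pem"
    # Hypothetical SSH host certificate, ECDSA as in the thread.
    openssl ecparam -name prime256v1 -genkey -noout -out "$pki/host.key"
    openssl req -new -key "$pki/host.key" \
        -subj "/CN=ssh-host.example/O=example" -out "$pki/host.csr"
    openssl x509 -req -in "$pki/host.csr" -CA "$pki/ca.pem" -CAkey "$pki/ca.key" \
        -CAcreateserial -sha256 -days 1 -out "$pki/host.pem" 2>/dev/null
    # CACertificatePath is an OpenSSL hashed directory: <subject_hash>.N -> CA cert.
    cp "$pki/ca.pem" "$pki/certs/$(openssl x509 -hash -noout -in "$pki/ca.pem").0"
}

# Run the check Roumen suggests: openssl verify against the same -CAfile/-CApath
# that ssh_config's CACertificateFile/CACertificatePath use.
# Prints OK when the chain builds, ERR<n> with OpenSSL's verify error code otherwise.
# $1 = CAfile ("" to give none), $2 = CApath, $3 = certificate to verify.
x509_store_status() {
    cafile=$1; capath=$2; cert=$3
    if [ -n "$cafile" ]; then
        out=$(openssl verify -CAfile "$cafile" -CApath "$capath" "$cert" 2>&1 || true)
    else
        out=$(openssl verify -CApath "$capath" "$cert" 2>&1 || true)
    fi
    case "$out" in
        *": OK"*) printf 'OK\n' ;;
        *)
            # e.g. "error 20 at 0 depth lookup: unable to get local issuer certificate"
            code=$(printf '%s\n' "$out" \
                | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth.*/\1/p' | head -n 1)
            printf 'ERR%s\n' "${code:-UNKNOWN}" ;;
    esac
}

WORK=$(mktemp -d)
make_test_pki "$WORK"
# Same failure the poster saw: the leaf is present but its issuer is not in the store.
echo "issuer missing from store: $(x509_store_status "" "$WORK/empty" "$WORK/host.pem")"
# Fixed two ways: issuer reachable via CAfile, or via the hashed CApath directory.
echo "issuer via CAfile:         $(x509_store_status "$WORK/ca.pem" "$WORK/empty" "$WORK/host.pem")"
echo "issuer via hashed CApath:  $(x509_store_status "" "$WORK/certs" "$WORK/host.pem")"
```

For a real store, build the hashed directory with openssl rehash (or the older c_rehash) rather than copying by hand, and add -purpose sslserver to the verify command to mirror the AllowedCertPurpose sslserver line in the poster's ssh_config; a chain that passes openssl verify with those arguments is the one the ssh client will accept from the same CACertificateFile and CACertificatePath.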