[ssh_x509] How to Authenticate to Non-X.509 SSH Servers

ssh_x509 at roumenpetrov.info
Mon Jul 13 19:33:18 EEST 2015


All / Roumen,

	If I understand this correctly, this is something I have to manually 
specify for every server (obviously, optionally in the .ssh/config file)?

That is a huge breakage to me (since it's the first thing I noticed).

Once I'm on a host that doesn't talk PKIXSSH, it doesn't appear it can 
access my RSA public key in my (forwarded) agent.  Is this expected?

Thanks,
	Roy Keene

On 07/12/2015 04:03 AM, ssh_x509 at roumenpetrov.info wrote:
> ssh_x509 at roumenpetrov.info wrote:
>> All,
>>
>>     I just started using PKIX-SSH and have been able to configure it
>> locally to talk to a remote SSH server running PKIX-SSH via a
>> smartcard accessed through a PKCS#11 module.
>>
>> However, when I try to use my agent to talk to an SSH server that does
>> not support PKIX-SSH I am unable to authenticate with the
>> public-key-only.  I get the following error:
>>     sshd[15416]: userauth_pubkey: unsupported public key algorithm:
>> x509v3-sign-rsa [preauth]
>>
>> What is the intended way for users to authenticate to Non-PKIX-SSH
>> servers as well as PKIX-SSH servers using the same agent (while using
>> PKCS#11)?
>
> Option PubkeyAlgorithms allows fallback to "plain" keys. For
> x509v3-sign-rsa, "plain" is ssh-rsa.
> If you start the client with -o PubkeyAlgorithms=ssh-rsa you should be able
> to connect to the server using the ssh-rsa public key algorithm.
>
>>
>> Thanks,
>>     Roy Keene
>>
> Roumen