[ssh_x509] How to Authenticate to Non-X.509 SSH Servers

ssh_x509 at roumenpetrov.info
Thu Jul 16 00:07:02 EEST 2015




On 07/15/2015 02:46 PM, ssh_x509 at roumenpetrov.info wrote:
> ssh_x509 at roumenpetrov.info wrote:
>> All / Roumen,
>>
>>     If I understand this correctly, this is something I have to
>> manually specify for every server (obviously, optionally in the
>> .ssh/config file) ?
> It depends on the environment. Based on some requests in the past, in
> a corporate network only X.509 keys are acceptable.

I don't understand this response to my question, but I'll take it as a 
"Yes, you must manually specify it per host because the software doesn't 
try to help you do this."

>>
>> That is a huge breakage to me (since it's the first thing I noticed).
> If most of the servers support only "plain" public keys, you could set
> PubkeyAlgorithms in the Host * section.
>

This just means I have to manually specify the other way per host, 
there's no gain here over specifying it the other way around.

>>
>> Once I'm on a host that doesn't talk PKIXSSH, it doesn't appear it can
>> access my RSA public key in my (forwarded) agent.  Is this expected ?
> It should work, as the protocol is the same. Did you mean servers with
> the Tectia or SUN ssh implementation?
>

OpenSSH 6.8p1

When I do SSH to a host that has OpenSSH (version 6.8p1), and it tries 
to talk to my forwarded agent it gets real confused and doesn't actually 
work.

laptop$ ssh-add -l
2048 SHA256:E+Yy2LLGsS9ADqOod1QrOuqHWE3i+9OQpljqrGAc080 /opt/appfs/rkeene.org/cackey/platform/latest/lib/libcackey.so (RSA+cert)
laptop$ ssh root@server
server# ssh-add -l
error fetching identities for protocol 2: invalid format
The agent has no identities.
server# ssh -V
OpenSSH_6.8p1, OpenSSL 1.0.2a-fips 19 Mar 2015
server#

>>
>> Thanks,
>>     Roy Keene
>
> Regards
> Roumen Petrov