[ssh_x509] How to Authenticate to Non-X.509 SSH Servers

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Thu Jul 16 00:48:39 EEST 2015

ssh_x509 at roumenpetrov.info wrote:
> On 07/15/2015 02:46 PM, ssh_x509 at roumenpetrov.info wrote:
>> ssh_x509 at roumenpetrov.info wrote:
>>> All / Roumen,
>>>     If I understand this correctly, this is something I have to
>>> manually specify for every server (obviously, optionally in the
>>> .ssh/config file) ?
>> It depends on the environment. Based on some requests in the past, in a
>> corporate network only X.509 keys are acceptable.
> I don't understand this response to my question, but I'll take it as a 
> "Yes, you must manually specify it per host because the software 
> doesn't try to help you do this."
>>> That is a huge breakage to me (since it's the first thing I noticed).
>> If most of your servers support only "plain" public keys you could set
>> PubkeyAlgorithms in the Host * section.
> This just means I have to manually specify the other way per host, 
> there's no gain here over specifying it the other way around.
Manual configuration is preferred to limit algorithms.
Otherwise the client could exceed MaxAuthTries (6 by default) with attempts
for "fall-back" algorithms.
>>> Once I'm on a host that doesn't talk PKIXSSH, it doesn't appear it can
>>> access my RSA public key in my (forwarded) agent.  Is this expected ?
>> It should work as the protocol is the same. Did you mean servers with Tectia or
>> SUN ssh implementation?
> OpenSSH 6.8p1
> When I do SSH to a host that has OpenSSH (version 6.8p1), and it tries 
> to talk to my forwarded agent it gets real confused and doesn't 
> actually work.
> laptop$ ssh-add -l
> 2048 SHA256:E+Yy2LLGsS9ADqOod1QrOuqHWE3i+9OQpljqrGAc080 
> /opt/appfs/rkeene.org/cackey/platform/latest/lib/libcackey.so (RSA+cert)
> laptop$ ssh root at server
> server# ssh-add -l
> error fetching identities for protocol 2: invalid format
> The agent has no identities.
> server# ssh -V
> OpenSSH_6.8p1, OpenSSL 1.0.2a-fips 19 Mar 2015
> server#
Actually, the key stored in the agent is an X.509 key (RSA+cert), not a plain
RSA key. So for X.509 keys the error is expected.
It seems to me the correction for bz#2234 (6.7) is not enough :(.
Even if the user stores a plain RSA key, the agent may not work as expected
according to the last bug comment.
I'm not sure if this issue could be fixed in PKIX-SSH.
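The symptom in this thread is visible in `ssh-add -l` before any connection is made: the identity the agent offers is marked `(RSA+cert)`, i.e. an X.509 key, which a plain OpenSSH 6.8 server cannot use. The script below is an added example, not code from the thread or from PKIX-SSH: it parses `ssh-add -l` output, separates X.509 identities from plain ones, and estimates whether offering them all (with fall-back algorithms) could run past `MaxAuthTries`. It assumes that a `+cert` suffix on the key type marks an X.509 identity, as the quoted output suggests; the second sample line (a plain RSA key with a placeholder fingerprint) and the two-attempts-per-X.509-key estimate are constructed assumptions.

```python
import re
from dataclasses import dataclass

DEFAULT_MAX_AUTH_TRIES = 6  # sshd default quoted in the thread

# Constructed sample of `ssh-add -l` output. The first line is the one quoted in
# the thread (re-joined onto one line); the second is a made-up plain RSA key
# with a placeholder fingerprint.
SAMPLE_SSH_ADD_L = """\
2048 SHA256:E+Yy2LLGsS9ADqOod1QrOuqHWE3i+9OQpljqrGAc080 /opt/appfs/rkeene.org/cackey/platform/latest/lib/libcackey.so (RSA+cert)
4096 SHA256:PLACEHOLDER_FINGERPRINT_NOT_A_REAL_KEY user@laptop (RSA)
"""

# <bits> <fingerprint> <comment, may contain spaces> (<type>)
_LINE_RE = re.compile(
    r"^(?P<bits>\d+)\s+(?P<fp>\S+)\s+(?P<comment>.*?)\s+\((?P<type>[^()]+)\)\s*$"
)


@dataclass
class AgentIdentity:
    bits: int
    fingerprint: str
    comment: str
    key_type: str

    @property
    def is_x509(self) -> bool:
        # Assumption drawn from the thread: PKIX-SSH lists X.509 identities
        # with a "+cert" suffix on the key type, e.g. "RSA+cert".
        return self.key_type.endswith("+cert")


def parse_ssh_add_list(text: str) -> list[AgentIdentity]:
    """Parse `ssh-add -l` output into identities.

    The agent error quoted in the thread ("error fetching identities ...:
    invalid format") is surfaced as a ValueError rather than silently skipped,
    because it means the agent could not be listed at all.
    """
    identities = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "The agent has no identities.":
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ssh-add -l line: {line!r}")
        identities.append(
            AgentIdentity(int(m["bits"]), m["fp"], m["comment"], m["type"])
        )
    return identities


def check_agent_for_plain_server(
    text: str,
    max_auth_tries: int = DEFAULT_MAX_AUTH_TRIES,
    x509_fallback_attempts: int = 2,
):
    """Split identities into X.509 and plain, and flag a MaxAuthTries risk.

    Returns (x509_identities, plain_identities, estimated_attempts, over_limit).
    The estimate assumes each plain key costs one attempt and each X.509 key
    costs `x509_fallback_attempts` (X.509 algorithm, then a fall-back); this
    multiplier is a constructed assumption, not a documented PKIX-SSH value.
    """
    identities = parse_ssh_add_list(text)
    x509 = [i for i in identities if i.is_x509]
    plain = [i for i in identities if not i.is_x509]
    attempts = len(plain) + len(x509) * x509_fallback_attempts
    return x509, plain, attempts, attempts > max_auth_tries


if __name__ == "__main__":
    x509, plain, attempts, over = check_agent_for_plain_server(SAMPLE_SSH_ADD_L)
    for ident in x509:
        print(f"X.509 identity (will fail on plain OpenSSH): {ident.comment}")
    for ident in plain:
        print(f"plain identity: {ident.comment}")
    print(f"estimated attempts: {attempts}, exceeds MaxAuthTries: {over}")
```

A practical use is to run this against the laptop's agent before forwarding it: if only `+cert` identities are loaded, the remote `ssh` will see exactly the "invalid format" failure shown above, and restricting `PubkeyAlgorithms` per host (or loading a plain key alongside) is the fix the thread points at.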