[ssh_x509] Missing Something Fundamental

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Tue Mar 14 16:52:23 EET 2017


Greetings.

It seems I’m missing something fundamental in getting X.509 certificates to
work with PIN prompt. Below are the steps I used to try to get X.509 with
PIN prompt to work.

1) Create 2 machines and install latest CentOS 7 minimal ISO. One machine
is called server.local, the other called client.local
2) Get latest PKIXSSH tarball for both machined
3) Run ./configure —prefix=/opt/pkixssh —enable-pkcs11 on both machines
4) Run make install on both machines
5) Run yum install opensc
6) Plug in USB smart card reader and run opensc-tool -l and opens-tool -n
on client.local machine to confirm cert on card
7) Copy root and intermediate certs to /opt/pkixssh/etc/ca/crt directory
and run openssl x509 -noout -hash -in <root|intermediate> certs. Run ln -s
root.crt <hash>.0 and ln -s int.crt <hash>.0 on both machines
8) Edit server.local /opt/pkixssh/etc/sshd_config options explicity:
CACertificatePath /opt/pkixssh/etc/ca/crt, PubkeyAuthentication yes,
PasswordAuthentication no,  ChallengeResponseAuthentication no
9) Edit client.local /opt/pkixssh/etc/ssh_config explicity:
CACertificatePath /opt/pkixssh/etc/ca/crt
10) On server.local, create local account with same name as CN on
certificate
10) On server.local, run /opt/pkixssh/sbin/sshd -D
11) On client.local, run /opt/pkixssh/bin/ssh I /usr/lib64/opensc-pkcs11.so
<server-local-account>@192.168.1.1
12) I do not get a request to enter the PIN for the smart card

Obviously, I’m missing something fundamental here. If it matters, I was
able to get X.509 to work using ssh <dot> com <http://ssh.com/> server and
client software with a PIN prompt.

Does anyone have a working sshd_config.conf and ssh_config.conf working
with X.509 and prompts for the PIN on the smart card?

If need be, I can post the entire sshd_config.conf and ssh_config.conf
files.

Thanks for the help!

Jose



More information about the ssh_x509 mailing list