[ssh_x509] Missing Something Fundamental

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Thu Mar 16 00:57:45 EET 2017

Hi Jose ,
ssh_x509 at roumenpetrov.info wrote:
> Greetings.
> It seems I’m missing something fundamental in getting X.509 certificates to
> work with PIN prompt. Below are the steps I used to try to get X.509 with
> PIN prompt to work.
> 1) Create 2 machines and install latest CentOS 7 minimal ISO. One machine
> is called server.local, the other called client.local
> 2) Get latest PKIXSSH tarball for both machined
> 3) Run ./configure —prefix=/opt/pkixssh —enable-pkcs11 on both machines
enable-pkcs11 was removed long time ago.

> 4) Run make install on both machines
> 5) Run yum install opensc
> 6) Plug in USB smart card reader and run opensc-tool -l and opens-tool -n
> on client.local machine to confirm cert on card
> 7) Copy root and intermediate certs to /opt/pkixssh/etc/ca/crt directory
> and run openssl x509 -noout -hash -in <root|intermediate> certs. Run ln -s
> root.crt <hash>.0 and ln -s int.crt <hash>.0 on both machines
> 8) Edit server.local /opt/pkixssh/etc/sshd_config options explicity:
> CACertificatePath /opt/pkixssh/etc/ca/crt, PubkeyAuthentication yes,
> PasswordAuthentication no,  ChallengeResponseAuthentication no
> 9) Edit client.local /opt/pkixssh/etc/ssh_config explicity:
> CACertificatePath /opt/pkixssh/etc/ca/crt
> 10) On server.local, create local account with same name as CN on
> certificate
> 10) On server.local, run /opt/pkixssh/sbin/sshd -D
> 11) On client.local, run /opt/pkixssh/bin/ssh I /usr/lib64/opensc-pkcs11.so
> <server-local-account>@
Everything sounds correct .
> 12) I do not get a request to enter the PIN for the smart card
> [SNIP]
> Does anyone have a working sshd_config.conf and ssh_config.conf working
> with X.509 and prompts for the PIN on the smart card?
Server or client configuration is not related to 'pin prompt'.
Right now I have no idea way PIN prompt does not work.

> If need be, I can post the entire sshd_config.conf and ssh_config.conf
> files.
> Thanks for the help!
> Jose


More information about the ssh_x509 mailing list