[ssh_x509] Missing Something Fundamental

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Fri Mar 17 23:33:20 EET 2017

Hi Jose,

ssh_x509 at roumenpetrov.info wrote:
> Roumen,
> I went ahead and rebuilt the server and client machines and only
> uncommented CACertificatePath in /opt/pkixssh/etc/sshd_config and added
> Port 2222 on server.local and uncommented CACertificatePath in
> /opt/pkixssh/etc/ssh_config on client.local only.
> I also ran p11tool on client.local and here's the output:
> [SNIP]
> Here's the output of server.local:
> [SNIP]
> debug1: userauth-request for user sc_jose service ssh-connection method
> none [preauth]
> debug1: attempt 0 failures 0 [preauth]
> debug1: userauth-request for user sc_jose service ssh-connection method
> publickey [preauth]
> debug1: attempt 1 failures 0 [preauth]
> debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for
> RSA+cert SHA256:FjI0rKTF2Qle8y0wcMqIgFlYCWvycRRWk0j1mfY9Wdg [preauth]
> debug1: temporarily_use_uid: 1000/1000 (e=0/0)
> debug1: trying public key file /home/sc_jose/.ssh/authorized_keys
> debug1: Could not open authorized keys
> '/home/sc_jose/.ssh/authorized_keys': No such file or directory
> debug1: restore_uid: 0/0
> Failed publickey for sc_jose from port 45926 ssh2: RSA+cert
> SHA256:FjI0rKTF2Qle8y0wcMqIgFlYCWvycRRWk0j1mfY9Wdg
On the server side an authorized keys file is required. It defines the map between 
user and keys.
You have to add a line that describes the keys.
RSA+cert in the log above means an X.509 certificate with the RSA algorithm.

> [SNIP]
> Here's the output of client.local:
> [SNIP]
> debug1: Next authentication method: publickey
> debug1: Offering RSA+cert public key: /usr/lib64/libcoolkeypk11.so
> debug1: Authentications that can continue:
> publickey,password,keyboard-interactive
The client sends an unsigned(!) request with the X.509 certificate. 
The key (certificate) is rejected by the server (not authorized in the sample). 
The client will try the next key or method.


In brief, the canonical name or principal name is used neither in 
authentication nor in authorization.
For PKIX-SSH you should describe the allowed keys in the "authorized keys file".
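An added diagnostic (my own example, not code from this thread or from PKIX-SSH) that parses sshd debug output like the server log quoted above and reports each key offer the server rejected, the authorized keys file it consulted and why that file could not be used. The sample log is constructed from the quoted lines; the client address 192.0.2.10 is made up, since the quoted log had it stripped.

```python
import re
from dataclasses import dataclass

# Constructed sample of sshd -d output, modelled on the server log quoted above.
SAMPLE_LOG = """\
debug1: userauth-request for user sc_jose service ssh-connection method none [preauth]
debug1: userauth-request for user sc_jose service ssh-connection method publickey [preauth]
debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA+cert SHA256:FjI0rKTF2Qle8y0wcMqIgFlYCWvycRRWk0j1mfY9Wdg [preauth]
debug1: trying public key file /home/sc_jose/.ssh/authorized_keys
debug1: Could not open authorized keys '/home/sc_jose/.ssh/authorized_keys': No such file or directory
Failed publickey for sc_jose from 192.0.2.10 port 45926 ssh2: RSA+cert SHA256:FjI0rKTF2Qle8y0wcMqIgFlYCWvycRRWk0j1mfY9Wdg
"""

# The unsigned "is this key acceptable?" query the client sends first.
RE_TEST = re.compile(r"userauth_pubkey: test whether pkalg/pkblob are acceptable for (\S+) (SHA256:\S+)")
RE_FILE = re.compile(r"trying public key file (\S+)")
RE_OPEN = re.compile(r"Could not open authorized keys '([^']+)': (.+)")
RE_FAIL = re.compile(r"Failed publickey for (\S+) from (?:(\S+) )?port (\d+) ssh2: (\S+) (SHA256:\S+)")

@dataclass
class Rejection:
    user: str
    key_type: str          # e.g. "RSA+cert": X.509 certificate with an RSA key
    fingerprint: str
    authorized_keys: str   # file sshd tried to read for this user
    reason: str            # why the file or key was not usable

    @property
    def is_x509(self) -> bool:
        return self.key_type.endswith("+cert")

def find_rejected_offers(log: str) -> list:
    """Tie each 'Failed publickey' line to the preceding test query and the
    authorized keys file sshd consulted, so the operator sees what to fix."""
    out, pending, path, reason = [], None, "", ""
    for line in log.splitlines():
        if m := RE_TEST.search(line):
            pending = (m.group(1), m.group(2))
            path, reason = "", "no matching line in authorized keys file"
        elif m := RE_FILE.search(line):
            path = m.group(1)
        elif m := RE_OPEN.search(line):
            path, reason = m.group(1), m.group(2)
        elif m := RE_FAIL.search(line):
            user, _addr, _port, ktype, fp = m.groups()
            if pending == (ktype, fp):   # same key as the one just tested
                out.append(Rejection(user, ktype, fp, path, reason))
            pending = None
    return out

if __name__ == "__main__":
    for r in find_rejected_offers(SAMPLE_LOG):
        kind = "X.509 certificate" if r.is_x509 else "plain key"
        print(f"{r.user}: {kind} {r.fingerprint} rejected; {r.authorized_keys}: {r.reason}")
```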


Secure shell with X.509 certificate support
