[ssh_x509] Missing Something Fundamental

ssh_x509 at roumenpetrov.info
Fri Mar 17 23:33:20 EET 2017


Hi Jose,

ssh_x509 at roumenpetrov.info wrote:
> Roumen,
>
> I went ahead and rebuilt the server and client machines and only
> uncommented CACertificatePath in /opt/pkixssh/etc/sshd_config and added
> Port 2222 on server.local and uncommented CACertificatePath in
> /opt/pkixssh/etc/ssh_config on client.local only.
>
> I also ran p11tool on client.local and here's the output:
> [SNIP]
>
> Here's the output of server.local:
> [SNIP]
> debug1: userauth-request for user sc_jose service ssh-connection method
> none [preauth]
> debug1: attempt 0 failures 0 [preauth]
> debug1: userauth-request for user sc_jose service ssh-connection method
> publickey [preauth]
> debug1: attempt 1 failures 0 [preauth]
> debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for
> RSA+cert SHA256:FjI0rKTF2Qle8y0wcMqIgFlYCWvycRRWk0j1mfY9Wdg [preauth]
> debug1: temporarily_use_uid: 1000/1000 (e=0/0)
> debug1: trying public key file /home/sc_jose/.ssh/authorized_keys
> debug1: Could not open authorized keys
> '/home/sc_jose/.ssh/authorized_keys': No such file or directory
> debug1: restore_uid: 0/0
> Failed publickey for sc_jose from 192.168.240.136 port 45926 ssh2: RSA+cert
> SHA256:FjI0rKTF2Qle8y0wcMqIgFlYCWvycRRWk0j1mfY9Wdg
On the server side an authorized keys file is required. It defines the map between
user and keys.
You have to add a line that describes the keys.
RSA+cert in the log above means an X.509 certificate with the RSA algorithm.

> [SNIP]
>
> Here's the output of client.local:
> [SNIP]
> debug1: Next authentication method: publickey
> debug1: Offering RSA+cert public key: /usr/lib64/libcoolkeypk11.so
> debug1: Authentications that can continue:
> publickey,password,keyboard-interactive
The client sends an unsigned(!) request with the X.509 certificate.
The key (certificate) is rejected by the server (not authorized in the sample).
The client will try the next key or method.

[SNIP]

In brief, neither the canonical name nor the principal name is used in
authentication or authorization.
For PKIX-SSH you should describe the allowed keys in the "authorized keys file".


Regards,
Roumen


-- 
Secure shell with X.509 certificate support
http://roumenpetrov.info/secsh/
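The server-side debug lines quoted above are exactly what a defender sees when a PKIX-SSH X.509 key is offered but no authorized_keys mapping exists. The following is an added example (not part of this thread or of PKIX-SSH) that triages such `sshd -d` output: it links each "Failed publickey" line back to the authorized_keys lookup that preceded it and states the likely cause. The sample log is constructed from the lines quoted in the thread, with the wrapped "Failed publickey" line rejoined; the `+cert` suffix test and the hint texts are this example's own assumptions.

```python
import re
from typing import List, Optional

# Constructed sample: sshd debug lines from the thread, trimmed and rejoined.
SAMPLE_LOG = """\
debug1: userauth-request for user sc_jose service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: userauth-request for user sc_jose service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA+cert SHA256:FjI0rKTF2Qle8y0wcMqIgFlYCWvycRRWk0j1mfY9Wdg [preauth]
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /home/sc_jose/.ssh/authorized_keys
debug1: Could not open authorized keys '/home/sc_jose/.ssh/authorized_keys': No such file or directory
debug1: restore_uid: 0/0
Failed publickey for sc_jose from 192.168.240.136 port 45926 ssh2: RSA+cert SHA256:FjI0rKTF2Qle8y0wcMqIgFlYCWvycRRWk0j1mfY9Wdg
"""

TRYING_RE = re.compile(r"trying public key file (\S+)")
NOFILE_RE = re.compile(r"Could not open authorized keys '([^']+)'")
FAILED_RE = re.compile(r"^Failed publickey for (\S+) from (\S+) port \d+ ssh2: (\S+) (SHA256:\S+)")


def triage(log: str) -> List[dict]:
    """One record per 'Failed publickey' line, carrying the key type, the
    fingerprint and the state of the authorized_keys lookup that preceded it."""
    findings = []
    last_file: Optional[str] = None   # authorized_keys path sshd tried last
    missing: Optional[str] = None     # set when that file could not be opened
    for line in log.splitlines():
        if m := TRYING_RE.search(line):
            last_file, missing = m.group(1), None
        elif m := NOFILE_RE.search(line):
            missing = m.group(1)
        elif m := FAILED_RE.match(line):
            user, src, keytype, fp = m.groups()
            # PKIX-SSH logs X.509 keys as "<alg>+cert" (assumption: suffix check is enough here)
            is_x509 = keytype.endswith("+cert")
            if is_x509 and missing:
                hint = ("authorized_keys file absent; PKIX-SSH authorizes by a key line in that "
                        "file, not by certificate subject or principal name")
            elif missing:
                hint = "authorized_keys file absent"
            else:
                hint = "key not accepted by authorized_keys lookup (or rejected earlier)"
            findings.append({"user": user, "src": src, "keytype": keytype, "fingerprint": fp,
                             "is_x509": is_x509, "authorized_keys": last_file,
                             "file_missing": missing is not None, "hint": hint})
    return findings
```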