[ssh_x509] Missing Something Fundamental

ssh_x509 at roumenpetrov.info
Wed Apr 12 22:03:23 EEST 2017


After a lot of banging my head against the desk, I was finally able to get
X.509 certs working. The issue was that the certs on the server were in DER
format instead of PEM format.

One more question:

Is there anything in sshd_config I can configure to have the PKIX-SSH
server accept only RSA+cert SHA256 authentication?

The reason I ask is because if I use another ssh client, I am still able to
ssh to the PKIX-SSH server. I've noticed the debug output is RSA SHA256
instead of RSA+cert SHA256.

Thanks for your reply!


On Fri, Mar 17, 2017 at 4:33 PM, <ssh_x509 at roumenpetrov.info> wrote:

> Hi Jose,
> ssh_x509 at roumenpetrov.info wrote:
>> Roumen,
>> I went ahead and rebuilt the server and client machines and only
>> uncommented CACertificatePath in /opt/pkixssh/etc/sshd_config and added
>> Port 2222 on server.local and uncommented CACertificatePath in
>> /opt/pkixssh/etc/ssh_config on client.local only.
>> I also ran p11too on client.local and here's the output:
>> [SNIP]
>> Here's the output of server.local:
>> [SNIP]
>> debug1: userauth-request for user sc_jose service ssh-connection method none [preauth]
>> debug1: attempt 0 failures 0 [preauth]
>> debug1: userauth-request for user sc_jose service ssh-connection method publickey [preauth]
>> debug1: attempt 1 failures 0 [preauth]
>> debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA+cert SHA256:FjI0rKTF2Qle8y0wcMqIgFlYCWvycRRWk0j1mfY9Wdg [preauth]
>> debug1: temporarily_use_uid: 1000/1000 (e=0/0)
>> debug1: trying public key file /home/sc_jose/.ssh/authorized_keys
>> debug1: Could not open authorized keys '/home/sc_jose/.ssh/authorized_keys': No such file or directory
>> debug1: restore_uid: 0/0
>> Failed publickey for sc_jose from port 45926 ssh2: RSA+cert SHA256:FjI0rKTF2Qle8y0wcMqIgFlYCWvycRRWk0j1mfY9Wdg
> On server side authorized keys file is required. It defines map between
> user and keys.
> You have to add a line that describes keys.
> RSA+cert in the log above means X.509 certificate with RSA algorithm.
> [SNIP]
>> Here's the output of client.local:
>> [SNIP]
>> debug1: Next authentication method: publickey
>> debug1: Offering RSA+cert public key: /usr/lib64/libcoolkeypk11.so
>> debug1: Authentications that can continue: publickey,password,keyboard-interactive
> Client sends unsigned(!) request with X.509 certificate. Key(Certificate)
> is rejected by server (not authorized in sample). Client will try next key
> or method.
> [SNIP]
> In brief, canonical name or principal name are used neither in
> authentication nor in authorization.
> For PKIX-SSH you should describe in "authorized keys file" allowed keys.
> Regards,
> Roumen
> --
> Secure shell with X.509 certificate support
> http://roumenpetrov.info/secsh/
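One way for a server administrator to answer the question raised in this thread (which logins were authenticated with an X.509 certificate and which with a plain key) is to scan the sshd log for the "RSA+cert" versus "RSA" key type. The script below is an added example, not code from the thread or from PKIX-SSH; the log lines it parses are constructed after the "Failed publickey ... ssh2: RSA+cert SHA256:..." output quoted above, and the "Accepted publickey" line shape is assumed to follow the same layout.

```python
import re
from dataclasses import dataclass

# Matches the auth-result line sshd / PKIX-SSH writes for a public-key attempt, e.g.
#   Failed publickey for sc_jose from port 45926 ssh2: RSA+cert SHA256:FjI0...
# The source address is optional because the quoted debug output omits it.
AUTH_RE = re.compile(
    r"(?P<result>Accepted|Failed) publickey for (?P<user>\S+)"
    r" from(?: (?P<addr>\S+))? port (?P<port>\d+) ssh2:"
    r" (?P<keytype>\S+) (?P<fp>SHA256:\S+)"
)

@dataclass
class AuthEvent:
    result: str
    user: str
    keytype: str
    fingerprint: str
    certificate: bool  # True when the key type carries an X.509 certificate ("+cert")

def parse_auth_events(lines):
    """Extract public-key auth events from log lines; other lines are ignored."""
    events = []
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            events.append(AuthEvent(m["result"], m["user"], m["keytype"],
                                    m["fp"], "+cert" in m["keytype"]))
    return events

def non_certificate_logins(lines):
    """Users that were accepted with a plain key, i.e. without an X.509 certificate."""
    return sorted({e.user for e in parse_auth_events(lines)
                   if e.result == "Accepted" and not e.certificate})

# Constructed sample log (modeled on the thread's output; fingerprints are placeholders).
SAMPLE_LOG = [
    "Failed publickey for sc_jose from port 45926 ssh2: RSA+cert SHA256:FjI0rKTF2Qle8y0wcMqIgFlYCWvycRRWk0j1mfY9Wdg",
    "Accepted publickey for sc_jose from 192.0.2.10 port 45927 ssh2: RSA+cert SHA256:PLACEHOLDERCERTKEYFINGERPRINT0000000000000",
    "Accepted publickey for jdoe from 192.0.2.11 port 50122 ssh2: RSA SHA256:PLACEHOLDERPLAINKEYFINGERPRINT000000000000",
    "debug1: attempt 1 failures 0 [preauth]",
]

if __name__ == "__main__":
    for ev in parse_auth_events(SAMPLE_LOG):
        print(ev)
    print("accepted without certificate:", non_certificate_logins(SAMPLE_LOG))
```

Run it against the server's own log to see which accepted logins bypassed the certificate path; the authorized keys file, as the reply above notes, is what decides which keys are accepted at all.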
