[ssh_x509] Missing Something Fundamental

ssh_x509 at roumenpetrov.info
Wed Apr 12 22:18:51 EEST 2017


ssh_x509 at roumenpetrov.info wrote:
> Roumen,
>
> After a lot of banging my head against the desk, I was finally able to get
> X.509 certs working. The issue was that the certs on the server were in DER
> format instead of PEM format.
>
> One more question:
>
> Is there anything in sshd_config I can configure to have the PKIX-SSH
> server only accept RSA+cert SHA256 authentication only?
Please have a look at the server options PubkeyAlgorithms and
HostbasedAlgorithms (available since v5.1/24 Nov 2004).

A recent version adds another option, AcceptedAlgorithms, that impacts
the above options.

By default there is no restriction.

See the ssh_config(5) manual page for details.

> The reason I ask is because if I use another ssh client, I am still able to
> ssh to the PKIX-SSH server. I've noticed the debug output is RSA SHA256
> instead of RSA+cert SHA256.
>
> Thanks for your reply!
>
> Jose
[SNIP]

Roumen
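
An added example, not part of the original message and not PKIX-SSH code: a small audit that reads sshd_config text and reports whether the options named in the reply are unset (no restriction), limited to X.509 algorithms, or still list plain-key algorithms. It assumes comma-separated algorithm lists, that the first occurrence of a keyword wins (as in OpenSSH), and that X.509 algorithm names start with "x509v3-"; the algorithm names in the sample configurations are illustrative, so check the names your own build reports.

```python
# Added example: audit sshd_config text for the restriction discussed above.
# Assumptions: comma-separated algorithm lists, first occurrence of a keyword
# wins (OpenSSH behaviour), and X.509 algorithm names start with "x509v3-".
OPTIONS = ("pubkeyalgorithms", "hostbasedalgorithms", "acceptedalgorithms")

def parse_algorithm_options(text):
    """Return {option: [algorithms]} for the global section of an sshd_config."""
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        key = parts[0].lower()                   # keywords are case-insensitive
        if key == "match":                       # Match blocks are out of scope here
            break
        if key in OPTIONS and key not in found and len(parts) == 2:
            found[key] = [a.strip() for a in parts[1].split(",") if a.strip()]
    return found

def audit(text):
    """Map each option to 'unrestricted', 'x509-only' or its plain-key algorithms."""
    found = parse_algorithm_options(text)
    report = {}
    for opt in OPTIONS:
        if opt not in found:
            report[opt] = "unrestricted"         # option unset: no restriction
            continue
        plain = [a for a in found[opt] if not a.lower().startswith("x509v3-")]
        report[opt] = plain if plain else "x509-only"
    return report

# Constructed sample configurations (not taken from the thread).
DEFAULT_CONFIG = "Port 22\n# PubkeyAlgorithms not set\n"
MIXED_CONFIG = "PubkeyAlgorithms x509v3-rsa2048-sha256,rsa-sha2-256\n"
STRICT_CONFIG = ("pubkeyalgorithms x509v3-rsa2048-sha256\n"
                 "HostbasedAlgorithms=x509v3-rsa2048-sha256\n")

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG),
                      ("mixed", MIXED_CONFIG),
                      ("strict", STRICT_CONFIG)):
        print(name, audit(cfg))
```

Include files and Match blocks are not followed, so a real audit should also compare against the effective configuration the server reports.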


