[ssh_x509] Missing Something Fundamental

ssh_x509 at roumenpetrov.info
Wed Apr 12 23:34:22 EEST 2017


Roumen,

I was able to restrict incoming SSH client connections to using
the AcceptedAlgorithms directive.

Since I got this all working with a Linux client, do you know if anyone has
compiled your source code for Mac OS X? This would be strictly for the PKIX
SSH client.

Also, do you know any Windows SSH clients that will work with PKIX SSH
server? Could be commercial or open-source.

Thanks!

Jose



On Wed, Apr 12, 2017 at 2:18 PM, <ssh_x509 at roumenpetrov.info> wrote:

> ssh_x509 at roumenpetrov.info wrote:
>
>> Roumen,
>>
>> After a lot of banging my head against the desk, I was finally able to get
>> X.509 certs working. The issue was that the certs on the server were in DER
>> format instead of PEM format.
>>
>> One more question:
>>
>> Is there anything in sshd_config I can configure to have the PKIX-SSH
>> server accept only RSA+cert SHA256 authentication?
>>
> Please have a look at the server options PubkeyAlgorithms and
> HostbasedAlgorithms (available since v5.1/24 Nov 2004).
>
> A recent version adds another option, AcceptedAlgorithms, that impacts the
> above options.
>
> By default there is no restriction.
>
> See ssh_config(5) manual page for details.
>
>> The reason I ask is because if I use another ssh client, I am still able to
>> ssh to the PKIX-SSH server. I've noticed the debug output is RSA SHA256
>> instead of RSA+cert SHA256.
>>
>> Thanks for your reply!
>>
>> Jose
>>
> [SNIP]
>
> Roumen