[ssh_x509] Missing Something Fundamental

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Mon Apr 17 13:50:05 EEST 2017


Hi Jose,
ssh_x509 at roumenpetrov.info wrote:
> Roumen,
>
> I was able to successfully compile PKIX SSH under OS X El Capitan. I had to
> compile it using OpenSSL libraries instead of the native SSL libraries on
> the Mac.
Good to know.
If I remember well, a long time ago a number of open-source software
packages, including OpenSSL, were deprecated on OS X.

>   I only tested the PKIX SSH client. The PKIX SSH client works on
> the Mac for me.
>
> One more question:
>
> In the client debug output of "debug1: Offering RSA+cert public key.." is
> the PKIX SSH client sending the public certificate on the smart card to the
> server?
Yes.
I have to add a more detailed message because an X.509 certificate could be
presented differently. Quote from a client session (recent version):
...
debug1: Offering RSA+cert public key: tests/CA/testid_rsa-rsa_sha1
debug3: send_pubkey_test: x509v3-sign-rsa
...
debug1: Server accepts key: pkalg x509v3-sign-rsa blen 1952
...
debug1: read X.509 certificate done: type RSA+cert
debug3: ssh_x509_sign: key alg/type/name: x509v3-sign-rsa/RSA+cert/x509v3-sign-rsa
...
debug3: send packet: type 50
debug3: receive packet: type 52
...

> In the server debug output of "debug1: userauth_pubkey: test whether
> pkalg/pkblob are acceptable for RSA+cert SHA256...", is the PKIX SSH server
> receiving the public certificate from the client remotely?
Yes
More lines to watch ...
...
debug2: input_userauth_request: try method publickey
debug3: Xkey_from_blob() pkalg='x509v3-sign-rsa', blen=1952
debug3: x509_to_key: X509_get_pubkey done!
debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA+cert SHA256:<...DIGEST...>
...
debug3: userauth_pubkey: have signature for RSA+cert SHA256:<...DIGEST...>
...
debug2: userauth_pubkey: authenticated 1 pkalg x509v3-sign-rsa
Accepted publickey for ... from ... port ... ssh2: RSA+cert SHA256:<...DIGEST...>
debug3: send packet: type 52
...

> Just want to confirm this is what is happening.
>
> Jose

[SNIP]
Roumen
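
Added example, not part of the original message and not PKIX SSH code: a short Python trace over server debug lines like the ones quoted above, reporting whether a certificate blob arrived, was tested for acceptability, and was followed by a verified signature. The sample log is constructed from the lines in the message with placeholder digest, user and address; trace_pubkey_auth and the packet-name table (RFC 4252 message numbers) are this example's own names.

```python
import re

# Constructed sample modelled on the server debug lines quoted in the message;
# the digest, user and address are placeholders.
SAMPLE_LOG = """\
debug2: input_userauth_request: try method publickey
debug3: Xkey_from_blob() pkalg='x509v3-sign-rsa', blen=1952
debug3: x509_to_key: X509_get_pubkey done!
debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA+cert SHA256:EXAMPLEDIGEST
debug3: userauth_pubkey: have signature for RSA+cert SHA256:EXAMPLEDIGEST
debug2: userauth_pubkey: authenticated 1 pkalg x509v3-sign-rsa
Accepted publickey for user from 192.0.2.10 port 50000 ssh2: RSA+cert SHA256:EXAMPLEDIGEST
debug3: send packet: type 52
"""

# RFC 4252 message numbers that appear as "packet: type N" in debug output.
MSG = {50: "USERAUTH_REQUEST", 51: "USERAUTH_FAILURE",
       52: "USERAUTH_SUCCESS", 60: "USERAUTH_PK_OK"}

PATTERNS = [
    ("blob", re.compile(r"Xkey_from_blob\(\) pkalg='([^']+)', blen=(\d+)")),
    ("query", re.compile(r"test whether pkalg/pkblob are acceptable for (\S+) (\S+)")),
    ("signed", re.compile(r"have signature for (\S+) (\S+)")),
    ("result", re.compile(r"userauth_pubkey: authenticated (\d) pkalg (\S+)")),
    ("packet", re.compile(r"(send|receive) packet: type (\d+)")),
]

def trace_pubkey_auth(log):
    """Summarise what the server logged for a publickey authentication."""
    s = {"pkalg": None, "blen": None, "cert_received": False,
         "queried": False, "signature_seen": False, "authenticated": False,
         "fingerprint": None, "packets": []}
    for line in log.splitlines():
        for name, rx in PATTERNS:
            m = rx.search(line)
            if m and name == "blob":
                s["pkalg"], s["blen"] = m.group(1), int(m.group(2))
                # x509v3-* algorithm names mean the key blob is a certificate.
                s["cert_received"] = m.group(1).startswith("x509v3-")
            elif m and name in ("query", "signed"):
                s["queried" if name == "query" else "signature_seen"] = True
                s["fingerprint"] = m.group(2)
            elif m and name == "result":
                s["authenticated"] = m.group(1) == "1"
            elif m:
                n = int(m.group(2))
                s["packets"].append((m.group(1), MSG.get(n, str(n))))
    return s
```

A result with cert_received and queried set but signature_seen unset means the server only saw the acceptability test for the certificate, not proof of possession of the private key.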



