[ssh_x509] Missing Something Fundamental

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Wed Apr 19 19:15:16 EEST 2017


Roumen,

I thank you for all your helpful replies to my questions.

I do have another one and it involves the client.

In /op/pkixssh/etc/sshd_config on server.local, I have:

CACertificatePath /opt/pkixssh/etc/ca/crt uncommented. And in
/opt/pkixssh/etc/ca/crt I do have the root and intermediate certs hashed.

On client.local, in /home/jose/.ssh/config, I have:

CACertificatePath /opt/pkixssh/etc/ca/crt uncommented. And in
/opt/pkixssh/etc/ca/crt I do have the root and intermediate certs hashed.

So, server.local and client.local both have the same root and
intermediate certs.

When I run /opt/pkixssh/bin/ssh -I /usr/local/lib/opensc-pkcs11.so
jose at server.local -v on client.local, I get the following:

debug1: have 1 keys
cannot build certificate chain, code=20, msg='unable to get local issuer certificate'

Does this mean the client cannot find the root and intermediate certs even
though I have them in /opt/pkixssh/etc/ca/crt? Server and client have the
same root and intermediate certs.

Thanks for your reply.

Jose

On Mon, Apr 17, 2017 at 5:50 AM, <ssh_x509 at roumenpetrov.info> wrote:

> Hi Jose,
> ssh_x509 at roumenpetrov.info wrote:
>
>> Roumen,
>>
>> I was able to successfully compile PKIX SSH under OS X El Capitan. I had
>> to
>> compile it using OpenSSL libraries instead of the native SSL libraries on
>> the Mac.
>>
> Good to know.
> If I remember well, a long time ago OS X deprecated a number of open-source
> software packages, including OpenSSL.
>
>> I only tested the PKIX SSH client. The PKIX SSH client works on
>> the Mac for me.
>>
>> One more question:
>>
>> In the client debug output of "debug1: Offering RSA+cert public key.." is
>> the PKIX SSH client sending the public certificate on the smart card to
>> the
>> server?
>>
> Yes.
> I have to add a more detailed message because an X.509 certificate could be
> presented differently. Quote from a client session
> (recent version):
> ...
> debug1: Offering RSA+cert public key: tests/CA/testid_rsa-rsa_sha1
> debug3: send_pubkey_test: x509v3-sign-rsa
> ...
> debug1: Server accepts key: pkalg x509v3-sign-rsa blen 1952
> ...
> debug1: read X.509 certificate done: type RSA+cert
> debug3: ssh_x509_sign: key alg/type/name: x509v3-sign-rsa/RSA+cert/x509v3-sign-rsa
> ...
> debug3: send packet: type 50
> debug3: receive packet: type 52
> ...
>
>> In the server debug output of "debug1: userauth_pubkey: test whether
>> pkalg/pkblob are acceptable for RSA+cert SHA256...", is the PKIX SSH
>> server
>> receiving the public certificate from the client remotely?
>>
> Yes
> More lines to watch ...
> ...
> debug2: input_userauth_request: try method publickey
> debug3: Xkey_from_blob() pkalg='x509v3-sign-rsa', blen=1952
> debug3: x509_to_key: X509_get_pubkey done!
> debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for
> RSA+cert SHA256:<...DIGEST...>
> ...
> debug3: userauth_pubkey: have signature for RSA+cert SHA256:<...DIGEST...>
> ...
> debug2: userauth_pubkey: authenticated 1 pkalg x509v3-sign-rsa
> Accepted publickey for ... from ... port ... ssh2: RSA+cert
> SHA256:<...DIGEST...>
> debug3: send packet: type 52
> ...
>
>> Just want to confirm this is what is happening.
>>
>> Jose
>>
>
> [SNIP]
> Roumen
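Code 20 in that message is OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: the hash-directory lookup behind CACertificatePath found no <issuer_hash>.N file for some certificate in the chain, typically because the intermediate is absent from the directory or a file is present but not named by its subject hash. The script below is an added example, not code from the thread or from PKIX-SSH; it assumes only the openssl CLI and generates its own throwaway certificates so the check can be reproduced offline.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce and diagnose the
# "cannot build certificate chain, code=20" error. Code 20 is OpenSSL's
# X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: the hash-dir lookup used for
# CACertificatePath found no file named <issuer_hash>.N for some cert in
# the chain. Requires the openssl CLI; all certificates are generated here.
set -e

# Build a throwaway root -> intermediate -> leaf chain in <dir> (constructed
# test data). Extensions are given via files so no -addext is needed.
make_test_chain() {  # make_test_chain <dir>
    d=$1
    echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext"
    echo 'basicConstraints=CA:FALSE' > "$d/leaf.ext"
    for n in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=test-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -set_serial 2 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -set_serial 3 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
}

# Install <cert> into <capath> under its subject-hash name, picking the next
# free suffix (.0, .1, ...) exactly as c_rehash would.
install_ca() {  # install_ca <capath> <cert.pem>
    h=$(openssl x509 -noout -subject_hash -in "$2")
    i=0
    while [ -e "$1/$h.$i" ]; do i=$((i + 1)); done
    cp "$2" "$1/$h.$i"
}

# Does <capath> hold a hash-named file for the issuer of <cert>? This is the
# lookup that fails with code=20. Returns 0 if found, 1 if missing.
issuer_in_capath() {  # issuer_in_capath <capath> <cert.pem>
    h=$(openssl x509 -noout -issuer_hash -in "$2")
    if ls "$1/$h".[0-9]* >/dev/null 2>&1; then
        echo "issuer $h present in $1"; return 0
    fi
    echo "issuer $h missing from $1 (this is what code=20 reports)"; return 1
}

# Run OpenSSL's own chain builder against <capath>; 0 on a complete chain.
verify_against_capath() {  # verify_against_capath <capath> <leaf.pem>
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}
```

Run issuer_in_capath against the certificate the smart card presents and then against the intermediate it names; whichever step reports "missing" is the file that the hashed directory lacks.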
