[ssh_x509] Missing Something Fundamental

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Wed Apr 19 23:15:20 EEST 2017


Hi Jose,

ssh_x509 at roumenpetrov.info wrote:
> Roumen,
>
> I thank you for all your helpful replies to my questions.
>
> I do have another one and it involves the client.
>
> In /op/pkixssh/etc/sshd_config on server.local, I have:
>
> CACertificatePath /opt/pkixssh/etc/ca/crt uncommented. And in
> /opt/pkixssh/etc/ca/crt I do have the root and intermediate certs hashed.
>
> On the client.local, I have /home/jose/.ssh/config:
>
> CACertificatePath /opt/pkixssh/etc/ca/crt uncommented. And in
> /opt/pkixssh/etc/ca/crt I do have the root and intermediate certs hashed.
Client config file is different from server - options depend on "host" 
block.

> So, both server.local and client.local both have the same root and
> intermediate certs.
Based on information above I cannot confirm.

> When I run /opt/pkixssh/bin/ssh -I /usr/local/lib/opensc-pkcs11.so
> jose at server.local  -v on client.local, I get the following:
[SNIP]

Please confirm that in the client config the option CACertificatePath is in a 
block for all hosts, i.e. after a line like "host *" or after a host 
statement whose pattern matches server.local.

You could review client configuration per host: ssh -d server.local .

> Thanks for your reply.
>
> Jose


Roumen


-- 
Secure shell with X.509 certificate support
http://roumenpetrov.info/secsh/
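
The host-block check discussed in this message, as an added example that is not part of the original e-mail or of PKIX-SSH: a small resolver that reports which block of a client config supplies an option for a given host. It assumes the standard ssh_config rules (the first obtained value wins, lines before any Host line apply to all hosts, "!" negates a pattern) carry over to CACertificatePath; the function names and both sample configs are constructed, and Match blocks are skipped rather than evaluated.

```python
import fnmatch
import re

def host_line_matches(patterns, hostname):
    """ssh_config Host rule: some pattern must match, no negated pattern may."""
    matched = False
    for pat in patterns:
        negated = pat.startswith("!")
        if fnmatch.fnmatchcase(hostname.lower(), pat.lstrip("!").lower()):
            if negated:
                return False
            matched = True
    return matched

def effective_option(config_text, hostname, keyword):
    """Return (value, block) for the first applicable setting, or None."""
    active, block = True, "(global)"  # lines before any Host apply to all hosts
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(.*)", line)
        if not m or line.startswith("#"):
            continue
        key, args = m.group(1).lower(), m.group(2).split()
        if key == "host":
            active, block = host_line_matches(args, hostname), line
        elif key == "match":
            active, block = False, line  # assumption: Match is not evaluated here
        elif active and key == keyword.lower() and args:
            return " ".join(args), block  # first obtained value wins
    return None

# Constructed sample: the option sits in a block that does not cover server.local.
MISPLACED = """\
Host other.local
    CACertificatePath /opt/pkixssh/etc/ca/crt
"""
# Constructed sample: the option sits in a block for all hosts.
CORRECTED = """\
Host other.local
    User jose
Host *
    CACertificatePath /opt/pkixssh/etc/ca/crt
"""

if __name__ == "__main__":
    for name, cfg in (("misplaced", MISPLACED), ("corrected", CORRECTED)):
        print(name, effective_option(cfg, "server.local", "CACertificatePath"))
```
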
