[ssh_x509] Missing Something Fundamental

ssh_x509 at roumenpetrov.info
Thu May 4 19:11:35 EEST 2017


Hi Roumen,

Is there a way to get the message of "ssh_x509store_verify_cert: return
1(trusted)" without setting LogLevel DEBUG3 in sshd_config?

Would like to get this output for auditing reasons.

Thanks for the reply!

Jose

On Wed, Apr 19, 2017 at 3:15 PM, <ssh_x509 at roumenpetrov.info> wrote:

> Hi Jose,
>
> ssh_x509 at roumenpetrov.info wrote:
>
>> Roumen,
>>
>> I thank you for all your helpful replies to my questions.
>>
>> I do have another one and it involves the client.
>>
>> In /op/pkixssh/etc/sshd_config on server.local, I have:
>>
>> CACertificatePath /opt/pkixssh/etc/ca/crt uncommented. And in
>> /opt/pkixssh/etc/ca/crt I do have the root and intermediate certs hashed.
>>
>> On the client.local, I have /home/jose/.ssh/config:
>>
>> CACertificatePath /opt/pkixssh/etc/ca/crt uncommented. And in
>> /opt/pkixssh/etc/ca/crt I do have the root and intermediate certs hashed.
>>
> Client config file is different from server - options depend on the "host"
> block.
>
>> So, both server.local and client.local both have the same root and
>> intermediate certs.
>>
> Based on information above I cannot confirm.
>
>> When I run /opt/pkixssh/bin/ssh -I /usr/local/lib/opensc-pkcs11.so
>> jose at server.local  -v on client.local, I get the following:
>>
> [SNIP]
>
> Please confirm that in the client config the CACertificatePath option is in the
> block for all hosts, i.e. after a line like "host *" or after a host statement
> whose pattern matches server.local.
>
> You could review the client configuration per host: ssh -d server.local .
>
>> Thanks for your reply.
>>
>> Jose
>>
>
>
> Roumen
>
>
> --
> Secure shell with X.509 certificate support
> http://roumenpetrov.info/secsh/
>
>
>

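An added example (not part of the thread and not PKIX-SSH code) of the host-block rule Roumen describes: it reads a client config and reports the first value of an option that applies to a given host. It assumes standard ssh_config semantics (options before the first Host line apply to every host, the first obtained value wins); `Match` blocks and `Include` are not evaluated, and the sample configs and the name `other.local` are constructed.

```python
import re

def _pattern_matches(pattern, host):
    # ssh_config host patterns support only the '*' and '?' wildcards.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, host, re.IGNORECASE) is not None

def host_block_applies(patterns, host):
    # A matching negated pattern ('!pat') disables the whole Host line;
    # otherwise at least one positive pattern has to match.
    positive = False
    for p in patterns:
        if p.startswith("!"):
            if _pattern_matches(p[1:], host):
                return False
        elif _pattern_matches(p, host):
            positive = True
    return positive

def effective_option(config_text, host, option):
    """Return (value, line_no) of the first `option` applying to `host`, else None."""
    applies = True  # before the first Host line, options apply to all hosts
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            applies = host_block_applies(arg.split(), host)
        elif keyword == "match":
            applies = False  # simplification: Match blocks are skipped
        elif applies and keyword == option.lower():
            return arg, line_no
    return None

# Constructed sample: the option sits in a block for a different host.
MISPLACED = """Host other.local
    CACertificatePath /opt/pkixssh/etc/ca/crt
Host server.local
    User jose
"""
# Constructed sample: the option sits in the block for all hosts.
CORRECT = """Host server.local
    User jose
Host *
    CACertificatePath /opt/pkixssh/etc/ca/crt
"""
```

`effective_option(MISPLACED, "server.local", "CACertificatePath")` returns `None`, which is the situation where the client never loads the CA directory for that server even though the line is present and uncommented.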
