[ssh_x509] Clarification on pkixssh-10.2

ssh_x509 at roumenpetrov.info
Mon Mar 19 06:10:52 EET 2018

Hi Roumen,

I have a few questions related to your OpenSSH RFC 6187 changes. I am using
the pkixssh-10.2 build for my purpose.
1. Is the pkixssh-10.2 build complete to handle x509v3 certificate-based
user authentication or do we need more changes? If yes, in which files?
2. For our requirement, we would want to configure SSH so that it can
handle x509v3 certificate-based user authentication. In the default case,
we would like SSH to handle public key based user authentication. So what
exact changes are required to configure RFC6187 enabled OpenSSH? Can you share
sshd_config and ssh_config files where it can handle x509v3
certificate-based user authentication? And also what other changes are
required? I couldn't understand much from the README.x509v3 document.
3. In the README.x509v3 document, you have mentioned make test / make
check-certs. I am not able to successfully run this test. I am getting
the following error "/openssh-7.5p1/regress/unittests/sshbuf/test_sshbuf:
cannot execute binary file" and
generating RSA 'hostkey'
/bin/sh ./2-cre_key.sh -t rsa -b 2048 -N "" -f testhostkey_rsa
./2-cre_key.sh: line 24: /openssh-7.5p1/ssh-keygen: cannot execute binary
OpenSSL command: /usr/bin/openssl
        version: OpenSSL 1.0.1e-fips 11 Feb 2013
RSA digest list: sha1
./2-cre_key.sh: line 33: /openssh-7.5p1/ssh-keygen: cannot execute binary
make[1]: *** [testhostkey_rsa] Error 126

Thanks in advance.
Mohit Gupta

