[ssh_x509] Clarification on pkixssh-10.2

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Mon Mar 19 21:13:44 EET 2018

ssh_x509 at roumenpetrov.info wrote:
> Hi Roumen,
> I have a few questions related to your OpenSSH RFC 6187 changes. I am using
> pkixssh-10.2 build for my purpose.
> 1. Is the pkixssh-10.2 build complete to handle x509v3 certificate-based
> user authentication or do we need more changes? If yes, in which files?

Even v10.0 is ready for x509v3 certificates in RFC6187 format.
Remark: 11.2 has two security patches - see the announcement.

Note the pre-RFC6187 document, draft-ietf-secsh-transport-12.txt. Let's call
that the "legacy" format.
Versions after 10.0 improve algorithm selection between the legacy and RFC formats.

> 2. For our requirement, we would want to configure SSH so that it can
> handle x509v3 certificate-based user authentication.

This is default.

> In the default case,
> we would like SSH to handle public key based user authentication.

It is supported by default.

> So what
> exact changes required to configure RFC6187 enabled OpenSSH? Can you share
> sshd_config and ssh_config file where it can handle x509v3
> certificate-based user authentication? And also what other changes are
> required? I couldn't understand much from the README.x509v3 document.

The default configuration is enough.
You could change the defaults only if you would like to add some restrictions.
The client X.509 certificate is required to have the sslclient purpose, but
you could use the *AllowedCertPurpose* options to bypass the default.

> 3. In README.x509v3 document, you have mentioned about make test/ make
> check-certs. I am not able to successfully run this test. I am getting
> following error "/openssh-7.5p1/regress/unittests/sshbuf/test_sshbuf:
> cannot execute binary file" and
> generating RSA 'hostkey'
> /bin/sh ./2-cre_key.sh -t rsa -b 2048 -N "" -f testhostkey_rsa
> ./2-cre_key.sh: line 24: /openssh-7.5p1/ssh-keygen: cannot execute binary

I'm not sure what the reason could be. The first (test_sshbuf) is part of the
OpenSSH unit tests; the second is a PKIX-SSH test.
The messages show the "build-dir" under root! The location is the reason for the failure.
Maybe the build is for a platform not supported by the loader. Cross-compilation?

> file
> OpenSSL command: /usr/bin/openssl
>          version: OpenSSL 1.0.1e-fips 11 Feb 2013
> RSA digest list: sha1
> ./2-cre_key.sh: line 33: /openssh-7.5p1/ssh-keygen: cannot execute binary
> file
> make[1]: *** [testhostkey_rsa] Error 126
> Thanks in advance.
> Regards
> Mohit Gupta

Roumen Petrov
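The reply above says the client X.509 certificate must carry the sslclient purpose unless AllowedCertPurpose is relaxed. The following check is an added example, not code from PKIX-SSH or from the list post; it assumes the OpenSSL command-line tool is installed and asks OpenSSL for the same purpose verdict the server relies on.

```shell
#!/bin/sh
# Added example (not PKIX-SSH code): check whether an X.509 client certificate
# carries the "SSL client" purpose that PKIX-SSH expects by default.
# Assumption: the `openssl` command-line tool is available on PATH.

# cert_purpose_ok CERT.pem
# Returns 0 if OpenSSL reports "SSL client : Yes" for the certificate,
# 1 if the purpose is missing, 2 if the file cannot be read.
cert_purpose_ok() {
    cert="$1"
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 2; }
    # `-purpose` runs OpenSSL's X509_check_purpose() for every known purpose
    # and prints one "<purpose> : Yes|No" line per purpose. A certificate whose
    # extendedKeyUsage lacks clientAuth (or whose keyUsage lacks
    # digitalSignature) is reported as "SSL client : No".
    openssl x509 -in "$cert" -noout -purpose 2>/dev/null \
        | grep -q '^SSL client : Yes'
}

# check_client_cert CERT.pem
# Scripting/CI wrapper: prints a verdict and returns the same status as
# cert_purpose_ok, so it can gate a deployment step.
check_client_cert() {
    if cert_purpose_ok "$1"; then
        echo "$1: has the SSL client purpose; usable with the default AllowedCertPurpose"
        return 0
    fi
    echo "$1: lacks the SSL client purpose; sshd with default AllowedCertPurpose will reject it" >&2
    return 1
}
```

Run `check_client_cert /path/to/client-cert.pem` before copying the certificate into place; a "No" verdict means either re-issuing the certificate with clientAuth or deliberately relaxing AllowedCertPurpose on the server.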

