[ssh_x509] Clarification on pkixssh-10.2

ssh_x509 at roumenpetrov.info
Sun Apr 1 19:53:55 EEST 2018

ssh_x509 at roumenpetrov.info wrote:
> Hi Roumen,
> 11.0 is a version with multi-algorithm host keys. This means if an RSA host key has
> key plus certificate it will be announced as
> x509v3-sign-rsa, x509v3-ssh-rsa and ssh-rsa. The list is impacted by the options
> AcceptedAlgorithms and X509KeyAlgorithm.
> For versions before this, the key will be announced as x509v3-sign-rsa.
>   1. [Mohit] -- So that means if I am using version 10.2, is the host key algorithm
> only announced as x509v3-sign-rsa, or can it also be announced as the ssh-rsa
> algorithm?
For versions before 11.0 you have to keep two keys:
a) only with a "plain" key, announced as ssh-rsa
b) key and certificate. Actually, the option X509KeyAlgorithm impacts the algorithm.

So if for RSA in your sshd_config the option is like this:
X509KeyAlgorithm x509v3-ssh-dss,dss-raw,ssh-dss
X509KeyAlgorithm x509v3-sign-dss,dss-asn1
X509KeyAlgorithm x509v3-sign-dss,dss-raw

the host key will be announced as x509v3-ssh-dss (first listed for RSA key).

> Or do we need to move to version 11.0? We want to use openssh-7.5p1 and
> that's why we chose pkixssh version 10.2.
> For my development UT, I have generated a self-signed certificate. The Root CA
> certificate which is used to generate the certificate is copied to
> /etc/ssh/ca/crt/cacert.pem and I also added 'CACertificateFile
> /etc/ssh/ca/crt/cacert.pem' to sshd_config.
The path is part of verification and does not impact host keys.

> I am trying to configure the SSH
> server and connect to it, and I am getting the error when I started the SSH server
> in debug mode.

> PFA the complete debug log and sshd_config.
> Connection from port 55674 on port 5000
> Did not receive identification string from port 55674.
Looks like a connection from a port scanner.
Or it could be due to improper network configuration, for instance in a
virtual machine. Or a firewall issue.
It is not easy to say that this is an error.

It could be reproduced with telnet: after connecting, type the escape
character and at the telnet prompt type quit.
Perhaps you could test the network with telnet. After connecting, type
something, for instance "test", and press [Enter]. It is expected to see:
Bad protocol version identification 'test' from ...

> There are other errors related to the x509key_parse_cert: PEM_read_X509 fail
> error.

A debug message like "x509key_parse_cert: PEM_read_X509 fail ..." means
that the host key does not contain a certificate.
So only plain keys are used as host keys.
As those messages are not "error" messages, they could be ignored.

> Please see the logs. The connection is failing at the very first
> step.
> # HostKeys for protocol version 2
> HostKey /etc/ssh_host_dsa_key
> HostKey /etc/ssh_host_rsa_key
> HostKey /etc/ssh_host_ecdsa_key
> 2. Can we use ssh-rsa for the server authentication algorithm (host key
> exchange) and x509v3-ssh-rsa for the user authentication algorithm?
Yes, just add to sshd_config:
PubkeyAlgorithms x509v3-*

Remark: the option works in a Match block as well.

> If yes, what will the SSH server configuration be? I want to know how a
> certificate in PEM format should be generated and appended to the host key file
> which is generated as part of the SSH server installation.
Generation of a client or server certificate: there are lots of articles on
the topic "OpenSSL Certificate Authority".

> Can we replace the default /etc/ssh_host_rsa_key with a new
> key which has the private key as well as the certificate in PEM format? Or
> is this format of key only needed in the case where we choose the host key
> algorithm as x509v3-ssh-rsa?
For 10.2 use separate files, as was explained above.

> Thanks & Regards
> Mohit Gupta

Roumen Petrov
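As an added illustration (not part of this thread or of PKIX-SSH itself), the Python below encodes the two rules Roumen gives for 10.2: a host key file without a CERTIFICATE block is a plain key (the case behind the "PEM_read_X509 fail" debug message) and is announced as ssh-<type>, while a key-plus-certificate file is announced under the first X509KeyAlgorithm entry for its key type. The PEM bodies are constructed placeholders, not real keys, and matching config entries to key types by name suffix is an assumption of this example.

```python
import base64
import re

# Constructed sample host-key files: placeholder base64 bodies, not real key material.
PLAIN_KEY = """-----BEGIN RSA PRIVATE KEY-----
QUJDRA==
-----END RSA PRIVATE KEY-----
"""
KEY_WITH_CERT = PLAIN_KEY + """-----BEGIN CERTIFICATE-----
QUJDRA==
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END \1-----", re.S)


def pem_blocks(text):
    """Return (label, decodes_ok) for every PEM block found in a key file."""
    found = []
    for m in PEM_BLOCK.finditer(text):
        body = "".join(m.group(2).split())
        try:
            base64.b64decode(body, validate=True)
            ok = True
        except ValueError:  # corrupt base64 would also make PEM_read_X509 fail
            ok = False
        found.append((m.group(1), ok))
    return found


def has_certificate(text):
    """True only if the file carries a CERTIFICATE block that at least decodes."""
    return any(label == "CERTIFICATE" and ok for label, ok in pem_blocks(text))


def announced_algorithm(keyfile_text, key_type, x509_key_algorithms):
    """Host-key algorithm a 10.2 server would announce for this file.

    key_type: 'rsa' or 'dss'; x509_key_algorithms: X509KeyAlgorithm values in
    sshd_config order, e.g. 'x509v3-ssh-dss,dss-raw,ssh-dss'.
    """
    if not has_certificate(keyfile_text):
        return "ssh-" + key_type  # plain key: no certificate, plain algorithm only
    for entry in x509_key_algorithms:
        name = entry.split(",")[0]  # first field is the announced algorithm name
        if name.endswith("-" + key_type):  # assumption: suffix identifies key type
            return name  # first listed entry for this key type wins
    return None  # no X509KeyAlgorithm line covers this key type
```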
