[ssh_x509] Clarification on pkixssh-10.2

ssh_x509 at roumenpetrov.info
Sun Apr 1 20:58:04 EEST 2018


On Sun, Apr 1, 2018 at 10:23 PM, <ssh_x509 at roumenpetrov.info> wrote:

> ssh_x509 at roumenpetrov.info wrote:
>
>> Hi Roumen,
>>
>>
>> 11.0 is the version with multi-algorithm host keys. This means if an RSA host key has
>> a key plus certificate it will be announced as
>> x509v3-sign-rsa, x509v3-ssh-rsa and ssh-rsa. The list is impacted by the options
>> *AcceptedAlgorithms* and *X509KeyAlgorithm*.
>>
>> For versions before this, the key will be announced as x509v3-sign-rsa.
>>   1. [Mohit] -- So that means if I am using version 10.2, the host key
>> algorithm is only announced as x509v3-sign-rsa, or can it also be announced
>> as the ssh-rsa algorithm?
>>
> For versions before 11.0 you have to keep two keys:
> a) only with a "plain" key - announced as ssh-rsa
>
>>>Mohit -- So is this the original /etc/ssh_host_rsa_key that gets
generated during SSH installation?

> b) key and certificate. Actually the option X509KeyAlgorithm impacts the algorithm.
>
>>>Mohit --- are we independent to generate this key and certificate file?
What will be the name of this key file?

>
> So if for RSA in your sshd_config the option is like this:
> X509KeyAlgorithm x509v3-ssh-dss,dss-raw,ssh-dss
> X509KeyAlgorithm x509v3-sign-dss,dss-asn1
> X509KeyAlgorithm x509v3-sign-dss,dss-raw
>
> host key will be announced as x509v3-ssh-dss (first listed for RSA key).
>
>> Or do we need to move to version 11.0? We want to use openssh-7.5p1 and
>> that's why we chose pkixssh version 10.2.
>>
>> For my development UT, I have generated a self-signed certificate. The root CA
>> certificate which is used to generate the certificate is copied to
>> */etc/ssh/ca/crt/cacert.pem* and I also added '*CACertificateFile
>> /etc/ssh/ca/crt/cacert.pem*' to sshd_config.
>>
> The path is part of verification and does not impact host keys.
>
>> I am trying to configure the SSH
>> server and connect to it; I am getting the error when I start the SSH server
>> in debug mode.
>>
>
>> PFA for the complete debug log and sshd_config.
>> *Connection from 10.197.200.94 port 55674 on 10.24.12.85 port 5000*
>> *Did not receive identification string from 10.197.200.94 port 55674.*
>>
> Looks like a connection from a port scanner.
> Or it could be due to improper network configuration, for instance in a
> virtual machine. Or a firewall issue.
> It is not easy to say that this is an error.
>
> It could be reproduced with telnet: after connecting, type the escape
> character and at the telnet prompt type quit.
> Perhaps you could test the network with telnet. After connecting, type
> something, for instance "test", and press [Enter]. It is expected to see the
> message:
> Bad protocol version identification 'test' from ...
>
>
>> There are other errors related to x509key_parse_cert: PEM_read_X509 fail
>> error.
>>
>
> A debug message like "x509key_parse_cert: PEM_read_X509 fail ..." means that
> the host key does not contain a certificate.
> So only plain keys are used as host keys.
> As those messages are not "error" messages, they could be ignored.
>
>> Please see the logs. The connection is failing at the very first
>> step.
>>
>> # HostKeys for protocol version 2
>> HostKey /etc/ssh_host_dsa_key
>> HostKey /etc/ssh_host_rsa_key
>> HostKey /etc/ssh_host_ecdsa_key
>>
>> 2. Can we use ssh-rsa as the server authentication algorithm (host key
>> exchange) and x509v3-ssh-rsa as the user authentication algorithm?
>>
> Yes, just add to sshd_config:
> *PubkeyAlgorithms* x509v3-*
>
>>>Mohit - so we just need to add PubkeyAlgorithms x509v3-ssh-rsa in the
sshd_config? No extra configuration in sshd_config like X509KeyAlgorithm
x509v3-*?

>
> Remark: the option works in a Match block as well.
>
>
>> If yes, what will be the SSH server configuration? I want to know how a
>> certificate in PEM format should be generated and appended to the host key
>> file
>> which is generated as part of the SSH server installation.
>>
> Generation of client or server certificates: there are lots of articles on the
> topic "OpenSSL Certificate Authority".
>
>
>> Can we replace the default /etc/ssh_host_rsa_key with a new
>> key which has the private key as well as the certificate in PEM format? Or
>> is this format of key only needed in the case where we choose the host key
>> algorithm x509v3-ssh-rsa?
>>
> For 10.2 use separate files as was explained above.
>
>> Thanks & Regards
>> Mohit Gupta
>>
> [snip]
>
> Regards,
> Roumen Petrov
>
>
>
> _______________________________________________
> ssh_x509 mailing list
> ssh_x509 at roumenpetrov.info
> http://roumenpetrov.info/mailman/listinfo/ssh_x509_roumenpetrov.info
>
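Added example, not part of this thread and not code from the PKIX-SSH project: the reply above says that on 10.2 a server needs two separate HostKey files (a "plain" private key announced as ssh-rsa, and a private key with an X.509 certificate appended, announced per X509KeyAlgorithm), and that the debug line "x509key_parse_cert: PEM_read_X509 fail" only means a HostKey file carries no certificate. The POSIX shell script below classifies each PEM host-key file by looking for the private-key and certificate PEM markers and emits the matching HostKey lines. File names under the temporary directory and the placeholder PEM bodies are constructed for the demonstration; they are not real key material, and the name ssh_host_rsa_key.x509 for the key-plus-certificate file is an assumption, not a PKIX-SSH convention.

```shell
#!/bin/sh
# Added example (not from the ssh_x509 thread or the PKIX-SSH project).
# Classifies PEM host-key files into the two kinds a PKIX-SSH 10.2 server
# keeps as separate HostKey entries: "plain" (private key only, announced
# as ssh-rsa) and "key+cert" (private key followed by an X.509 certificate).
# A "plain" file is exactly what triggers the harmless debug line
# "x509key_parse_cert: PEM_read_X509 fail" mentioned in the thread.

# Print one word describing FILE: plain, key+cert, cert-only, or empty.
hostkey_kind() {
    f=$1
    # Private keys may be "RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY", ...
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then has_key=1; else has_key=0; fi
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then has_cert=1; else has_cert=0; fi
    case "$has_key$has_cert" in
        11) echo "key+cert" ;;
        10) echo "plain" ;;
        01) echo "cert-only" ;;
        *)  echo "empty" ;;
    esac
}

# Emit sshd_config HostKey lines for the given files, skipping any file
# without a private key (a CA certificate file is not a host key).
hostkey_lines() {
    for f in "$@"; do
        case "$(hostkey_kind "$f")" in
            plain|key+cert) echo "HostKey $f" ;;
        esac
    done
}

# Constructed sample files: placeholder PEM bodies, not real key material.
demo_dir=$(mktemp -d)
plain_key="$demo_dir/ssh_host_rsa_key"        # plain key, as installed by default
cert_key="$demo_dir/ssh_host_rsa_key.x509"    # assumed name for key + certificate
cert_only="$demo_dir/cacert.pem"              # CA certificate (verification only)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' '-----END RSA PRIVATE KEY-----' > "$plain_key"
cat "$plain_key" > "$cert_key"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' >> "$cert_key"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' > "$cert_only"

for f in "$plain_key" "$cert_key" "$cert_only"; do
    printf '%s: %s\n' "$f" "$(hostkey_kind "$f")"
done
hostkey_lines "$plain_key" "$cert_key" "$cert_only"
```

Running it prints "plain" for the default key, "key+cert" for the combined file and "cert-only" for the CA certificate, then two HostKey lines; the CA certificate is left out because, as the reply notes, the CACertificateFile path belongs to verification and does not provide a host key. On a real 10.2 server the check is the same grep over the paths listed in sshd_config, which answers quickly whether a "PEM_read_X509 fail" message is expected for a given file.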

