[ssh_x509] Clarification on pkixssh-10.2

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Wed Apr 4 21:33:59 EEST 2018


Hello Mohit,


The list software converts mail to text, so it is possible that some formatting 
is lost.


(a) If I understand properly, one of your questions is about installation 
of keys based on certificates.
Plain keys are easy to generate - all functionality (the ssh-keygen 
program) is available.
X.509 keys require another party - a CA. CA rules are not known and this 
process cannot be automated by the install procedure.

Where to store?
For instance for RSA you could keep the "plain" key in location 
/etc/ssh/ssh_host_rsa_key and create a new file 
/etc/ssh/ssh_host_rsa_x509 where to store key+certificates.
But in this case you have to define HostKey (in sshd_config) for both files:
....
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_rsa_x509
...


(b) The next question was about algorithm restriction: PubkeyAlgorithms vs 
X509KeyAlgorithm

Yes, to restrict algorithms on the server side you could use only X509KeyAlgorithm, without changing/using option PubkeyAlgorithms.

  
Regards,
Roumen Petrov



ssh_x509 at roumenpetrov.info wrote:
> On Sun, Apr 1, 2018 at 10:23 PM,<ssh_x509 at roumenpetrov.info>  wrote:
>
>> ssh_x509 at roumenpetrov.info  wrote:
>>
>>> Hi Roumen,
>>>
>>>
>>> 11.0 is the version with multi-algorithm host keys. This means if an RSA host key has
>>> key plus certificate it will be announced as
>>> x509v3-sign-rsa, x509v3-ssh-rsa and ssh-rsa. The list is impacted by options
>>> *AcceptedAlgorithms* and *X509KeyAlgorithm.*
>>>
>>> For versions before this the key will be announced as x509v3-sign-rsa.
>>>    1. [Mohit] -- So that means if I am using version 10.2, host key
>>> algorithm
>>> is only announced as x509v3-sign-rsa or it can also announce as ssh-rsa
>>> algorithm??
>>>
>> For versions before 11.0 you have to keep two keys
>> a) only with "plain" key - announced as ssh-rsa
>>
>>>> Mohit -- So is this the original /etc/ssh_host_rsa_key that gets
> generated during SSH installation ?
>
>> b) key and certificate. Actually option X509KeyAlgorithm impacts algorithm.
>>
>>>> Mohit --- are we independent to generate this key and certificate file ?
> What will be the name of this key file ?
>
>> So if for RSA in your sshd_config the option is like this:
>> X509KeyAlgorithm x509v3-ssh-dss,dss-raw,ssh-dss
>> X509KeyAlgorithm x509v3-sign-dss,dss-asn1
>> X509KeyAlgorithm x509v3-sign-dss,dss-raw
>>
>> host key will be announced as x509v3-ssh-dss (first listed for RSA key).
>>
>> Or do We need to move to version 11.0? We want to use openssh-7.5p1 and
>>> that's why we choose pkixssh version 10.2
>>>
>>> For my development UT, I have generated a self-signed certificate. Root CA
>>> certificate which is used to generate certificate is copied to
>>> */etc/ssh/ca/crt/cacert.pem* and also added this '*CACertificateFile
>>> /etc/ssh/ca/crt/cacert.pem*' in sshd_config.
>>>
>> Path is part of verification and does not impact host keys.
>>
>> I am trying to configure SSH
>>> server and connect to it, I am getting the error when I started SSH server
>>> in debug mode.
>>>
>> PFA for the complete debug log and sshd_config.
>>> *Connection from 10.197.200.94 port 55674 on 10.24.12.85 port 5000*
>>> *Did not receive identification string from 10.197.200.94 port 55674.*
>>>
>> Looks like a connection from a port scanner.
>> Or it could be due to improper network configuration for instance in a
>> virtual machine. Or firewall issue.
>> It is not easy to say that this is an error.
>>
>> It could be reproduced with telnet - after connection type escape
>> character and on telnet prompt type quit.
>> Perhaps you could test network with telnet, After connection type
>> something, for instance "test" and press [Enter]. It is expected to see
>> message:
>> Bad protocol version identification 'test' from ...
>>
>>
>> There are other errors related to x509key_parse_cert: PEM_read_X509 fail
>>> error.
>>>
>> A debug message like "x509key_parse_cert: PEM_read_X509 fail ..." means that the
>> host key does not contain a certificate.
>> So only plain keys are used as host keys.
>> As those messages are not "error" messages they could be ignored.
>>
>> Please see the logs. The connection is getting failed at very first
>>> step.
>>>
>>> # HostKeys for protocol version 2
>>> HostKey /etc/ssh_host_dsa_key
>>> HostKey /etc/ssh_host_rsa_key
>>> HostKey /etc/ssh_host_ecdsa_key
>>>
>>> 2. Can we use ssh-rsa for server authentication algorithm( host key
>>> exchange ) and x509v3-ssh-rsa for user authentication algorithm?
>>>
>> Yes, just add to sshd_config:
>> *PubkeyAlgorithms* x509v3-*
>>
>>>> Mohit - so we just need to add PubkeyAlgorithms x509v3-ssh-rsa in the
> sshd_config ? No extra configuration in sshd_config like  X509KeyAlgorithm
> x509v3-* ?
>
>> Remark: option works in Match block as well.
>>
>>
>> If yes, what will be the SSH server configuration? I want to know how a
>>> certificate in PEM format should be generated and appended to host key
>>> file
>>> which is generated as part of SSH server installation?
>>>
>> Generation of client or server certificate: there are a lot of articles on the
>> topic "OpenSSL Certificate Authority".
>>
>>
>> Can we replace the default /etc/ssh_host_rsa_key and replace it with a new
>>> key which has the private key as well as the certificate in PEM format. Or
>>> this format of key is only needed in the case where we choose host key
>>> algorithm as x509v3-ssh-rsa?
>>>
>> For 10.2 use separate files as was explained above.
>>
>> Thanks & Regards
>>> Mohit Gupta
>>>
>> [snip]
>>
>> Regards,
>> Roumen Petrov
>>
>>
>>
>> _______________________________________________
>> ssh_x509 mailing list
>> ssh_x509 at roumenpetrov.info
>> http://roumenpetrov.info/mailman/listinfo/ssh_x509_roumenpetrov.info
>>
> _______________________________________________
> ssh_x509 mailing list
> ssh_x509 at roumenpetrov.info
> http://roumenpetrov.info/mailman/listinfo/ssh_x509_roumenpetrov.info


-- 
Secure shell with X.509 certificate support
http://roumenpetrov.info/secsh/
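Putting points (a) and (b) of the reply together, the following is an added example written for this page; it is not code from the thread or from the PKIX-SSH project. It is a POSIX shell script that writes the 10.2-style sshd_config fragment (one HostKey line for the plain key, one for the key+certificate file, X509KeyAlgorithm lines for the server-side restriction, PubkeyAlgorithms x509v3-* for user authentication) and then checks every HostKey file for the layout that the debug message "x509key_parse_cert: PEM_read_X509 fail" is about: does the file actually contain a CERTIFICATE block after the private key? The RSA X509KeyAlgorithm values (x509v3-ssh-rsa,rsa-sha1,ssh-rsa and x509v3-sign-rsa,rsa-sha1) are assumed PKIX-SSH defaults and may need adjusting for your build; the PEM bodies, the scratch directory and the function names hostkey_file_kind/check_hostkeys are constructed for the example, and the "cert-before-key" ordering check is the checker's own rule, not something PKIX-SSH is documented to enforce.

```shell
#!/bin/sh
# Added example, not code from the ssh_x509 thread or the PKIX-SSH project.
# Assumptions: scratch dir $WORK (created here), PEM bodies are placeholders,
# the X509KeyAlgorithm values are assumed PKIX-SSH defaults for RSA.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Classify one HostKey file by its PEM blocks. "plain" means sshd will only
# announce ssh-rsa for it; "key+cert" is the key followed by certificate(s).
# "cert-before-key" is flagged because the recipe in the thread is key
# first, then certificates (this ordering rule is the checker's own).
hostkey_file_kind() {
    f=$1
    [ -r "$f" ] || { echo missing; return 0; }
    keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$f" || true)
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    if [ "$keys" -eq 0 ]; then echo no-key; return 0; fi
    if [ "$certs" -eq 0 ]; then echo plain; return 0; fi
    keyline=$(grep -n -- '-----BEGIN .*PRIVATE KEY-----' "$f" | head -n 1 | cut -d: -f1)
    certline=$(grep -n -- '-----BEGIN CERTIFICATE-----' "$f" | head -n 1 | cut -d: -f1)
    if [ "$certline" -lt "$keyline" ]; then echo cert-before-key; return 0; fi
    echo key+cert
}

# Walk every HostKey directive of an sshd_config and report the file kind,
# so you can see before starting sshd which files will carry a certificate.
check_hostkeys() {
    cfg=$1
    awk 'tolower($1) == "hostkey" { print $2 }' "$cfg" |
    while IFS= read -r path; do
        printf '%s %s\n' "$path" "$(hostkey_file_kind "$path")"
    done
}

# --- constructed sample files (placeholder PEM bodies, not real keys) ---
cat > "$WORK/ssh_host_rsa_key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDER-PRIVATE-KEY-BODY
-----END RSA PRIVATE KEY-----
EOF

# Key+certificate file: the same private key with the host certificate
# (and, if needed, intermediate CA certificates) appended after it.
cat > "$WORK/ssh_host_rsa_x509" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDER-PRIVATE-KEY-BODY
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-HOST-CERTIFICATE-BODY
-----END CERTIFICATE-----
EOF

# A mistake worth catching: certificate pasted above the key.
cat > "$WORK/wrong_order" <<'EOF'
-----BEGIN CERTIFICATE-----
PLACEHOLDER-HOST-CERTIFICATE-BODY
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDER-PRIVATE-KEY-BODY
-----END RSA PRIVATE KEY-----
EOF

# The 10.2-style sshd_config fragment from the reply: one HostKey per file,
# X509KeyAlgorithm restricting server-side X.509 algorithms (the first line
# listed decides what the RSA host key is announced as), PubkeyAlgorithms
# limiting user authentication to X.509 keys, CACertificateFile for
# verification of the peer's certificate chain.
cat > "$WORK/sshd_config" <<EOF
HostKey $WORK/ssh_host_rsa_key
HostKey $WORK/ssh_host_rsa_x509

X509KeyAlgorithm x509v3-ssh-rsa,rsa-sha1,ssh-rsa
X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1

PubkeyAlgorithms x509v3-*

CACertificateFile /etc/ssh/ca/crt/cacert.pem
EOF

# One line per HostKey: "<path> plain|key+cert|cert-before-key|no-key|missing"
check_hostkeys "$WORK/sshd_config"
```

Against a real host, point check_hostkeys at /etc/ssh/sshd_config after you have appended the CA-issued host certificate to a copy of the private key; a HostKey line whose file reports "plain" is the one that will produce the PEM_read_X509 debug message and be announced as ssh-rsa only.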



