[ssh_x509] Clarification on pkixssh-10.2

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Mon Apr 9 07:22:56 EEST 2018


Hi Roumen,

We would like to know if the below format of *authorized_keys* is correct or
not. If not, can you please provide an example of the *authorized_keys*
file.

Thanks & Regards
Mohit Gupta

On Fri, Apr 6, 2018 at 12:04 PM, mohit kumar gupta <mohitgupta153 at gmail.com>
wrote:

> Hi Roumen,
>
> Thanks for all your earlier responses.
> Is it necessary to have the same host key algorithm and public key algorithm?
> I mean the host key should have x509v3-ssh-rsa and ssh_config should
> have X509KeyAlgorithm x509v3-ssh-rsa,rsa-sha1,ssh-rsa?
> If host key exchange is negotiated as ssh-dss, will public key
> authentication also use the ssh-dss algorithm?
> Should there be any relation between the server certificate and the user
> certificate? Or can they be generated and used independently?
>
> PFA for sshd_config, ca-chain.cert.pem, www.example.com.key.pem,
> www.example.com.cert.pem (passphrase is secretpassword).
> *www.example.com.cert.pem is used as the user certificate.*
>
> SSH Server configuration:-
> 1. Using the existing host key which gets generated as part of SSH
> installation.
>
> 2. sshd_config file:- PFA.
> 2.1 AllowedCertPurpose any
> 2.2 KeyAllowSelfIssued yes
> 2.3 CACertificateFile /etc/ssh/ca/crt/ca-chain.cert.pem -- this is the
> intermediate self-signed CA certificate which is used to generate the user
> certificate.
>
> 3. User file on the server:-
> 3.1 .ssh/authorized_keys
> x509v3-sign-rsa subject= /C=GB/ST=California/L=Mountain View/O=Alice Ltd/OU=Alice Ltd Web Services/CN=www.example.com
> x509v3-ssh-rsa subject= /C=GB/ST=California/L=Mountain View/O=Alice Ltd/OU=Alice Ltd Web Services/CN=www.example.com
> *Is this the correct format of authorized_keys? Can you send me an
> example of an authorized_keys entry?*
> 3.2 /etc/ssh/ca/crt
> ls -ltr /etc/ssh/ca/crt/
> -r--r--r--   1 root     root         4180 Apr  5 16:51 ca-chain.cert.pem
> lrwxrwxrwx   1 root     root           17 Apr  6 05:45 cd927608.0 -> ca-chain.cert.pem
>
> 4. We are using *SecureCRT* for connecting to our SSH server.
> Under public key properties, global settings, we are using the same
> ca-chain.cert.pem as the identity or certificate file.
>
> *Please find the SSH server side log file attached also for the failure.*
>
>
> Thanks & Regards
> Mohit Gupta
>
>
>
>
>
>> On Thu, Apr 5, 2018 at 12:03 AM, <ssh_x509 at roumenpetrov.info> wrote:
>>
>>> Hello Mohit,
>>>
>>>
>>> The list program converts mail to text and it is possible for some formatting
>>> to be lost.
>>>
>>>
>>> (a) If I understand properly one of your questions is about installation
>>> of keys based on certificates.
>>> Plain keys are easy to generate - all functionality (program
>>> ssh-keygen) is available.
>>> X.509 keys require another party - a CA. CA rules are not known and this
>>> process cannot be automated by the install procedure.
>>>
>>> Where to store?
>>> For instance for rsa you could keep "plain" keys in the location
>>> /etc/ssh/ssh_host_rsa_key and create a new file /etc/ssh/ssh_host_rsa_x509
>>> in which to store key+certificates.
>>> But in this case you have to define HostKey (in sshd_config) for both
>>> files:
>>> ....
>>> HostKey /etc/ssh/ssh_host_rsa_key
>>> HostKey /etc/ssh/ssh_host_rsa_cert
>>> ...
>>>
>>>
>>> (b) Next question was about algorithm restriction: PubkeyAlgorithms vs
>>> X509KeyAlgorithm
>>>
>>> Yes, to restrict algorithms on the server side you could use only
>>> X509KeyAlgorithm, without changing/using the option PubkeyAlgorithms.
>>>
>>>  Regards,
>>> Roumen Petrov
>>>
>>>
>>>
>>>
>>> ssh_x509 at roumenpetrov.info wrote:
>>>
>>>> On Sun, Apr 1, 2018 at 10:23 PM,<ssh_x509 at roumenpetrov.info>  wrote:
>>>>
>>>> ssh_x509 at roumenpetrov.info  wrote:
>>>>>
>>>>> Hi Roumen,
>>>>>>
>>>>>>
>>>>>> 11.0 is the version with multi-algorithm host keys. This means if an RSA host
>>>>>> key has
>>>>>> key plus certificate it will be announced as
>>>>>> x509v3-sign-rsa, x509v3-ssh-rsa and ssh-rsa. The list is impacted by
>>>>>> options
>>>>>> *AcceptedAlgorithms* and *X509KeyAlgorithm.*
>>>>>>
>>>>>> For versions before this the key will be announced as x509v3-sign-rsa.
>>>>>>    1. [Mohit] -- So that means if I am using version 10.2, the host key
>>>>>> algorithm
>>>>>> is only announced as x509v3-sign-rsa, or can it also be announced as the
>>>>>> ssh-rsa
>>>>>> algorithm?
>>>>>>
>>>>>> For versions before 11.0 you have to keep two keys
>>>>> a) only with "plain" key - announced as ssh-rsa
>>>>>
>>>>> Mohit -- So is this the original /etc/ssh_host_rsa_key that gets
>>>>>>>
>>>>>> generated during SSH installation?
>>>>
>>>> b) key and certificate. Actually option X509KeyAlgorithm impacts the
>>>>> algorithm.
>>>>>
>>>>> Mohit --- are we independent to generate this key and certificate file?
>>>>>>>
>>>>>>>
>>>>>> What will be the name of this key file?
>>>>
>>>> So if for RSA in your sshd_config the option is like this:
>>>>> X509KeyAlgorithm x509v3-ssh-dss,dss-raw,ssh-dss
>>>>> X509KeyAlgorithm x509v3-sign-dss,dss-asn1
>>>>> X509KeyAlgorithm x509v3-sign-dss,dss-raw
>>>>>
>>>>> host key will be announced as x509v3-ssh-dss (first listed for RSA
>>>>> key).
>>>>>
>>>>> Or do we need to move to version 11.0? We want to use openssh-7.5p1 and
>>>>>
>>>>>> that's why we chose pkixssh version 10.2.
>>>>>>
>>>>>> For my development UT, I have generated a self-signed certificate.
>>>>>> The root CA
>>>>>> certificate which is used to generate the certificate is copied to
>>>>>> */etc/ssh/ca/crt/cacert.pem* and this '*CACertificateFile
>>>>>> /etc/ssh/ca/crt/cacert.pem*' is also added in sshd_config.
>>>>>>
>>>>>> Path is part of verification and does not impact host keys.
>>>>>
>>>>> I am trying to configure the SSH
>>>>>
>>>>>> server and connect to it; I am getting the error when I start the SSH
>>>>>> server
>>>>>> in debug mode.
>>>>>>
>>>>>> PFA for the complete debug log and sshd_config.
>>>>>
>>>>>> *Connection from 10.197.200.94 port 55674 on 10.24.12.85 port 5000*
>>>>>> *Did not receive identification string from 10.197.200.94 port 55674.*
>>>>>>
>>>>>> Looks like a connection from a port scanner.
>>>>> Or it could be due to improper network configuration, for instance in a
>>>>> virtual machine. Or a firewall issue.
>>>>> It is not easy to say that this is an error.
>>>>>
>>>>> It could be reproduced with telnet - after connecting type the escape
>>>>> character and at the telnet prompt type quit.
>>>>> Perhaps you could test the network with telnet. After connecting type
>>>>> something, for instance "test", and press [Enter]. It is expected to see the
>>>>> message:
>>>>> Bad protocol version identification 'test' from ...
>>>>>
>>>>>
>>>>> There are other errors related to the x509key_parse_cert: PEM_read_X509
>>>>> fail
>>>>>
>>>>>> error.
>>>>>>
>>>>>> Debug messages like "x509key_parse_cert: PEM_read_X509 fail ..." mean
>>>>> that
>>>>> the host key does not contain a certificate.
>>>>> So only plain keys are used as host keys.
>>>>> As those messages are not "error" messages they could be ignored.
>>>>>
>>>>> Please see the logs. The connection is failing at the very first
>>>>>
>>>>>> step.
>>>>>>
>>>>>> # HostKeys for protocol version 2
>>>>>> HostKey /etc/ssh_host_dsa_key
>>>>>> HostKey /etc/ssh_host_rsa_key
>>>>>> HostKey /etc/ssh_host_ecdsa_key
>>>>>>
>>>>>> 2. Can we use ssh-rsa for server authentication algorithm( host key
>>>>>> exchange ) and x509v3-ssh-rsa for user authentication algorithm?
>>>>>>
>>>>>> Yes, just add to sshd_config:
>>>>> *PubkeyAlgorithms* x509v3-*
>>>>>
>>>>> Mohit - so we just need to add PubkeyAlgorithms x509v3-ssh-rsa in the
>>>>>>>
>>>>>> sshd_config ? No extra configuration in sshd_config like
>>>> X509KeyAlgorithm
>>>> x509v3-* ?
>>>>
>>>> Remark: option works in Match block as well.
>>>>>
>>>>>
>>>>> If yes, what will be the SSH server configuration? I want to know how a
>>>>>
>>>>>> certificate in PEM format should be generated and appended to the host key
>>>>>> file
>>>>>> which is generated as part of the SSH server installation?
>>>>>>
>>>>>> Generation of client or server certificate. There are lots of articles
>>>>> on
>>>>> the topic "OpenSSL Certificate Authority".
>>>>>
>>>>>
>>>>> Can we replace the default /etc/ssh_host_rsa_key with a
>>>>> new
>>>>>
>>>>>> key which has the private key as well as the certificate in PEM
>>>>>> format? Or
>>>>>> is this format of key only needed in the case where we choose the host key
>>>>>> algorithm as x509v3-ssh-rsa?
>>>>>>
>>>>>> For 10.2 use separate files as was explained above.
>>>>>
>>>>> Thanks & Regards
>>>>>
>>>>>> Mohit Gupta
>>>>>>
>>>>>> [snip]
>>>>>
>>>>> Regards,
>>>>> Roumen Petrov
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> ssh_x509 mailing list
>>>>> ssh_x509 at roumenpetrov.info
>>>>> http://roumenpetrov.info/mailman/listinfo/ssh_x509_roumenpetrov.info
>>>>>
>>>>
>>>
>>>
>>> --
>>> Secure shell with X.509 certificate support
>>> http://roumenpetrov.info/secsh/
>>>
>>>
>>>
>>
>>
>
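Roumen's replies above spell out the pkixssh-10.2 host-key model: keep a plain key file and a separate key+certificate file, both listed as HostKey; a file without a certificate is announced as ssh-rsa (and produces the harmless "PEM_read_X509 fail" debug line), a file with a certificate is announced under the first X509KeyAlgorithm line for its key type, and PubkeyAlgorithms x509v3-* restricts user authentication without touching the host key. The script below is an added example, not code from the PKIX-SSH project or from anyone in this thread: it parses a constructed sshd_config fragment and constructed PEM files and reports what each HostKey would be announced as and which user-key algorithms PubkeyAlgorithms admits. Assumptions not taken from the thread: PubkeyAlgorithms patterns are matched as shell-style globs (the thread only shows "x509v3-*"), the key type is inferred from the PEM header, Match blocks are not modelled, and every path and file content is made up for the demonstration.

```python
"""pkixssh-10.2 host-key announcement model (added example, not PKIX-SSH code).

Rules implemented, as Roumen states them in the thread for versions before 11.0:
  * a HostKey file holding only a private key is announced under its plain name
    (ssh-rsa / ssh-dss); sshd logs a harmless "x509key_parse_cert: PEM_read_X509
    fail" message for such a file;
  * a HostKey file holding key + certificate is announced under the FIRST
    X509KeyAlgorithm line configured for that key type;
  * PubkeyAlgorithms restricts user authentication independently of host keys.
Assumptions (not from the thread): PubkeyAlgorithms uses shell-style globbing,
key type is inferred from the PEM header, Match blocks are not modelled, and
all paths and file contents below are constructed samples.
"""
from fnmatch import fnmatchcase

# Constructed sshd_config fragment: plain key file plus key+certificate file
# per key type, as Roumen recommends for 10.2.
SSHD_CONFIG = """\
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_rsa_x509
HostKey /etc/ssh/ssh_host_dsa_key
X509KeyAlgorithm x509v3-ssh-rsa,rsa-sha1,ssh-rsa
X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1
X509KeyAlgorithm x509v3-ssh-dss,dss-raw,ssh-dss
CACertificateFile /etc/ssh/ca/crt/ca-chain.cert.pem
# host keys may still be plain ssh-rsa; users must authenticate with X.509 keys
PubkeyAlgorithms x509v3-*
"""

# Constructed file contents; "<base64>" stands in for real key material.
KEY = "-----BEGIN {t} PRIVATE KEY-----\n<base64>\n-----END {t} PRIVATE KEY-----\n"
CERT = "-----BEGIN CERTIFICATE-----\n<base64>\n-----END CERTIFICATE-----\n"
HOST_KEY_FILES = {
    "/etc/ssh/ssh_host_rsa_key": KEY.format(t="RSA"),
    "/etc/ssh/ssh_host_rsa_x509": KEY.format(t="RSA") + CERT,
    "/etc/ssh/ssh_host_dsa_key": KEY.format(t="DSA"),
}

PEM_KEY_TYPES = {"-----BEGIN RSA PRIVATE KEY-----": "rsa",
                 "-----BEGIN DSA PRIVATE KEY-----": "dss"}
PLAIN_ALGORITHM = {"rsa": "ssh-rsa", "dss": "ssh-dss"}
CERT_MARKER = "-----BEGIN CERTIFICATE-----"


def parse_sshd_config(text):
    """Collect HostKey, X509KeyAlgorithm (order preserved) and PubkeyAlgorithms."""
    cfg = {"HostKey": [], "X509KeyAlgorithm": [], "PubkeyAlgorithms": []}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key, value = parts
        if key in ("HostKey", "X509KeyAlgorithm"):
            cfg[key].append(value)
        elif key == "PubkeyAlgorithms":
            cfg[key].extend(value.split(","))
    return cfg


def classify_key_file(content):
    """Return (key type, has_certificate) from the PEM blocks in a HostKey file."""
    for marker, key_type in PEM_KEY_TYPES.items():
        if marker in content:
            return key_type, CERT_MARKER in content
    raise ValueError("no supported private key block found")


def first_x509_algorithm(cfg, key_type):
    """Name of the first X509KeyAlgorithm line for this key type, or None."""
    for entry in cfg["X509KeyAlgorithm"]:
        name = entry.split(",")[0]
        if name.endswith("-" + key_type):
            return name
    return None


def announced_host_key_algorithms(cfg, files):
    """Map each HostKey path to the algorithm a 10.x sshd announces for it."""
    announced = {}
    for path in cfg["HostKey"]:
        key_type, has_cert = classify_key_file(files[path])
        if has_cert:
            announced[path] = first_x509_algorithm(cfg, key_type)
        else:
            # plain key: expect the harmless PEM_read_X509 debug message for it
            announced[path] = PLAIN_ALGORITHM[key_type]
    return announced


def pubkey_algorithm_allowed(cfg, algorithm):
    """True if PubkeyAlgorithms admits this user-key algorithm (absent = allow all)."""
    patterns = cfg["PubkeyAlgorithms"]
    return not patterns or any(fnmatchcase(algorithm, p) for p in patterns)


if __name__ == "__main__":
    cfg = parse_sshd_config(SSHD_CONFIG)
    for path, alg in announced_host_key_algorithms(cfg, HOST_KEY_FILES).items():
        print(f"{path}: announced as {alg}")
    for alg in ("x509v3-ssh-rsa", "x509v3-sign-rsa", "ssh-rsa"):
        verdict = "allowed" if pubkey_algorithm_allowed(cfg, alg) else "rejected"
        print(f"user auth with {alg}: {verdict}")
```

Running it against the constructed inputs reports ssh_host_rsa_key as ssh-rsa, ssh_host_rsa_x509 as x509v3-ssh-rsa (the first X509KeyAlgorithm line for RSA) and ssh_host_dsa_key as ssh-dss, and shows that with PubkeyAlgorithms x509v3-* a plain ssh-rsa user key is rejected while both X.509 RSA algorithms pass. The authorized_keys entry format Mohit asks about is not confirmed anywhere in the thread, so the example deliberately models only the host-key and algorithm-restriction side.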

