[ssh_x509] Clarification on pkixssh-10.2

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Sun Apr 15 16:04:41 EEST 2018


Hi Roumen,

So that means if we have RSA+Cert as Hostkey and X509KeyAlgorithm
x509v3-ssh-rsa,rsa-sha1,ssh-rsa in sshd_config, host key and identity
exchange will happen through x509v3-ssh-rsa?
If there is just RSA key as HostKey and  X509KeyAlgorithm x509v3-ssh-rsa,rsa
-sha1,ssh-rsa in sshd_config, host key will happen through ssh_rsa and
identity exchange will happen through x509v3-ssh-rsa?

One more question I have is, how to get Distinguished_Name from the user
certificate (using openssl x509 -noout -subject -in A_CERTIFICATE_FILE) which
gets appended to USERS_HOME/.ssh/ authorized_keys? Is user certificate
shared to Server administrator before configuring SSH server?

Thanks & Regards
Mohit Gupta

On Mon, Apr 9, 2018 at 9:38 PM, <ssh_x509 at roumenpetrov.info> wrote:

> Hello Mohit ,
>
> ssh_x509 at roumenpetrov.info wrote:
>
>>   Hi Roumen,
>>
>> Thanks for all your earlier responses.
>> Is it necessary to have same Host key algorithm and public key algorithm?
>>
> No. Host keys could use different algorithms then user identities (public
> key).
>
> I mean Host key should have x509v3-ssh-rsa and ssh_config should
>> have X509KeyAlgorithm x509v3-ssh-rsa,rsa-sha1,ssh-rsa?
>>
> In version before 11.0 "X509KeyAlgorithm x509v3-ssh-rsa..." must be listed
> first
> if you like key matherial to be announced as x509v3-ssh-rsa.
>
> Sample (only for rsa related part):
> ...
> X509KeyAlgorithm x509v3-ssh-rsa,rsa-sha1,ssh-rsa
> X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1
> X509KeyAlgorithm x509v3-sign-rsa,rsa-md5
> ...
> So if host key is rsa+certificate it will be announced as x509v3-ssh-rsa.
> Next two lines will be used to support legacy format for user identities
>
> For instance line " X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1" is for
> Tectia (ssh.com) clients and line
> "X509KeyAlgorithm x509v3-sign-rsa,rsa-md5" is SecureCRT clients (legacy
> format).
>
>
> If host key exchange is negotiated as ssh-dss, will public key
>> authentication will also use ssh-dss algorithm?
>>
> No.
>
> Should there be any relation in between server certificate and user
>> certificate? Or they can be generated and used independently
>>
>> PFA for sshd_config, ca-chain.cert.pem,www.example.com.key.pem,
>> www.example.com.cert.pem  (passphrase is secretpassword).
>> *www.example.com.cert.pem  is used as user certificate.*
>>
>> SSH Server configuration:-
>> 1. Using the existing host key which gets generated as part of SSH
>> installation.
>>
>> 2. sshd_config file:- PFA.
>> 2.1 AllowedCertPurpose any
>> 2.2 KeyAllowSelfIssued yes
>> 2.3 CACertificateFile /etc/ssh/ca/crt/ca-chain.cert.pem -- this is the
>> intermediate self-signed CA certificate which is used to generate user
>> certificate.
>>
>
> 3. User file on the server:-
>> 3.1 .ssh/authorized_keys
>> x509v3-sign-rsa subject= /C=GB/ST=California/L=Mountain View/O=Alice
>> Ltd/OU=Alice Ltd Web Services/CN=www.example.com
>> x509v3-ssh-rsa subject= /C=GB/ST=California/L=Mountain View/O=Alice
>> Ltd/OU=Alice Ltd Web Services/CN=www.example.com
>> *Is this the correct format of authorized_keys ? Can you send me an
>> example
>> of authroized_keys entry *?
>>
>
> x509v3-sign-rsa (!) and x509v3-ssh-rsa require respective entry in option
> X509KeyAlgorithm
> You request was to use only  RFC 6187.
> Otherwise format is connect but you don't need to list two times one and
> the same information.
>
>
>> 3.2 /etc/ssh/ca/crt
>> ls -ltr /etc/ssh/ca/crt/
>> -r--r--r--   1 root     root         4180 Apr  5 16:51 ca-chain.cert.pem
>> lrwxrwxrwx   1 root     root           17 Apr  6 05:45 cd927608.0 ->
>> ca-chain.cert.pem
>>
>> 3. We are using *SecureCRT* for connecting to our SSH server.
>> Under public key properties, global settings, we are using the same
>> ca-chain.cert.pem as identity or certificate file.
>>
> SecureCRT 8.3.2 lock good ;)
>
> *Please find the SSH server side log file attached also for the failure.*
>>
> ...
>
> debug1: userauth-request for userwww.example.com  ....
> debug3: Xkey_from_blob() pkalg='ssh-rsa', blen=535
> ....
>
> debug1: Could not open authorized keys '...../.ssh/authorized_keys.ww
> w.example.com': No such file or directory
> ....
>
> Client send plain keys and it seems to me you use server
> options*AuthorizedKeysFile*  with %u token.
> Perhaps you could remove ".%u" for options or you should use correct file
> name.
>
>
>
>> Thanks & Regards
>> Mohit Gupta
>> [SNIP]
>>
>>
> Regards,
> Roumen Petrov
>
>
> _______________________________________________
> ssh_x509 mailing list
> ssh_x509 at roumenpetrov.info
> http://roumenpetrov.info/mailman/listinfo/ssh_x509_roumenpetrov.info
>


More information about the ssh_x509 mailing list