[ssh_x509] Clarification on pkixssh-10.2

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Tue Apr 17 13:15:35 EEST 2018


Hi Roumen,

Can you please clarify on *A_CERTIFICATE_FILE*? Which certificate file is
mentioned in the README section 1.2?
Is it the user certificate? If yes, will server administrator know about
the user certificate beforehand so that he can configure user file
authorized_keys on the SSH Server?
Or is it a different Certificate? Kindly provide your valuable comments.

1.2.) user files on the server
  Append in USER_HOME/.ssh/authorized_keys a record with following
format:
<KEY_TYPE><SPACE><WORDDN><SPACE>{<Distinguished_Name>|CertBlob}
where:
KEY_TYPE:=x509v3-sign-rsa|x509v3-sign-dss (case sensitive !)
WORDDN:={Distinguished Name|
        Distinguished-Name|
        Distinguished_Name|
        DistinguishedName|
        DN|
        Subject}<WORDDNSUFF>
WORDDNSUFF:='='|':'|''
NOTES:
- WORDDN is case insensitive !

- <Distinguished Name> is like output from command:
$ openssl x509 -noout -subject -in *A_CERTIFICATE_FILE*

- <Distinguished Name> can be in RFC2253 format like output from command:
$ openssl x509 -noout -subject -in *A_CERTIFICATE_FILE* -nameopt RFC2253


Thanks & Regards
Mohit Gupta

On Sun, Apr 15, 2018 at 6:34 PM, <ssh_x509 at roumenpetrov.info> wrote:

> Hi Roumen,
>
> So that means if we have RSA+Cert as Hostkey and X509KeyAlgorithm
> x509v3-ssh-rsa,rsa-sha1,ssh-rsa in sshd_config, host key and identity
> exchange will happen through x509v3-ssh-rsa?
> If there is just RSA key as HostKey and  X509KeyAlgorithm
> x509v3-ssh-rsa,rsa
> -sha1,ssh-rsa in sshd_config, host key will happen through ssh_rsa and
> identity exchange will happen through x509v3-ssh-rsa?
>
> One more question I have is, how to get Distinguished_Name from the user
> certificate (using openssl x509 -noout -subject -in A_CERTIFICATE_FILE)
> which
> gets appended to USERS_HOME/.ssh/ authorized_keys? Is user certificate
> shared to Server administrator before configuring SSH server?
>
> Thanks & Regards
> Mohit Gupta
>
> On Mon, Apr 9, 2018 at 9:38 PM, <ssh_x509 at roumenpetrov.info> wrote:
>
> > Hello Mohit ,
> >
> > ssh_x509 at roumenpetrov.info wrote:
> >
> >>   Hi Roumen,
> >>
> >> Thanks for all your earlier responses.
> >> Is it necessary to have same Host key algorithm and public key
> algorithm?
> >>
> > No. Host keys could use different algorithms then user identities (public
> > key).
> >
> > I mean Host key should have x509v3-ssh-rsa and ssh_config should
> >> have X509KeyAlgorithm x509v3-ssh-rsa,rsa-sha1,ssh-rsa?
> >>
> > In version before 11.0 "X509KeyAlgorithm x509v3-ssh-rsa..." must be
> listed
> > first
> > if you like key matherial to be announced as x509v3-ssh-rsa.
> >
> > Sample (only for rsa related part):
> > ...
> > X509KeyAlgorithm x509v3-ssh-rsa,rsa-sha1,ssh-rsa
> > X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1
> > X509KeyAlgorithm x509v3-sign-rsa,rsa-md5
> > ...
> > So if host key is rsa+certificate it will be announced as x509v3-ssh-rsa.
> > Next two lines will be used to support legacy format for user identities
> >
> > For instance line " X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1" is for
> > Tectia (ssh.com) clients and line
> > "X509KeyAlgorithm x509v3-sign-rsa,rsa-md5" is SecureCRT clients (legacy
> > format).
> >
> >
> > If host key exchange is negotiated as ssh-dss, will public key
> >> authentication will also use ssh-dss algorithm?
> >>
> > No.
> >
> > Should there be any relation in between server certificate and user
> >> certificate? Or they can be generated and used independently
> >>
> >> PFA for sshd_config, ca-chain.cert.pem,www.example.com.key.pem,
> >> www.example.com.cert.pem  (passphrase is secretpassword).
> >> *www.example.com.cert.pem  is used as user certificate.*
> >>
> >> SSH Server configuration:-
> >> 1. Using the existing host key which gets generated as part of SSH
> >> installation.
> >>
> >> 2. sshd_config file:- PFA.
> >> 2.1 AllowedCertPurpose any
> >> 2.2 KeyAllowSelfIssued yes
> >> 2.3 CACertificateFile /etc/ssh/ca/crt/ca-chain.cert.pem -- this is the
> >> intermediate self-signed CA certificate which is used to generate user
> >> certificate.
> >>
> >
> > 3. User file on the server:-
> >> 3.1 .ssh/authorized_keys
> >> x509v3-sign-rsa subject= /C=GB/ST=California/L=Mountain View/O=Alice
> >> Ltd/OU=Alice Ltd Web Services/CN=www.example.com
> >> x509v3-ssh-rsa subject= /C=GB/ST=California/L=Mountain View/O=Alice
> >> Ltd/OU=Alice Ltd Web Services/CN=www.example.com
> >> *Is this the correct format of authorized_keys ? Can you send me an
> >> example
> >> of authroized_keys entry *?
> >>
> >
> > x509v3-sign-rsa (!) and x509v3-ssh-rsa require respective entry in option
> > X509KeyAlgorithm
> > You request was to use only  RFC 6187.
> > Otherwise format is connect but you don't need to list two times one and
> > the same information.
> >
> >
> >> 3.2 /etc/ssh/ca/crt
> >> ls -ltr /etc/ssh/ca/crt/
> >> -r--r--r--   1 root     root         4180 Apr  5 16:51 ca-chain.cert.pem
> >> lrwxrwxrwx   1 root     root           17 Apr  6 05:45 cd927608.0 ->
> >> ca-chain.cert.pem
> >>
> >> 3. We are using *SecureCRT* for connecting to our SSH server.
> >> Under public key properties, global settings, we are using the same
> >> ca-chain.cert.pem as identity or certificate file.
> >>
> > SecureCRT 8.3.2 lock good ;)
> >
> > *Please find the SSH server side log file attached also for the failure.*
> >>
> > ...
> >
> > debug1: userauth-request for userwww.example.com  ....
> > debug3: Xkey_from_blob() pkalg='ssh-rsa', blen=535
> > ....
> >
> > debug1: Could not open authorized keys '...../.ssh/authorized_keys.ww
> > w.example.com': No such file or directory
> > ....
> >
> > Client send plain keys and it seems to me you use server
> > options*AuthorizedKeysFile*  with %u token.
> > Perhaps you could remove ".%u" for options or you should use correct file
> > name.
> >
> >
> >
> >> Thanks & Regards
> >> Mohit Gupta
> >> [SNIP]
> >>
> >>
> > Regards,
> > Roumen Petrov
> >
> >
> > _______________________________________________
> > ssh_x509 mailing list
> > ssh_x509 at roumenpetrov.info
> > http://roumenpetrov.info/mailman/listinfo/ssh_x509_roumenpetrov.info
> >
> _______________________________________________
> ssh_x509 mailing list
> ssh_x509 at roumenpetrov.info
> http://roumenpetrov.info/mailman/listinfo/ssh_x509_roumenpetrov.info
>


More information about the ssh_x509 mailing list