[ssh_x509] Even after the Certificates are setup in Server and client, ssh prompts for password!!!

ssh_x509 at roumenpetrov.info
Wed May 8 05:10:25 EEST 2019

Hi All,
  I have cloned the master branch from GitLab
("https://gitlab.com/secsh/pkixssh"), then built and installed the project. I could
start sshd on system bootup, and I could also ssh from another machine using
password authentication. I had placed my "hostkey" (concatenated with the
certificate) in "/usr/local/etc/" and the "identity" file on the client machine
under the path "/usr/local/etc/".
I have both the client and server certificates certified by intermediate
and root authorities, so the bundle, which is the concatenation of both
root and intermediate certificates, is kept under the path
"/usr/local/etc/ca/chain.brt.crt.pem", and I updated the path using the config
variable "CACertificateFile" in sshd_config.
Below are the variables I have updated in the sshd_config file:
1) "HostKey /usr/local/etc/ssh_host_ecdsa_key"
2) PubkeyAlgorithms x509v3-ecdsa-sha2-nistp256
3) in the "~/.ssh/authorized_keys" file I have the entry
"subject= C = SG, ST = Singapore, L = MacPherson, O = BridgeTek Pte Ltd, OU
= R&D Software, CN = brtchip-panl001.com,
emailAddress = srinivasan.r at brtchip.com"
4) "CACertificateFile /usr/local/etc/ca/chain.brt.crt.pem"
5) "AllowedCertPurpose sslserver"

Similarly, on the client side I have the below config in
1) PubkeyAlgorithms x509v3-ecdsa-sha2-nistp256
2) "IdentityFile /usr/local/etc/ssh_host_ecdsa_key"
3)  "AllowedCertPurpose sslserver"
4) "CACertificateFile /usr/local/etc/ca/chain.brt.crt.pem"

With this configuration set up, when I ssh to the server using "*ssh
root at <root at>*", it connects with only password
authentication. Why is it not picking up the certificates automatically?

Where can I see the debug logs?

Please help.

