[ssh_x509] Is It possible to have the Cert file in PEM format separately

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Thu May 9 20:07:13 EEST 2019


Hi Srini,

ssh_x509 at roumenpetrov.info wrote:
> Hi,
>    I am now able to use PKIXSSH with the certificate installed on the server
> and client side for doing SSH. But currently it is working only if I
> have both the private key and certificate in one single IdentityFile,
> concatenating these components. But I wanted to try having the certificate
> and private key in separate files, because I want to hide the
> private key from being exposed on the disk, and rather want to load the private key from
> my hardware chip using the engine option.

If I remember well, you pointed to an engine that supports the command 
"LOAD_CERT_CTRL", so the engine is supposed to return a "certificate" that 
matches the "private key".
Run at debug level 3 and search for the message "... eng cmd LOAD_CERT_CTRL 
return ...".
The good value is 1, otherwise :( .


> I have tried using the option "CertificateFile
> /usr/local/etc/ssh_hostkey-cert" in my ssh_config file.
Not related. It is used to find "intermediate" certificates if an 
rfc6187 algorithm is used.

>   As I could see in
> the source code, in the function "*load_public_identity_files()*" the code
> didn't interpret the type of the file in the "CertificateFile", so it frees
> the file.

The file is key-eng.c.
Expected debug (level 3) output:
....
debug1: Next authentication method: publickey
Trying private key: engine:e_nss:SSH ECDSA(nistp521) test 
certificate(rsa_sha1) - SSH Test Team 
cyrillic-\320\220\320\221\320\222-\320\257\320\260\320\261\320\262-\321\217 
greek-\316\221\316\222\316\223-\316\251\316\261\316\262\316\263-\317\211
debug3: sshkey_load_private_type() type=13, filename=engine:e_nss:SSH 
ECDSA(nistp521) test certificate(rsa_sha1) - SSH Test Team 
cyrillic-\320\220\320\221\320\222-\320\257\320\260\320\261\320\262-\321\217 
greek-\316\221\316\222\316\223-\316\251\316\261\316\262\316\263-\317\211
debug3: ui_read: read_passphrase prompt=Enter pass phrase for NSS 
Certificate DB:
debug3: eng_try_load_cert: eng cmd LOAD_CERT_EVP return 1
debug3: eng_try_load_cert: certificate=0x5604c61634b0
debug3: ssh_build_certchain_cb:  ....
debug3: x509key_build_chain length=2
debug3: ENGINE private key type: ECDSA+cert
debug1: read ENGINE private key done: type ECDSA+cert
debug3: sign_and_send_pubkey: ECDSA+cert 
SHA256:Su870yYzFusFXD1QYwgHno6h1mNBKR17GoJAjM6p5tY
....

Remark: "e_nss" supports both commands LOAD_CERT_EVP and LOAD_CERT_CTRL.


> Please help.
>
> Regards,
> Srini.

Regards,
Roumen
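The check Roumen describes (run the client at debug level 3 and look at what the engine's LOAD_CERT command returned) as a small script. This is an added example, not code from the thread or from PKIX-SSH; the function name, exit codes and the constructed sample log are ours, and the sample lines are copied from the debug output quoted above.

```shell
#!/bin/sh
# Added example: inspect PKIX-SSH debug-3 output for the engine
# certificate-load result. Real use:  ssh -vvv user@host 2>&1 > log; check_engine_cert log
# Exit codes (ours): 0 = engine returned a certificate, 1 = engine returned
# something other than 1, 2 = no LOAD_CERT line at all (wrong debug level, or
# the identity is not an engine: identity).

check_engine_cert() {
    _log="$1"
    # e_nss supports both LOAD_CERT_EVP and LOAD_CERT_CTRL, so match either.
    _ret=$(sed -n 's/.*eng cmd LOAD_CERT_[A-Z]* return \([0-9-]*\).*/\1/p' "$_log" | head -n 1)
    if [ -z "$_ret" ]; then
        echo "no 'eng cmd LOAD_CERT_* return' line found: engine was not asked for a certificate"
        return 2
    fi
    if [ "$_ret" != "1" ]; then
        echo "engine LOAD_CERT returned $_ret: no certificate matching the private key"
        return 1
    fi
    # On success the key type is reported as '<alg>+cert' (e.g. ECDSA+cert).
    _type=$(sed -n 's/.*ENGINE private key type: \(.*\)$/\1/p' "$_log" | head -n 1)
    echo "engine returned a certificate; ENGINE key type: ${_type:-unknown}"
    return 0
}

# Constructed sample log (lines taken from the thread's quoted debug output).
_sample=$(mktemp)
printf '%s\n' \
    'debug1: Next authentication method: publickey' \
    'debug3: eng_try_load_cert: eng cmd LOAD_CERT_EVP return 1' \
    'debug3: eng_try_load_cert: certificate=0x5604c61634b0' \
    'debug3: x509key_build_chain length=2' \
    'debug3: ENGINE private key type: ECDSA+cert' > "$_sample"
check_engine_cert "$_sample"
rm -f "$_sample"
```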
