[ssh_x509] Even after the Certificates are setup in Server and client, ssh prompts for password!!!

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Thu May 9 20:35:30 EEST 2019


Hi Srini,
ssh_x509 at roumenpetrov.info wrote:
> Hi All,
>    I have cloned the master branch from the gitlab "
> https://gitlab.com/secsh/pkixssh", built and installed the project. I could
> start sshd on system bootup, also I could do ssh from other machine using
> password authentication. I had placed my "hostkey" (concatenated with
> Certificate) in "/usr/local/etc/"   and "identity" file in client machine
> under the path "/usr/local/etc/"
Hmm. Fine for host key, but not so common for "identity".

> I have both the client and server certificates certified by intermediate
> and root authorities, so the bundle, which is the concatenation of both
> root and intermediate certificate is kept under the path
> "/usr/local/etc/ca/chain.brt.crt.pem" and updated the path using the config
> variable "CACertificateFile" in sshd_config.
> Below are the variables I have updated in the sshd_config file
> 1) "HostKey /usr/local/etc/ssh_host_ecdsa_key"
> 2) PubkeyAlgorithms x509v3-ecdsa-sha2-nistp256
> 3) "in "~/.ssh/authorized_keys" file I have the entry
> *x509v3-ecdsa-sha2-nistp256
> subject= C = SG, ST = Singapore, L = MacPherson, O = BridgeTek Pte Ltd, OU
> = R&D Software, CN = brtchip-panl001.com <http://brtchip-panl001.com>,
> emailAddress = srinivasan.r at brtchip.com <srinivasan.r at brtchip.com>*"
I guess that star (*) is unattended input from the mail program.

> 4) "CACertificateFile /usr/local/etc/ca/chain.brt.crt.pem"
> 5) "AllowedCertPurpose sslserver"
>
> Similarly in the client side I have below config in
> /usr/local/etc/ssh_config
> 1) PubkeyAlgorithms x509v3-ecdsa-sha2-nistp256
> 2) "IdentityFile /usr/local/etc/ssh_host_ecdsa_key"
> 3)  "AllowedCertPurpose sslserver"
> 4) "CACertificateFile /usr/local/etc/ca/chain.brt.crt.pem"
>
> With this configuration set up, when I do ssh to the server using "*ssh
> root at 192.168.6.128 <root at 192.168.6.128>*" it connects with only password
> authentication. Why is it not picking the certificates automatically?
Should be due to file permissions.
There are specific requirements for the host key and for the identity file.

>
> Where to see for the debug logs?

Good question. It depends on the syslogd configuration and the sshd
configuration options LogLevel and SyslogFacility.

For instance I have
1) in syslog.conf
local3.*                    -/var/log/local3
2) in sshd_config
SyslogFacility LOCAL3
LogLevel VERBOSE

In such a case I could see all messages in /var/log/local3. Other
locations (files) are not so important.




>
> Please help.
>
> Regards,
> Srini.

Roumen
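
The file-permission check suggested in the reply, as an added example that is not part of the original message or of PKIX-SSH. It assumes PKIX-SSH keeps the stock OpenSSH rules: a private key owned by the caller must have no group/other access bits, and with StrictModes the authorized_keys file and its directories up to the home directory must be owned by root or the user and not be group/world-writable. Function names and the sample directory tree are constructed here.

```python
import os
import stat
import tempfile

def private_key_problems(path, uid=None):
    """Private key rule: a key owned by the caller must have no group/other bits."""
    uid = os.getuid() if uid is None else uid
    st = os.stat(path)
    if st.st_uid == uid and st.st_mode & 0o077:
        return [f"{path}: mode {stat.S_IMODE(st.st_mode):04o} is too open, expected 0600"]
    return []

def strict_modes_problems(path, home, uid=None):
    """StrictModes rule: the file and every directory up to the home directory
    must be owned by root or the user and must not be group/world-writable."""
    uid = os.getuid() if uid is None else uid
    current, home = os.path.realpath(path), os.path.realpath(home)
    problems = []
    while True:
        st = os.stat(current)
        if st.st_uid not in (0, uid):
            problems.append(f"{current}: owned by uid {st.st_uid}")
        if st.st_mode & 0o022:
            problems.append(f"{current}: mode {stat.S_IMODE(st.st_mode):04o} is group/world-writable")
        parent = os.path.dirname(current)
        if current == home or parent == current:
            return problems
        current = parent

def demo():
    """Build a constructed home directory with two deliberate mistakes and audit it."""
    home = tempfile.mkdtemp()
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir)
    key = os.path.join(home, "identity")  # constructed stand-in for the IdentityFile
    auth = os.path.join(ssh_dir, "authorized_keys")
    for name in (key, auth):
        with open(name, "w") as fh:
            fh.write("constructed sample, not real key material\n")
    os.chmod(key, 0o644)      # mistake 1: private key readable by group and others
    os.chmod(auth, 0o600)
    os.chmod(ssh_dir, 0o775)  # mistake 2: ~/.ssh writable by group
    os.chmod(home, 0o700)
    return private_key_problems(key), strict_modes_problems(auth, home)

if __name__ == "__main__":
    for finding in sum(demo(), []):
        print(finding)
```

Run it against the real paths by calling private_key_problems() on the host key or identity file and strict_modes_problems() on the account's authorized_keys with that account's home directory and uid.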