[ssh_x509] Even after the Certificates are setup in Server and client, ssh prompts for password!!!

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Thu May 23 11:02:47 EEST 2019


Hi Roumen,
   Thanks for pointing out the debug options. I am still stuck connecting
using the certificate, but this time I could see better logs for debugging
from both the server and client side.
Client logs:
-------------
debug2: pubkey_prepare: done
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: publickey-algorithms at roumenpetrov.info
=<x509v3-ecdsa-sha2-nistp256,x509v3-sign-rsa,x509v3-ssh-rsa,ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: kex_input_ext_info:
server-sig-algs=<x509v3-ecdsa-sha2-nistp256,x509v3-sign-rsa,x509v3-ssh-rsa,ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
Trying private key: /usr/local/etc/id_rsa
Trying private key: /usr/local/etc/id_dsa
Trying private key: /usr/local/etc/ssh_hostkey
*debug2: we sent a publickey packet, wait for reply*
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
Trying private key: /usr/local/etc/id_ed25519
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply

Server logs:
---------------
debug2: input_userauth_request: try method publickey [preauth]
debug3: Xkey_from_blob() pkalg='x509v3-ecdsa-sha2-nistp256', blen=2716
[preauth]
debug3: X509key_from_buf2_common: certificate-count: 3 [preauth]
debug3: X509key_from_buf2_common: certificate[0]=0x91cea8 [preauth]
debug3: x509_to_key: X509_get_pubkey done! [preauth]
debug3: X509key_from_buf2_common: certificate[1]=0x91ef60 [preauth]
debug3: X509key_from_buf2_common: certificate[2]=0x92ff70 [preauth]
debug3: X509key_from_buf2_common: ocsp-response-count: 0 [preauth]
debug3: userauth_pubkey: have signature for x509v3-ecdsa-sha2-nistp256
ECDSA+cert SHA256:woUs+eq/xFIs9s38IHC72wEWUA9kVg8xuGe9hOEvUr4 [preauth]
debug3: mm_xkey_allowed entering [preauth]
debug3: mm_request_send entering: type 22 [preauth]
debug3: mm_xkey_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
debug3: mm_request_receive_expect entering: type 23 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 22
debug3: mm_answer_keyallowed entering
debug3: Xkey_from_blob() pkalg='x509v3-ecdsa-sha2-nistp256', blen=2716
debug3: X509key_from_buf2_common: certificate-count: 3
debug3: X509key_from_buf2_common: certificate[0]=0x9287b8
debug3: x509_to_key: X509_get_pubkey done!
debug3: X509key_from_buf2_common: certificate[1]=0x92ae50
debug3: X509key_from_buf2_common: certificate[2]=0x92d6b0
debug3: X509key_from_buf2_common: ocsp-response-count: 0
debug3: mm_answer_keyallowed: xkey_from_blob: x509v3-ecdsa-sha2-nistp256
0x92ba40
debug1: temporarily_use_uid: 0/0 (e=0/0)

*debug1: trying public key file /root/.ssh/authorized_keys
debug1: fd 6 clearing O_NONBLOCK
debug3: x509key_from_subject(4, [subject= C = SG, ST = Singapore, L = MacPherson, O = BridgeTek Pte Ltd, OU = R&D Software, CN = brtchip-panl.com, emailAddress = srinivasan.r at brtchip.com]) called
debug3: x509key_from_subject: subject=[C = SG, ST = Singapore, L = MacPherson, O = BridgeTek Pte Ltd, OU = R&D Software, CN = brtchip-panl.com, emailAddress = srinivasan.r at brtchip.com]
debug3: x509key_str2X509NAME: return 1
debug3: x509key_from_subject: return 0x92d088
debug1: restore_uid: 0/0
debug3: mm_answer_keyallowed: publickey authentication: ECDSA+cert key is not allowed
Failed publickey for root from 192.168.6.197 port 42690 ssh2: ECDSA+cert SHA256:woUs+eq/xFIs9s38IHC72wEWUA9kVg8xuGe9hOEvUr4*
debug3: mm_request_send entering: type 23
debug2: userauth_pubkey: authenticated 0 pkalg x509v3-ecdsa-sha2-nistp256
[preauth]
debug3: user_specific_delay: user specific delay 0.000ms [preauth]
debug3: ensure_minimum_time_since: elapsed 38.659ms, delaying 20.443ms
(requested 7.388ms) [preauth]
debug3: userauth_finish: failure partial=0 next
methods="publickey,password,keyboard-interactive" [preauth]


It would be great if you could give me some pointers.

Regards,
Srini.

On Fri, May 10, 2019 at 1:35 AM <ssh_x509 at roumenpetrov.info> wrote:

> Hi Srini ,
> ssh_x509 at roumenpetrov.info wrote:
> > Hi All,
> >    I have cloned the master branch from the gitlab "
> > https://gitlab.com/secsh/pkixssh", built and installed the project. I
> could
> > start sshd on system boot-up, and I could also ssh from another machine using
> > password authentication. I had placed my "hostkey" (concatenated with the
> > certificate) in "/usr/local/etc/" and the "identity" file on the client machine
> > under the path "/usr/local/etc/".
> Hmm. Fine for the host key, but not so common for the "identity".
>
> > I have both the client and server certificates certified by intermediate
> > and root authorities, so the bundle, which is the concatenation of both
> > root and intermediate certificate is kept under the path
> > "/usr/local/etc/ca/chain.brt.crt.pem" and updated the path using the
> config
> > variable "CACertificateFile" in sshd_config.
> > Below are the variables I have update in the sshd_config file
> > 1) "HostKey /usr/local/etc/ssh_host_ecdsa_key"
> > 2) PubkeyAlgorithms x509v3-ecdsa-sha2-nistp256
> > 3) In the "~/.ssh/authorized_keys" file I have the entry
> > *x509v3-ecdsa-sha2-nistp256
> > subject= C = SG, ST = Singapore, L = MacPherson, O = BridgeTek Pte Ltd,
> OU
> > = R&D Software, CN = brtchip-panl001.com,
> > emailAddress = srinivasan.r at brtchip.com*
> I guess that the star (*) is unintended input from the mail program.
>
> > 4) "CACertificateFile /usr/local/etc/ca/chain.brt.crt.pem"
> > 5) "AllowedCertPurpose sslserver"
> >
> > Similarly in the client side I have below config in
> > /usr/local/etc/ssh_config
> > 1) PubkeyAlgorithms x509v3-ecdsa-sha2-nistp256
> > 2) "IdentityFile /usr/local/etc/ssh_host_ecdsa_key"
> > 3)  "AllowedCertPurpose sslserver"
> > 4) "CACertificateFile /usr/local/etc/ca/chain.brt.crt.pem"
> >
> > With this configuration setup, when I ssh to the server using "*ssh
> > root at 192.168.6.128*" it connects with only password
> > authentication. Why is it not picking up the certificates automatically?
> Should be due to file permissions.
> There are specific requirements for the host key and for the identity file.
>
> >
> > Where to see for the debug logs?
>
> Good question. It depends on the syslogd configuration and the sshd
> configuration options LogLevel and SyslogFacility.
>
> For instance I have
> 1) in syslog.conf
> local3.*                    -/var/log/local3
> 2) in sshd_config
> SyslogFacility LOCAL3
> LogLevel VERBOSE
>
> In such a case I could see all messages in /var/log/local3. Other
> locations (files) are not so important.
>
>
>
>
> >
> > Please help.
> >
> > Regards,
> > Srini.
>
> Roumen
>
>
> _______________________________________________
> ssh_x509 mailing list
> ssh_x509 at roumenpetrov.info
> http://roumenpetrov.info/mailman/listinfo/ssh_x509_roumenpetrov.info
>
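The server log above reports "ECDSA+cert key is not allowed" immediately after sshd parsed a subject from /root/.ssh/authorized_keys, and the subject the server logged (CN = brtchip-panl.com) is not the same as the one in the authorized_keys entry quoted in the earlier mail (CN = brtchip-panl001.com). The script below is an added example, not part of this thread and not PKIX-SSH code: it extracts the subject that sshd logged and compares it attribute by attribute against every `subject=` entry in an authorized_keys file, so a mismatch like that one is reported by attribute rather than hidden in a joined log line. The log lines and the authorized_keys entry are constructed from the thread (the e-mail address is a placeholder); the DN parser assumes the ", "-separated one-line form shown in the log with no escaped commas, and the check assumes that a `subject=` entry must agree with the certificate subject on every attribute.

```python
"""Compare the X.509 subject sshd logged for a client certificate with
the subject= entries in authorized_keys (added example, not PKIX-SSH code)."""
import re
from typing import Dict, List, Tuple

# Constructed sample input modelled on the sshd debug3 lines in the thread.
# The e-mail address is a placeholder; the other attributes follow the thread.
SSHD_LOG = """\
debug3: x509key_from_subject: subject=[C = SG, ST = Singapore, L = MacPherson, O = BridgeTek Pte Ltd, OU = R&D Software, CN = brtchip-panl.com, emailAddress = user@example.com]
debug3: mm_answer_keyallowed: publickey authentication: ECDSA+cert key is not allowed
"""

# Constructed sample authorized_keys carrying the entry quoted in the thread.
AUTHORIZED_KEYS = """\
# entries without a subject= part are ignored by this example
x509v3-ecdsa-sha2-nistp256 subject= C = SG, ST = Singapore, L = MacPherson, O = BridgeTek Pte Ltd, OU = R&D Software, CN = brtchip-panl001.com, emailAddress = user@example.com
"""

LOG_SUBJECT_RE = re.compile(r"x509key_from_subject: subject=\[(?P<dn>[^\]]*)\]")
AK_SUBJECT_RE = re.compile(r"^(?P<alg>x509v3-\S+)\s+subject=\s*(?P<dn>.+?)\s*$")


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse 'C = SG, ST = Singapore, ...' into {'C': 'SG', ...}.

    Simplified on purpose: assumes the ', '-separated one-line form from the
    log, with no escaped commas and no repeated attribute types.
    """
    rdns: Dict[str, str] = {}
    for part in dn.split(", "):
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns[attr.strip()] = value.strip()
    return rdns


def logged_subjects(log_text: str) -> List[Dict[str, str]]:
    """Subjects that sshd logged while looking up the client certificate."""
    return [parse_dn(m.group("dn")) for line in log_text.splitlines()
            if (m := LOG_SUBJECT_RE.search(line))]


def authorized_subjects(ak_text: str) -> List[Tuple[str, Dict[str, str]]]:
    """(algorithm, subject) for every subject= entry in authorized_keys."""
    entries = []
    for line in ak_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = AK_SUBJECT_RE.match(line)
        if m:
            entries.append((m.group("alg"), parse_dn(m.group("dn"))))
    return entries


def dn_diff(logged: Dict[str, str], authorized: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Attributes whose values differ, or that exist on only one side."""
    diffs = {}
    for attr in sorted(set(logged) | set(authorized)):
        got, want = logged.get(attr), authorized.get(attr)
        if got != want:
            diffs[attr] = (got, want)
    return diffs


def check_authorized_keys(log_text: str, ak_text: str) -> List[dict]:
    """One report entry per (logged subject, authorized_keys subject) pair."""
    report = []
    for logged in logged_subjects(log_text):
        for alg, authorized in authorized_subjects(ak_text):
            diffs = dn_diff(logged, authorized)
            report.append({"alg": alg, "match": not diffs, "diffs": diffs})
    return report


if __name__ == "__main__":
    for entry in check_authorized_keys(SSHD_LOG, AUTHORIZED_KEYS):
        print(("MATCH" if entry["match"] else "MISMATCH"), entry["alg"])
        for attr, (got, want) in entry["diffs"].items():
            print(f"  {attr}: certificate={got!r} authorized_keys={want!r}")
```

On a real host, point SSHD_LOG at the file chosen by SyslogFacility (for the configuration Roumen describes, /var/log/local3 with LogLevel set so that debug3 lines appear) and AUTHORIZED_KEYS at the target user's file; the subject string to compare against can also be taken directly from the client certificate with `openssl x509 -in cert.pem -noout -subject`.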

