[ssh_x509] x509v3-rsa2048-sha256 algorithm support in PKISSH-10.2

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Mon Sep 9 16:51:50 EEST 2019


Hi Roumen,
Precisely, even the x509v3-ssh-rsa algorithm is not working, which used to work
with the same configuration.
PFA the SSH server side debug logs.

Thanks & Regards
Mohit Gupta

On Mon, Sep 9, 2019 at 5:18 PM <ssh_x509 at roumenpetrov.info> wrote:

> Hi Roumen,
> Thanks for sharing the commit link. I tried applying the changes in
> PKISSH10.2 but it is not working as expected.
> I have even taken care of the comments that you provided above about the
> Xkey_algoriths function in ssh-x509.c.
>
> Please find attached SSH server side logs for more details.
>
> debug1: userauth_send_motd_banner: MOTD sent
> debug1: userauth_send_motd_banner:
> debug2: input_userauth_request: try method none
> Failed none for mkgupta from 134.141.188.75 port 61633 ssh2
> debug3: userauth_finish: failure partial=0 next methods="publickey"
> debug3: send packet: type 51
> debug3: receive packet: type 50
> debug1: userauth-request for user mkgupta service ssh-connection method
> publickey
> debug1: attempt 1 failures 0
> debug2: input_userauth_request: try method publickey
> debug1: password:(null)
>
> debug1: sshpam_tty_conv enter
>
> debug1: sshpam_tty_conv prompt echo
>
> debug1: After pam authenticate sshpam_err :19,
> sshpampasswd:(null),authctxt->valid:1
>
> debug1: PAM: password authentication failed for mkgupta: Conversation error
> debug3: Xkey_from_blob() pkalg='x509v3-ssh-rsa', blen=2804
> debug3: X509key_from_buf2_common: certificate-count: 2
> debug3: X509key_from_buf2_common: certificate[0]=0x563c605d54d0
> debug3: x509_to_key: X509_get_pubkey done!
> userauth_pubkey: cannot decode key: x509v3-ssh-rsa
> debug2: userauth_pubkey: authenticated 0 pkalg x509v3-ssh-rsa
> Failed publickey for mkgupta from 134.141.188.75 port 61633 ssh2
> debug3: userauth_finish: failure partial=0 next methods="publickey"
> debug3: send packet: type 51
> debug3: receive packet: type 1
> Received disconnect from 134.141.188.75 port 61633:11: No supported
> authentication methods available
> Disconnected from authenticating user mkgupta 134.141.188.75 port 61633
> debug1: do_cleanup
> debug1: PAM: cleanup
> debug3: PAM: sshpam_thread_cleanup entering
>
> Thanks & Regards
> Mohit Gupta
>
> On Tue, Sep 3, 2019 at 9:03 PM <ssh_x509 at roumenpetrov.info> wrote:
>
> > Hello,
> >
> > ssh_x509 at roumenpetrov.info wrote:
> > > Hi Roumen,
> > > As per our discussion in the previous email, I got to know that
> > > x509v3-rsa2048-sha256 algorithm support is added in PKISSH-12.1 which has
> > > OpenSSH-8.0p1 version.
> > > We are using PKISSH-10.2 which has OpenSSH-7.5p1 version and would like you
> > > to use the same version for now. But we would also like to have
> > > x509v3-rsa2048-sha256 algorithm support in the same version. Kindly let me
> > > know if x509v3-rsa2048-sha256 algorithm support can be patched back in
> > > PKISSH-10.2 release or not. If Yes, kindly provide us with the changes so
> > > that we can patch the same in PKISSH-10.2.
> >
> >
> > This is the commit -
> > https://gitlab.com/secsh/pkixssh/commit/d051dfbc1d680f109287204a83ac996334d36c87
> > ( plain
> > https://gitlab.com/secsh/pkixssh/commit/d051dfbc1d680f109287204a83ac996334d36c87.diff
> > ) .
> > For sure the patch will fail for non-significant modifications like .Dd
> > $Mdocdate: June 14 2019 $ , i.e. the patch fails on manual pages.
> >
> > Another failure is in ssh-x509.c function Xkey_algoriths. It is safe to
> > ignore as it is related to "multi-algorithm host-keys" functionality from
> > 11.0.
> >
> >
> > > Thanks & Regards
> > > Mohit Gupta
> >
> > Regards,
> > Roumen Petrov
> >
> >
> > _______________________________________________
> > ssh_x509 mailing list
> > ssh_x509 at roumenpetrov.info
> > http://roumenpetrov.info/mailman/listinfo/ssh_x509_roumenpetrov.info
> >
-------------- next part --------------
/usr/sbin/sshd -ddd -p 5000
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 767
debug2: parse_server_config: config /etc/ssh/sshd_config len 767
debug3: /etc/ssh/sshd_config:13 setting Port 22
debug3: /etc/ssh/sshd_config:14 setting Port 830
debug3: /etc/ssh/sshd_config:15 setting Protocol 2
debug3: /etc/ssh/sshd_config:20 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: /etc/ssh/sshd_config:21 setting HostKey /etc/ssh/ssh_host_dsa_key
debug3: /etc/ssh/sshd_config:22 setting HostKey /etc/ssh/ssh_host_ecdsa_key
debug3: /etc/ssh/sshd_config:33 setting LoginGraceTime 60
debug3: /etc/ssh/sshd_config:34 setting PermitRootLogin yes
debug3: /etc/ssh/sshd_config:37 setting MaxSessions 1
debug3: /etc/ssh/sshd_config:56 setting IgnoreRhosts yes
debug3: /etc/ssh/sshd_config:63 setting ChallengeResponseAuthentication no
debug3: /etc/ssh/sshd_config:84 setting UsePAM yes
debug3: /etc/ssh/sshd_config:87 setting AllowTcpForwarding no
debug3: /etc/ssh/sshd_config:99 setting ClientAliveInterval 30
debug3: /etc/ssh/sshd_config:100 setting ClientAliveCountMax 4
debug3: /etc/ssh/sshd_config:104 setting AllowedLogin admin
debug3: /etc/ssh/sshd_config:113 setting Subsystem sftp /usr/libexec/sftp-server
debug3: /etc/ssh/sshd_config:114 setting Subsystem netconf /usr/confd/bin/confd_netconf_subsys
debug3: /etc/ssh/sshd_config:123 setting X509KeyAlgorithm x509v3-ssh-rsa,rsa-sha1,ssh-rsa
debug3: /etc/ssh/sshd_config:124 setting X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1
debug3: /etc/ssh/sshd_config:125 setting X509KeyAlgorithm x509v3-sign-rsa,rsa-md5
debug3: /etc/ssh/sshd_config:127 setting HostKey /etc/ssh/ssh_host_x509_rsa_key
debug3: /etc/ssh/sshd_config:128 setting CACertificateFile /etc/fabos/certs/sshx509v3/bundle.cert.pem
debug2: hash dir '/etc/ssh/ca/crt' added to x509 store
debug2: file '/etc/fabos/certs/sshx509v3/bundle.cert.pem' added to x509 store
debug2: hash dir '/etc/ssh/ca/crl' added to x509 revocation store
debug1: ssh_set_validator: ignore responder url
debug1: annonced algorithms: x509v3-ssh-rsa,x509v3-sign-rsa,ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug1: annonced signatures: ssh-rsa,x509v3-sign-rsa,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug1: sshd version PKIX-SSH 10.2, OpenSSH_7.5p1, OpenSSL 1.0.2p-fips  14 Aug 2018
debug3: sshkey_load_private() filename=/etc/ssh/ssh_host_rsa_key
debug1: read PEM private key begin
debug1: read X.509 certificate begin
debug3: x509key_parse_cert: PEM_read_X509 fail error:0906D06C:lib(9):func(109):reason(108)
debug3: sshkey_load_public() filename=/etc/ssh/ssh_host_rsa_key
debug3: key_from_blob(..., ...) ktype=ssh-rsa
debug1: private host key #0: ssh-rsa SHA256:atfUcNvtjAqVo03I/nFL957g5Jt3Fgeo1caS6iHOfXA
debug3: sshkey_load_private() filename=/etc/ssh/ssh_host_dsa_key
debug1: read PEM private key begin
debug1: read X.509 certificate begin
debug3: x509key_parse_cert: PEM_read_X509 fail error:0D0680A8:lib(13):func(104):reason(168)
debug3: sshkey_load_public() filename=/etc/ssh/ssh_host_dsa_key
debug3: key_from_blob(..., ...) ktype=ssh-dss
debug1: private host key #1: ssh-dss SHA256:C0mRCRe8CMZ19DfXEG8HxDvva9hoIP7SyYVOInLXxn8
debug3: sshkey_load_private() filename=/etc/ssh/ssh_host_ecdsa_key
debug1: read PEM private key begin
debug1: read X.509 certificate begin
debug3: x509key_parse_cert: PEM_read_X509 fail error:0D0680A8:lib(13):func(104):reason(168)
debug3: sshkey_load_public() filename=/etc/ssh/ssh_host_ecdsa_key
debug3: key_from_blob(..., ...) ktype=ecdsa-sha2-nistp256
debug3: key_from_blob(..., ...) ktype/nid=ecdsa-sha2-nistp256 / 415
debug1: private host key #2: ecdsa-sha2-nistp256 SHA256:p4d6VOgkKDBqmvMLAlFQhEamtVlCx5J7GdJ/7YS5hf0
debug3: sshkey_load_private() filename=/etc/ssh/ssh_host_x509_rsa_key
debug1: read PEM private key begin
debug1: read X.509 certificate begin
debug3: ssh_build_certchain_cb: subject='C=IN,ST=KA,L=Bangalore,O=Extreme,OU=Engg,CN=EMIS http Root CA'
debug3: ssh_build_certchain_cb: subject='C=IN,ST=KA,L=Bangalore,O=Extreme,OU=Engg,CN=10.24.12.122'
debug1: read X.509 certificate done: type RSA+cert
debug3: sshkey_load_public() filename=/etc/ssh/ssh_host_x509_rsa_key
debug3: key_from_blob(..., ...) ktype=ssh-rsa
debug1: private host key #3: ssh-rsa SHA256:BtjeRoJRl5u5wUKeaWXLWGETe4iBsXf8B19yrLVHHHU
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug1: rexec_argv[2]='-p'
debug1: rexec_argv[3]='5000'
debug3: oom_adjust_setup
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 5000 on 0.0.0.0.
Server listening on 0.0.0.0 port 5000.
debug2: fd 4 setting O_NONBLOCK
debug3: sock_set_v6only: set socket 4 IPV6_V6ONLY
debug1: Bind to port 5000 on ::.
Server listening on :: port 5000.
debug3: fd 5 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 767
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from 134.141.245.179 port 57008 on 10.24.12.122 port 5000
debug1: Client protocol version 2.0; client software version Pragma FortressCL 5.0.10.1696
debug1: no match: Pragma FortressCL 5.0.10.1696
debug1: x.509 compatibility rfc6187_missing_key_identifier=no: pattern '*' match 'Pragma FortressCL 5.0.10.1696'
debug1: x.509 compatibility rfc6187_asn1_opaque_ecdsa_signature=no: pattern '*' match 'Pragma FortressCL 5.0.10.1696'
debug1: x.509 compatibility broken list with accepted publickey algorithms=no: pattern '*' match 'Pragma FortressCL 5.0.10.1696'
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.5 PKIX[10.2]
debug2: fd 3 setting O_NONBLOCK
debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-dss,ecdsa-sha2-nistp256,x509v3-ssh-rsa
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-dss,ecdsa-sha2-nistp256,x509v3-ssh-rsa
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctraes128-gcm,aes192-gcm,aes256-gcm,aes128-cbc,aes192-cbc,aes256-cbc,aes128-gcm at openssh.com,aes256-gcm at openssh.com
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctraes128-gcm,aes192-gcm,aes256-gcm,aes128-cbc,aes192-cbc,aes256-cbc,aes128-gcm at openssh.com,aes256-gcm at openssh.com
debug2: MACs ctos: hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib at openssh.com
debug2: compression stoc: none,zlib at openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer client KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: x509v3-ssh-rsa,x509v3-sign-rsa,ssh-rsa,ssh-dss
debug2: ciphers ctos: chacha20-poly1305 at openssh.com,AEAD_AES_256_GCM,aes256-gcm at openssh.com,aes256-ctr,aes256-cbc,aes192-gcm at openssh.com,aes192-ctr,aes192-cbc,AEAD_AES_128_GCM,aes128-gcm at openssh.com,aes128-ctr,aes128-cbc,blowfish-cbc,3des-cbc
debug2: ciphers stoc: chacha20-poly1305 at openssh.com,AEAD_AES_256_GCM,aes256-gcm at openssh.com,aes256-ctr,aes256-cbc,aes192-gcm at openssh.com,aes192-ctr,aes192-cbc,AEAD_AES_128_GCM,aes128-gcm at openssh.com,aes128-ctr,aes128-cbc,blowfish-cbc,3des-cbc
debug2: MACs ctos: AEAD_AES_256_GCM,AEAD_AES_128_GCM,hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5
debug2: MACs stoc: AEAD_AES_256_GCM,AEAD_AES_128_GCM,hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5
debug2: compression ctos: none,zlib,none
debug2: compression stoc: none,zlib,none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: diffie-hellman-group14-sha1
debug1: kex: host key algorithm: x509v3-ssh-rsa
debug1: kex: client->server cipher: aes256-gcm at openssh.com MAC: <implicit> compression: none
debug1: kex: server->client cipher: aes256-gcm at openssh.com MAC: <implicit> compression: none
debug2: bits set: 1051/2048
debug1: expecting SSH2_MSG_KEXDH_INIT
debug3: receive packet: type 30
debug2: bits set: 1053/2048
debug3: ssh_x509_sign: key alg/type/name: x509v3-ssh-rsa/RSA+cert/x509v3-ssh-rsa
debug3: ssh_x509_sign: compatibility: { 0x00000000, 0x00000000 }
debug3: ssh_x509_sign: alg=x509v3-ssh-rsa, md=rsa-sha1
debug3: ssh_x509_EVP_PKEY_sign: keylen=256, siglen=256
debug3: ssh_x509_sign: signame=ssh-rsa
debug3: ssh_x509_sign: return 0
debug3: send packet: type 31
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 4294967296 blocks
debug1: KEX done
debug3: receive packet: type 5
debug3: send packet: type 6
debug3: receive packet: type 50
debug1: userauth-request for user mkgupta service ssh-connection method none
debug1: attempt 0 failures 0
debug2: parse_server_config: config reprocess config len 767
getpwnamallow returns authctxt->pw:\240Z\246\345\275U
debug2: input_userauth_request: setting up authctxt for mkgupta
debug1: PAM: initializing for "mkgupta"
debug1: ***** PAM service name "134.141.245.179"
debug1: PAM: setting PAM_RHOST to "134.141.245.179"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth_send_motd_banner:
debug2: input_userauth_request: try method none
Failed none for mkgupta from 134.141.245.179 port 57008 ssh2
debug3: userauth_finish: failure partial=0 next methods="publickey,password"
debug3: send packet: type 51
debug3: receive packet: type 50
debug1: userauth-request for user mkgupta service ssh-connection method publickey
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method publickey
debug1: password:(null)

debug1: sshpam_tty_conv enter

debug1: sshpam_tty_conv prompt echo

debug1: After pam authenticate sshpam_err :19, sshpampasswd:(null),authctxt->valid:1

debug1: PAM: password authentication failed for mkgupta: Conversation error
debug3: Xkey_from_blob() pkalg='x509v3-ssh-rsa', blen=2804
debug3: X509key_from_buf2_common: certificate-count: 2
debug3: X509key_from_buf2_common: certificate[0]=0x55bde5a681a0
debug3: x509_to_key: X509_get_pubkey done!
userauth_pubkey: cannot decode key: x509v3-ssh-rsa
debug2: userauth_pubkey: authenticated 0 pkalg x509v3-ssh-rsa
Failed publickey for mkgupta from 134.141.245.179 port 57008 ssh2
debug3: userauth_finish: failure partial=0 next methods="publickey,password"
debug3: send packet: type 51
debug3: receive packet: type 1
Received disconnect from 134.141.245.179 port 57008:11: No supported authentication methods available
Disconnected from authenticating user mkgupta 134.141.245.179 port 57008
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering
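
An added example, not part of the original message or of PKIX-SSH: a small Python helper that pulls the X.509 publickey attempt out of `sshd -ddd` output like the attachment above and records whether the algorithm that failed to decode was one the server itself announced. The sample lines are constructed from that log (shortened), and treating the first comma-separated field of `X509KeyAlgorithm` as the algorithm name is an assumption.

```python
import re

# Constructed sample: shortened lines in the shape of the sshd -ddd output above.
SAMPLE_LOG = """\
debug3: /etc/ssh/sshd_config:123 setting X509KeyAlgorithm x509v3-ssh-rsa,rsa-sha1,ssh-rsa
debug3: /etc/ssh/sshd_config:124 setting X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1
debug1: annonced algorithms: x509v3-ssh-rsa,x509v3-sign-rsa,ssh-ed25519,ssh-rsa
debug1: kex: host key algorithm: x509v3-ssh-rsa
debug3: Xkey_from_blob() pkalg='x509v3-ssh-rsa', blen=2804
debug3: X509key_from_buf2_common: certificate-count: 2
debug3: x509_to_key: X509_get_pubkey done!
userauth_pubkey: cannot decode key: x509v3-ssh-rsa
debug2: userauth_pubkey: authenticated 0 pkalg x509v3-ssh-rsa
"""

PATTERNS = {
    "configured": re.compile(r"setting X509KeyAlgorithm (\S+)"),
    "announced": re.compile(r"annonced algorithms: (\S+)"),  # spelling as logged
    "blob": re.compile(r"Xkey_from_blob\(\) pkalg='([^']+)', blen=(\d+)"),
    "decode_fail": re.compile(r"userauth_pubkey: cannot decode key: (\S+)"),
    "result": re.compile(r"userauth_pubkey: authenticated (\d) pkalg (\S+)"),
}

def triage(log_text):
    """Summarise X.509 publickey attempts found in sshd debug output."""
    report = {"configured": [], "announced": [], "attempts": []}
    current = None
    for line in log_text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", line)  # tolerate mail quoting
        if m := PATTERNS["configured"].search(line):
            # Assumption: first field is the algorithm name.
            report["configured"].append(m.group(1).split(",")[0])
        elif m := PATTERNS["announced"].search(line):
            report["announced"] = m.group(1).split(",")
        elif m := PATTERNS["blob"].search(line):
            current = {"pkalg": m.group(1), "blob_len": int(m.group(2)),
                       "decode_failed": False, "authenticated": None}
            report["attempts"].append(current)
        elif current and (m := PATTERNS["decode_fail"].search(line)):
            current["decode_failed"] = m.group(1) == current["pkalg"]
        elif current and (m := PATTERNS["result"].search(line)):
            current["authenticated"] = m.group(1) == "1"
            # Was the failing algorithm one the server itself announced?
            current["announced"] = current["pkalg"] in report["announced"]
            current = None
    return report
```

An attempt with `announced` true and `decode_failed` true, as in this log, shows the rejection happened while parsing the client's key blob rather than because the algorithm name was not offered.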

