[ssh_x509] x509v3-rsa2048-sha256 algorithm support in PKISSH-10.2

ssh_x509 at roumenpetrov.info
Tue Sep 10 20:48:29 EEST 2019


Hi Roumen,
Did you get a chance to look at this?

Thanks & Regards
Mohit Gupta

On Mon, 9 Sep 2019, 19:22, <ssh_x509 at roumenpetrov.info> wrote:

> Hi Roumen,
> Precisely, even the x509v3-ssh-rsa algorithm is not working, which used to
> work with the same configuration.
> PFA the SSH server side debug logs.
>
> Thanks & Regards
> Mohit Gupta
>
> On Mon, Sep 9, 2019 at 5:18 PM <ssh_x509 at roumenpetrov.info> wrote:
>
> > Hi Roumen,
> > Thanks for sharing the commit link. I tried applying the changes in
> > PKISSH10.2 but it is not working as expected.
> > I have even taken care of the comments that you provided above about the
> > Xkey_algoriths function in ssh-x509.c.
> >
> > Please find attached SSH server side logs for more details.
> >
> > debug1: userauth_send_motd_banner: MOTD sent
> > debug1: userauth_send_motd_banner:
> > debug2: input_userauth_request: try method none
> > Failed none for mkgupta from 134.141.188.75 port 61633 ssh2
> > debug3: userauth_finish: failure partial=0 next methods="publickey"
> > debug3: send packet: type 51
> > debug3: receive packet: type 50
> > debug1: userauth-request for user mkgupta service ssh-connection method publickey
> > debug1: attempt 1 failures 0
> > debug2: input_userauth_request: try method publickey
> > debug1: password:(null)
> >
> > debug1: sshpam_tty_conv enter
> >
> > debug1: sshpam_tty_conv prompt echo
> >
> > debug1: After pam authenticate sshpam_err :19, sshpampasswd:(null),authctxt->valid:1
> >
> > debug1: PAM: password authentication failed for mkgupta: Conversation error
> > debug3: Xkey_from_blob() pkalg='x509v3-ssh-rsa', blen=2804
> > debug3: X509key_from_buf2_common: certificate-count: 2
> > debug3: X509key_from_buf2_common: certificate[0]=0x563c605d54d0
> > debug3: x509_to_key: X509_get_pubkey done!
> > userauth_pubkey: cannot decode key: x509v3-ssh-rsa
> > debug2: userauth_pubkey: authenticated 0 pkalg x509v3-ssh-rsa
> > Failed publickey for mkgupta from 134.141.188.75 port 61633 ssh2
> > debug3: userauth_finish: failure partial=0 next methods="publickey"
> > debug3: send packet: type 51
> > debug3: receive packet: type 1
> > Received disconnect from 134.141.188.75 port 61633:11: No supported authentication methods available
> > Disconnected from authenticating user mkgupta 134.141.188.75 port 61633
> > debug1: do_cleanup
> > debug1: PAM: cleanup
> > debug3: PAM: sshpam_thread_cleanup entering
> >
> > Thanks & Regards
> > Mohit Gupta
> >
> > On Tue, Sep 3, 2019 at 9:03 PM <ssh_x509 at roumenpetrov.info> wrote:
> >
> > > Hello,
> > >
> > > ssh_x509 at roumenpetrov.info wrote:
> > > > Hi Roumen,
> > > > As per our discussion in the previous email, I got to know that
> > > > x509v3-rsa2048-sha256 algorithm support is added in PKISSH-12.1 which
> > > > has OpenSSH-8.0p1 version.
> > > > We are using PKISSH-10.2 which has OpenSSH-7.5p1 version and would
> > > > like you to use the same version for now. But we would also like to
> > > > have x509v3-rsa2048-sha256 algorithm support in the same version.
> > > > Kindly let me know if x509v3-rsa2048-sha256 algorithm support can be
> > > > patched back in PKISSH-10.2 release or not. If Yes, kindly provide us
> > > > with the changes so that we can patch the same in PKISSH-10.2.
> > >
> > >
> > > This is the commit -
> > > https://gitlab.com/secsh/pkixssh/commit/d051dfbc1d680f109287204a83ac996334d36c87
> > > (plain
> > > https://gitlab.com/secsh/pkixssh/commit/d051dfbc1d680f109287204a83ac996334d36c87.diff
> > > ).
> > > For sure the patch will fail for non-significant modifications like .Dd
> > > $Mdocdate: June 14 2019 $, i.e. the patch fails on manual pages.
> > >
> > > Another failure is in the ssh-x509.c function Xkey_algoriths. It is safe
> > > to ignore as it is related to the "multi-algorithm host-keys"
> > > functionality from 11.0.
> > >
> > >
> > > > Thanks & Regards
> > > > Mohit Gupta
> > >
> > > Regards,
> > > Roumen Petrov
> > >
> > >
> > > _______________________________________________
> > > ssh_x509 mailing list
> > > ssh_x509 at roumenpetrov.info
> > > http://roumenpetrov.info/mailman/listinfo/ssh_x509_roumenpetrov.info
> > >