[ssh_x509] x509v3-ssh-rsa hostkey algorithm on Cisco IOS XE

ssh_x509 at roumenpetrov.info
Sun Feb 23 11:53:04 EET 2020


ssh_x509 at roumenpetrov.info wrote:
> Hi Roumen,
> [SNIP]
>
>>>> This is due to inherited functionality from ssh.com, then openssh and
>>>> then pkis-ssh: pub-format or DN (new). DER or PEM encoded X.509
>>>> certificate is not supported directly yet.
>>> Yeah, noted that. Do you have any plans to integrate such functionality
>>> into PKIX-SSH?
>> Low priority.  Note the word directly!
> Ok, good to know :) To be clear here, I have no objection to use pubkey to
> identify CA - for ssh-rsa-cert-v01 hostkey algorithm does exactly this and
> it's just fine. The only thing I'm concerned with is to make it to work.
>
>> Actually know host and authorized keys support  3 formats:
>> 1) X.509 certificate blob
>> ... x509v3-sign-dss MIIIMDCCB5mgAwIBAgIJIAQCFgkGAAARMA0.......
> Can you provide more info on that? Earlier you wrote "DER or PEM encoded
> X.509 certificate is not supported directly yet."
[SNIP]
Not supported directly in the context of authorised keys or known hosts files.
Those files are text based and a record is on a single text line; DER is a
binary format, PEM is multiline text.
By direct support I mean the core reading DER or PEM data when it processes
information related to authorised keys or known hosts.

For instance, the current format of records could be changed to use a
reference (URI) instead of base64 encoded data.

Another solution is support of authorised keys or known host 
directories. Patches in this area are welcome.


Indirectly, after conversion using the openssl, base64 and ssh-keygen
utilities, the user could construct a record (line) in the current format. No
code modification.
And this was in the "hints" from my previous email.



> ---
> Sergei Fomin
Regards,
Roumen Petrov
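The "indirect" route described in this reply, building a single-line known_hosts or authorized_keys record from a certificate, shown as an added example that is not code from the thread or from PKIX-SSH. It assumes the record layout `host <keytype> <base64 of DER certificate>`, matching the `x509v3-sign-dss MIII...` sample quoted earlier in the thread, and uses `x509v3-sign-rsa` as the key type. The DER blob is a constructed stand-in (a bare ASN.1 SEQUENCE, not a real certificate) so the script runs offline; with a real certificate you would feed the PEM that openssl produced. The length check is the part worth copying: a record that was truncated while being pasted onto one line is rejected before it reaches the file.

```python
import base64
import re

# Constructed stand-in for a DER-encoded X.509 certificate: one ASN.1 SEQUENCE
# containing INTEGER 5. It is NOT a real certificate; it only has the outer
# SEQUENCE structure that the sanity checks below look at.
SAMPLE_DER = bytes.fromhex("3003020105")

# The same blob in PEM form, i.e. what `openssl x509 -outform PEM` would emit
# for a real certificate (base64 body wrapped at 64 columns).
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """PEM -> DER: strip the armour and line breaks, base64-decode the body."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(m.group(1).split())  # drop the 64-column line breaks
    return base64.b64decode(body, validate=True)


def der_outer_length(der: bytes) -> int:
    """Return the total length of the outer DER SEQUENCE.

    Raises ValueError if the bytes are not a SEQUENCE or if the encoded length
    disagrees with the data actually present (truncated or trailing bytes).
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length
        hdr, length = 2, first
    else:                                 # long-form length: 0x8N + N bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad DER length encoding")
        length = int.from_bytes(der[2:2 + n], "big")
        hdr = 2 + n
    total = hdr + length
    if total != len(der):
        raise ValueError(f"DER length mismatch: header says {total}, have {len(der)}")
    return total


def is_valid_der(der: bytes) -> bool:
    """Boolean wrapper around der_outer_length for callers that just want yes/no."""
    try:
        der_outer_length(der)
        return True
    except ValueError:
        return False


def make_record(host: str, der: bytes, keytype: str = "x509v3-sign-rsa") -> str:
    """Build the one-line record: host, key type, base64 of the DER certificate."""
    der_outer_length(der)                 # refuse to write a damaged blob
    blob = base64.b64encode(der).decode("ascii")
    return f"{host} {keytype} {blob}"


def parse_record(line: str):
    """Inverse of make_record: return (host, keytype, der), checking the blob."""
    parts = line.split(None, 3)           # a 4th field would be a comment
    if len(parts) < 3:
        raise ValueError("record needs host, key type and blob")
    host, keytype, blob = parts[0], parts[1], parts[2]
    der = base64.b64decode(blob, validate=True)
    der_outer_length(der)
    return host, keytype, der


def der_to_pem(der: bytes) -> str:
    """DER -> PEM, wrapped at 64 columns so openssl can read it back."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    rec = make_record("router.example.com", pem_to_der(SAMPLE_PEM))
    print(rec)
    host, keytype, der = parse_record(rec)
    print(der_to_pem(der), end="")
```

In practice the PEM comes from `openssl x509 -in cert.pem -outform PEM` (or `-outform DER` piped through `base64 -w0`); the script only does the reformatting and the structural check, and does not verify the certificate's signature or chain, which is the job of the SSH implementation reading the file.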


