x509 for hostkeys.
Ed Phillips
ed at UDel.Edu
Fri Feb 1 02:00:40 EST 2002
Quick question... what is $ENV set to in your environment for the "cat"
command or does your shell not do "$" subs within "<<" sections?
Thanks,
Ed
On Thu, 31 Jan 2002, Markus Friedl wrote:
> Date: Thu, 31 Jan 2002 12:09:10 +0100
> From: Markus Friedl <markus at openbsd.org>
> To: openssh at openbsd.org, openssh-unix-dev at mindrot.org
> Subject: x509 for hostkeys.
>
> This (very quick) patch allows you to connect with the commercial
> ssh.com windows client and use x509 certs for hostkeys. You have
> to import your CA cert (ca.crt) in the windows client and certify
> your hostkey:
>
> $ cat << 'EOF' > x509v3.cnf
> CERTPATHLEN = 1
> CERTUSAGE = digitalSignature,keyCertSign
> CERTIP = 0.0.0.0
> [x509v3_CA]
> basicConstraints=critical,CA:true,pathlen:$ENV::CERTPATHLEN
> keyUsage=$ENV::CERTUSAGE
> [x509v3_IPAddr]
> subjectAltName=IP:$ENV::CERTIP
> [x509v3_DNSName]
> subjectAltName=DNS:$ENV::CERTDNS
> EOF
> $ CERTDNS=myipaddr; export CERTDNS
> $ openssl req -new -key /etc/ssh_host_rsa_key -out HOSTKEY.csr
> $ openssl x509 -req -days 365 -in HOSTKEY.csr -CA ca.crt \
> -CAkey ca.key -CAcreateserial \
> -extfile x509v3.cnf -extensions x509v3_DNSName \
> -out HOSTKEY.crt
> $ umask 077
> $ cat /etc/ssh_host_rsa_key HOSTKEY.crt > /etc/ssh_host_rsa_key+cert
> $ echo HostKey /etc/ssh_host_rsa_key+cert > sshd_config-test
> $ sudo sshd -p 2222 -ddd -f sshd_config-test
Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key
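The quoted procedure run end to end against a throwaway CA, with the checks an x509-aware client performs on the result (chain to the CA cert, SAN matching the host, certificate matching the host key). This is an added example, not code from the mail; it assumes openssl is on PATH, and the host name host.example.test, the CA subject and the file names are constructed. Note that `$ENV::NAME` is OpenSSL's own config-file syntax, not a shell variable, which is why the quoted heredoc delimiter is harmless.

```shell
# Added example, not from the mail: stand up a throwaway CA, certify an RSA
# host key with the x509v3.cnf from the mail, and verify the result the way a
# client would. Assumes openssl on PATH; all names below are constructed.
set -eu

# Runs in a subshell so cd/umask/export do not leak into the caller.
# Prints the path of the combined key+cert file that sshd would use as HostKey.
build_and_check_hostcert() (
    CERTDNS="${1:-host.example.test}"; export CERTDNS
    work=$(mktemp -d); cd "$work"

    # Same config as the mail. The heredoc delimiter is quoted, so the shell
    # leaves $ENV::NAME alone: that is OpenSSL's own config syntax, resolved at
    # run time from the environment, else from this file's default section.
    cat << 'EOF' > x509v3.cnf
CERTPATHLEN = 1
CERTUSAGE = digitalSignature,keyCertSign
CERTIP = 0.0.0.0
[x509v3_CA]
basicConstraints=critical,CA:true,pathlen:$ENV::CERTPATHLEN
keyUsage=$ENV::CERTUSAGE
[x509v3_IPAddr]
subjectAltName=IP:$ENV::CERTIP
[x509v3_DNSName]
subjectAltName=DNS:$ENV::CERTDNS
EOF

    # Throwaway CA, self-signed with the mail's x509v3_CA section (CA:true).
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -key ca.key -subj "/CN=Demo SSH Host CA" -out ca.csr 2>/dev/null
    openssl x509 -req -days 365 -in ca.csr -signkey ca.key \
        -extfile x509v3.cnf -extensions x509v3_CA -out ca.crt 2>/dev/null

    # Host key (stand-in for /etc/ssh_host_rsa_key), CSR, and signing as in the mail.
    openssl genrsa -out host.key 2048 2>/dev/null
    openssl req -new -key host.key -subj "/CN=$CERTDNS" -out host.csr 2>/dev/null
    openssl x509 -req -days 365 -in host.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -extfile x509v3.cnf -extensions x509v3_DNSName \
        -out host.crt 2>/dev/null

    # Client-side checks: chains to ca.crt, SAN names this host, cert matches key.
    openssl verify -CAfile ca.crt host.crt >/dev/null
    openssl x509 -in host.crt -noout -text | grep -q "DNS:$CERTDNS"
    [ "$(openssl x509 -in host.crt -noout -modulus)" = \
      "$(openssl rsa -in host.key -noout -modulus)" ]

    umask 077
    cat host.key host.crt > host.key+cert
    echo "$work/host.key+cert"
)
```

Any failing check aborts the subshell under `set -e`, so the function only prints a path when the certificate actually validates against the CA and belongs to the key it is bundled with.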