x509 for hostkeys.

Ed Phillips ed at UDel.Edu
Thu Feb 21 06:08:15 EST 2002

On Wed, 20 Feb 2002, Frank Cusack wrote:

> Date: Wed, 20 Feb 2002 09:24:11 -0800
> From: Frank Cusack <fcusack at fcusack.com>
> To: Ed Phillips <ed at UDel.Edu>
> Cc: OpenSSH Development <openssh-unix-dev at mindrot.org>
> Subject: Re: x509 for hostkeys.
> On Wed, Feb 20, 2002 at 09:21:45AM -0500, Ed Phillips wrote:
> > Well, I succesfully got the patched version working, but as it turns out,
> > we don't have the "commercial" version of the SSH.COM software here at
> > UD... and the free-for-non-commercial-use client doesn't support PKI.
> >
> > Maybe at some point I'll get time to implement the client bits in
> > OpenSSH... but until then, I won't be able to test the X.509 hostkey
> > patch.
> If you are unable to test it how do you know you got it working?
> Do you mean you got it patched and compiling successfully?

Working, in the sense that I successfully compiled the patched code (after
a crucial change from Markus), and the resulting sshd seems to load the
host key+cert and send it out to a client properly... but I can't complete
the test because I don't have the "commercial" SSH.COM client that
supports PKI.

> Can you post an updated patch (if it's different than your original
> one)?

It's the original patch submitted by Markus, and the one-line change that
he submitted to the list last week.  You should probably check the list
archives for the relevent posts if you want to try out the patch.  If you
apply the original patch that Markus posted, and then change line 741 of
key.c to:

			buffer_append_space(&b, &buf, len);

... you should be able to get it to compile at least.  Then you need to
create a CA keypair, and follow Markus' instructions for making a hostkey
certificate and installing it for the test.

I'd post a new version of Markus' patch, but everyone seems to want a
"unified diff" and Sol8 /usr/bin/diff doesn't seem to do that...


Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key

More information about the openssh-unix-dev mailing list