Patch Status

C S nd_stew at yahoo.com
Wed Apr 14 05:51:46 EST 2004


When is the x.509 patch going to become part of the main distribution of OpenSSH, and if not, why?  Looks like other projects, i.e. OpenSC, might be using it now as well.

Secondly, thought I'd try it again, new patch (Validator), same error...



TIA,

cs



########################
# ssh-x509 Unknown Public Key Type
########################
1 Installed OpenSSL-0.9.7d (no customization)
2 Installed OpenSSH-3.8p1 (no customization)
3 Installed Roumen's x509 patch
4 Tested, SSH works fine with Roumen's keys from ca-test
5 Tested with my keys, failed SEE SSH CLIENT TEST RUN, noted with "!"
6 Test works once these files are replaced from #4
    ssh_config
    sshd_config
    ssh_host_rsa_key
    ssh_host_rsa_key.pub
    ~/.ssh:  authorized_keys  id_rsa  id_rsa.pub  known_hosts

Obviously, you'd think it's how I've constructed the keys, but I can't find it (see Certificate Prep below).
########################
# ssh error message
########################
ssh_x509_verify: verify failed: error:0D09B0A3:asn1 encoding routines:d2i_PublicKey:unknown public key type
debug3: ssh_x509_verify: return 0
key_verify failed for server_host_key
########################
# sshd server - test run
########################
debug2: read_server_config: filename /usr/local/etc/sshd_config
debug3: x509rsa sigtype=0
debug2: hash dir '/root/demoCA' added to x509 store
debug2: file '/root/.ssh/ca-bundle.crt' added to x509 store
debug2: hash dir '/usr/local/etc/ca/crl' added to x509 revocation store
debug1: sshd version OpenSSH_3.8p1
debug3: Not a RSA1 key file /usr/local/etc/ssh_host_rsa_key.
debug1: read PEM private key begin
debug1: read X509 certificate done: type RSA+cert
debug1: read PEM private key done: type RSA+cert
debug1: private host key: #0 type 3 RSA+cert
Could not load host key: /usr/local/etc/ssh_host_dsa_key
socket: Address family not supported by protocol
debug1: Bind to port 2022 on 0.0.0.0.
Server listening on 0.0.0.0 port 2022.
debug1: Server will not fork when running in debugging mode.
Connection from 127.0.0.1 port 32845
debug1: Client protocol version 2.0; client software version OpenSSH_3.8p1
debug1: match: OpenSSH_3.8p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8p1
debug3: privsep user:group 74:74
debug1: permanently_set_uid: 74/74
debug1: list_hostkey_types: x509v3-sign-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: x509v3-sign-rsa
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: x509v3-sign-rsa,x509v3-sign-dss,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug3: call key_type_from_name(x509v3-sign-rsa) ...
debug2: Network child is on pid 30795
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug3: mm_request_send entering: type 0
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
debug3: mm_request_receive_expect entering: type 1
debug3: mm_request_receive entering
debug3: monitor_read: checking request 0
debug3: mm_answer_moduli: got parameters: 1024 1024 8192
debug3: mm_request_send entering: type 1
debug2: monitor_read: 0 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_choose_dh: remaining 0
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug2: dh_gen_key: priv key bits set: 128/256
debug2: bits set: 533/1024
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug2: bits set: 540/1024
debug3: mm_key_sign entering
debug3: mm_request_send entering: type 4
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
debug3: mm_request_receive_expect entering: type 5
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_sign
debug3: ssh_x509_sign: key_type=RSA+cert, key_ssh_name=x509v3-sign-rsa
debug3: ssh_x509_sign: evp_md { 4(md5), 8(md5WithRSAEncryption), 16, ... }
debug3: ssh_x509_sign: return 0
debug3: mm_answer_sign: signature 0x809cdc0(151)
debug3: mm_request_send entering: type 5
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
Connection closed by 127.0.0.1
debug1: do_cleanup
debug1: do_cleanup
########################
# ssh client - test run
########################
OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7a Feb 19 2003
debug1: Reading configuration data /usr/local/etc/ssh_config
debug3: x509rsa sigtype=0
debug2: hash dir '/root/demoCA' added to x509 store
debug2: file '/root/.ssh/ca-bundle.crt' added to x509 store
debug2: hash dir '/root/.ssh/crl' added to x509 revocation store
debug2: hash dir '/root/demoCA' added to x509 store
debug2: file '/root/.ssh/ca-bundle.crt' added to x509 store
debug2: hash dir '/usr/local/etc/ca/crl' added to x509 revocation store
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 2022.
debug1: Connection established.
debug3: key_load_public(/root/.ssh/id_rsa,...)
debug3: Not a RSA1 key file /root/.ssh/id_rsa.
debug3: call key_type_from_name(-----BEGIN) ...
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: call key_type_from_name(-----END) ...
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug3: call key_type_from_name(subject=) ...
debug2: key_type_from_name: unknown key type 'subject='
debug3: key_read: missing keytype
debug3: call key_type_from_name(issuer=) ...
debug2: key_type_from_name: unknown key type 'issuer='
debug3: key_read: missing keytype
debug3: call key_type_from_name(<No) ...
debug2: key_type_from_name: unknown key type '<No'
debug3: key_read: missing keytype
debug3: call key_type_from_name(-----BEGIN) ...
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: call key_type_from_name(-----END) ...
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug3: call key_type_from_name(x509v3-sign-rsa) ...
debug3: x509key_from_subject(3, [MIIDyTCCAzKgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBkTELMAkGA1UEBhMCVVMxEzARBgNVBAgTClNvbWUtU3RhdGUxETAPBgNVBAoTCEdvb2RyaWNoMQ0wCwYDVQQLEwRob3N0MR8wHQYDVQQDExZjYS5nb29kcmljaC5yb290LmxvY2FsMSowKAYJKoZIhvcNAQkB]) called 
debug3: key_from_blob(..., 973)
debug3: x509key_from_blob:We have 973 bytes available in BIO
debug3: x509_to_key: X509_get_pubkey done!
debug1: identity file /root/.ssh/id_rsa type 3
debug3: key_load_public(/root/.ssh/id_dsa,...)
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8p1
debug1: match: OpenSSH_3.8p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: x509v3-sign-rsa,x509v3-sign-dss,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: x509v3-sign-rsa
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug3: call key_type_from_name(x509v3-sign-rsa) ...
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 133/256
debug2: bits set: 524/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: key_from_blob(..., 980)
debug3: x509key_from_blob:We have 980 bytes available in BIO
debug3: x509_to_key: X509_get_pubkey done!
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug3: call key_type_from_name(x509v3-sign-rsa) ...
debug3: x509key_from_subject(3, [Subject:/C=US/ST=<state>/L=<city>/O=<domain>/OU=host/CN=cms.<domain>.root.local/emailAddress=nd_stew@<domain>.com
]) called 
debug3: x509key_from_subject: subject=[C=US/ST=<state>/L=<city>/O=<domain>/OU=host/CN=cms.<domain>.root.local/emailAddress=nd_stew@<domain>.com
]
debug3: x509key_str2X509NAME: return 1
debug3: x509key_from_subject: return 0x8097f18
debug3: check_host_in_hostfile: match line 1
debug1: Host 'localhost' is known and matches the RSA+cert host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug2: bits set: 495/1024
debug3: ssh_x509_verify: signature key type = x509v3-sign-rsa
debug3: ssh_x509_verify: evp_md { 4(md5), 8(md5WithRSAEncryption), 16, ... }
debug3: ssh_x509_verify: evp_md { 64(sha1), 65(sha1WithRSAEncryption), 20, ... }
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
ssh_x509_verify: verify failed: error:0D09B0A3:asn1 encoding routines:d2i_PublicKey:unknown public key type
debug3: ssh_x509_verify: return 0
key_verify failed for server_host_key
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
########################
# authorized_keys
########################
x509v3-sign-rsa
########################
# ca-bundle.crt
########################

<domain> CA
===========
MD5 Fingerprint=8E:54:08:CE:54:27:CC:4A:DB:C3:80:AB:CA:5A:08:9C
PEM Data:
-----BEGIN TRUSTED CERTIFICATE-----
-----END TRUSTED CERTIFICATE-----
Certificate Ingredients:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, O=<domain>, OU=host, CN=ca.<domain>.root.local/emailAddress=nd_stew@<domain>.com
        Validity
            Not Before: Apr 13 14:38:28 2004 GMT
            Not After : Apr 11 14:38:28 2014 GMT
        Subject: C=US, O=<domain>, OU=host, CN=ca.<domain>.root.local/emailAddress=nd_stew@<domain>.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:dd:82:4a:55:94:ee:78:a9:10:db:82:64:6f:8f:
                    e6:c4:5a:42:6c:c8:da:28:3f:5c:16:54:41:7a:51:
                    22:50:41:ea:e3:48:62:ea:06:95:35:3d:64:96:87:
                    fb:e8:90:df:c1:b7:17:a7:14:18:19:04:7e:01:89:
                    c4:d8:26:22:3e:44:43:d8:c8:e5:d2:3e:b6:b8:c2:
                    54:e3:15:bd:a9:98:0d:6b:50:13:6c:01:2f:01:86:
                    31:52:c4:19:f2:6b:6c:c2:c4:79:06:b9:12:30:d2:
                    c7:19:5d:22:d2:5a:30:d5:2e:6a:dd:2a:9b:e0:6c:
                    57:af:4c:8b:f9:4f:5b:78:19
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                16:9D:99:AB:72:52:BC:EE:9E:AD:20:BA:3F:6C:44:3E:08:CE:B7:93
            X509v3 Authority Key Identifier: 
                keyid:16:9D:99:AB:72:52:BC:EE:9E:AD:20:BA:3F:6C:44:3E:08:CE:B7:93
                DirName:/C=US/O=<domain>/OU=host/CN=ca.<domain>.root.local/emailAddress=nd_stew@<domain>.com
                serial:00

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
        18:90:cf:7e:6e:15:e9:df:4a:bd:42:b4:7f:ce:b6:80:5d:1f:
        d2:af:54:96:0d:49:fb:36:49:c1:4d:82:62:34:6d:01:92:9c:
        4d:1f:6a:c4:85:16:da:37:51:2f:c2:d2:15:42:d3:a7:13:81:
        95:37:c4:1e:3e:bf:ff:1a:53:54:13:b9:b4:89:01:46:86:fe:
        60:70:7f:22:54:21:6a:38:a9:5c:14:8c:8a:45:93:b1:b2:30:
        59:6a:ca:66:55:94:26:bd:70:c0:f5:6d:97:31:ec:ec:ec:08:
        b4:a0:99:d0:df:ac:21:f9:01:48:f6:1f:13:53:27:d4:c1:6a:
        c3:34
########################
# id_rsa
########################
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
subject= /C=US/ST=<state>/L=<city>/O=<domain>/OU=person/CN=Curtis Steward/emailAddress=nd_stew@<domain>.com
issuer= /C=US/ST=Some-State/O=<domain>/OU=host/CN=ca.<domain>.root.local/emailAddress=nd_stew@<domain>.com
<No Alias>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
########################
# id_rsa.pub
########################
x509v3-sign-rsa
########################
# known_hosts
########################
localhost x509v3-sign-rsa Subject:/C=US/ST=<state>/L=<city>/O=<domain>/OU=host/CN=cms.<domain>.root.local/emailAddress=nd_stew@<domain>.com
########################
# sshd_config
########################
#	$OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port 2022
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /usr/local/etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /usr/local/etc/ssh_host_rsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

# For this to work you will also need host keys in /usr/local/etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# Session hooks: if allowed, specify the commands to execute
#AllowSessionHooks yes
#SessionHookStartupCmd /bin/true
#SessionHookShutdownCmd /bin/true

# GSSAPI options
#GSSAPIAuthentication yes
#GSSAPICleanupCreds yes

# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication'
#UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
PrintMotd no
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem	sftp	/usr/local/libexec/sftp-server
X509rsaSigType=md5
#AllowedCertPurpose sslserver
#CACertificateFile /root/tk/openssh-3.8p1/tests/CA/ca-test/catest-bundle.crt
CACertificateFile /root/.ssh/ca-bundle.crt
#CACertificatePath /root/tk/openssh-3.8p1/tests/CA/ca-test/crt
CACertificatePath /root/demoCA
#CARevocationFile /root/tk/openssh-3.8p1/tests/CA/ca-test/catest-bundle.crl
#CARevocationPath /root/tk/openssh-3.8p1/tests/CA/ca-test/crl
########################
# ssh_config
########################
#	$OpenBSD: ssh_config,v 1.19 2003/08/13 08:46:31 markus Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

# Host *
#   ForwardAgent no
ForwardX11 yes
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
Port 2022
Protocol 2
#   Cipher 3des
#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   EscapeChar ~
Compression no
ConnectionAttempts 2
NumberofPasswordPrompts 1
X509rsaSigType=md5
AllowedCertPurpose sslserver
#CACertificateFile /root/tk/openssh-3.8p1/tests/CA/ca-test/catest-bundle.crt
CACertificateFile /root/.ssh/ca-bundle.crt
#CACertificatePath /root/tk/openssh-3.8p1/tests/CA/ca-test/crt
CACertificatePath /root/demoCA
#CARevocationFile /root/tk/openssh-3.8p1/tests/CA/ca-test/catest-bundle.crl
#CARevocationPath /root/tk/openssh-3.8p1/tests/CA/ca-test/crl
#UserCACertificateFile /root/tk/openssh-3.8p1/tests/CA/ca-test/catest-bundle.crt
UserCACertificateFile /root/.ssh/ca-bundle.crt
#UserCACertificatePath /root/tk/openssh-3.8p1/tests/CA/ca-test/crt
UserCACertificatePath /root/demoCA
#UserCARevocationFile /root/tk/openssh-3.8p1/tests/CA/ca-test/catest-bundle.crl
#UserCARevocationPath /root/tk/openssh-3.8p1/tests/CA/ca-test/crl
########################
# Certificate Prep
########################
#!/bin/sh
# crtPrep: build the x509 key files (RSA private key with the certificate
# appended in one file) for the host and for the user, then assemble the
# CA bundle the patch reads through CACertificateFile.
crtPrep()
{

  echo "Prepping Host Keys..."
  cd /usr/local/etc                          # Host Keys
  rm -f id_rsa id_rsa.pub
  ssh-keygen -t rsa -b 1024 -f id_rsa -N ""
  cat id_rsa > ssh_host_rsa_key
  chmod 600 ssh_host_rsa_key
  openssl x509 -in "$HOME/.ws/cms.<domain>.root.local.crt" \
    -subject -issuer -alias >> ssh_host_rsa_key
  ssh-keygen -y -f ssh_host_rsa_key > ssh_host_rsa_key.pub

  echo "Prepping User Keys..."
  mkdir "$HOME/.ssh" >/dev/null 2>&1
  cd "$HOME/.ssh"                            # User Keys
  rm -f known_hosts
  rm -f id_rsa id_rsa.pub
  ssh-keygen -t rsa -b 1024 -f id_rsa -N ""
  openssl x509 -in "$HOME/.ws/work_priv.crt" \
    -subject -issuer -alias >> id_rsa
  ssh-keygen -y -f id_rsa > id_rsa.pub
  cp -p id_rsa.pub authorized_keys

  echo "Prepping CA Certs..."
                                             # CA Certs
  echo "" > ca-bundle.crt
  echo "<domain> CA" >> ca-bundle.crt
  echo "===========" >> ca-bundle.crt
  openssl x509 -in /usr/local/ca/cacert.pem  \
    -noout -fingerprint >> ca-bundle.crt
  echo "PEM Data:" >> ca-bundle.crt
  openssl x509 -in /usr/local/ca/cacert.pem  \
    -trustout >> ca-bundle.crt
  echo "Certificate Ingredients:" >> ca-bundle.crt
  openssl x509 -in /usr/local/ca/cacert.pem  \
    -noout -text >> ca-bundle.crt
}

crtPrep

exit 0
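A check worth running on key files assembled this way, added here as an example (it is not part of the original post or of the x509 patch); it assumes only the openssl command-line tool, and the file and function names are mine. It confirms that the private key and the appended certificate belong to the same key pair and that the certificate chains to the CA bundle for the purpose the client's AllowedCertPurpose demands; demo_fixtures builds constructed test data, including a file whose certificate was issued for a key other than the one it is appended to.

```shell
#!/bin/sh
# check_x509_keyfile: sanity-check a combined key file laid out the way
# crtPrep() builds it: a PEM private key, then the subject=/issuer=/alias
# lines and the certificate that "openssl x509 -subject -issuer -alias"
# appends.  Added example, not part of the original post or of the x509
# patch.  Assumes only the openssl command-line tool; names are my own.

# check_x509_keyfile KEYFILE CABUNDLE [PURPOSE]
# Returns 0 when the private key matches the certificate's public key and
# the certificate chains to CABUNDLE for PURPOSE (default sslserver, the
# value AllowedCertPurpose has in the posted ssh_config).
check_x509_keyfile() {
    keyfile=$1 cabundle=$2 purpose=${3:-sslserver}
    rc=0
    tmp=$(mktemp -d) || return 1
    # Pull the two PEM blocks apart; the bare subject=/issuer=/<No Alias>
    # lines between them are dropped.
    sed -n '/^-----BEGIN .*PRIVATE KEY-----$/,/^-----END .*PRIVATE KEY-----$/p' \
        "$keyfile" > "$tmp/key.pem"
    sed -n '/^-----BEGIN .*CERTIFICATE-----$/,/^-----END .*CERTIFICATE-----$/p' \
        "$keyfile" > "$tmp/crt.pem"
    key_mod=$(openssl rsa -in "$tmp/key.pem" -noout -modulus 2>/dev/null) \
        || { echo "$keyfile: no readable RSA private key"; rm -rf "$tmp"; return 1; }
    crt_mod=$(openssl x509 -in "$tmp/crt.pem" -noout -modulus 2>/dev/null) \
        || { echo "$keyfile: no readable certificate"; rm -rf "$tmp"; return 1; }
    # 1. A certificate issued for some other key pair can never verify the
    #    signatures this private key produces during key exchange.
    if [ "$key_mod" = "$crt_mod" ]; then
        echo "$keyfile: private key matches the certificate's public key"
    else
        echo "$keyfile: MISMATCH: certificate was not issued for this key"
        rc=1
    fi
    # 2. The peer validates the certificate against its CACertificateFile /
    #    UserCACertificateFile and AllowedCertPurpose; do the same here.
    if openssl verify -purpose "$purpose" -CAfile "$cabundle" "$tmp/crt.pem" \
            >/dev/null 2>&1; then
        echo "$keyfile: certificate verifies against $cabundle ($purpose)"
    else
        echo "$keyfile: certificate does NOT verify against $cabundle ($purpose)"
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# demo_fixtures DIR: constructed test data.  Builds a throwaway CA, a file
# whose certificate was issued for its own key (good_key) and one that
# repeats the slip crtPrep() invites, a freshly generated key with a
# certificate issued for a different key appended (bad_key).  2048-bit
# keys, so current openssl security levels accept the signatures.
demo_fixtures() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
        -out "$d/ca.pem" -days 2 -subj "/O=Example/OU=host/CN=ca.example.test" \
        >/dev/null 2>&1 || return 1
    openssl genrsa -out "$d/good.key" 2048 >/dev/null 2>&1 || return 1
    openssl genrsa -out "$d/bad.key" 2048 >/dev/null 2>&1 || return 1
    openssl req -new -key "$d/good.key" -out "$d/good.csr" \
        -subj "/O=Example/OU=host/CN=cms.example.test" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$d/good.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/good.crt" >/dev/null 2>&1 || return 1
    # Assemble both files exactly as crtPrep() does.
    for name in good bad; do
        cat "$d/$name.key" > "$d/${name}_key"
        openssl x509 -in "$d/good.crt" -subject -issuer -alias \
            >> "$d/${name}_key" || return 1
    done
}

# Direct use: check_x509_keyfile.sh KEYFILE CABUNDLE [PURPOSE]
if [ $# -ge 2 ]; then
    check_x509_keyfile "$@"
fi
```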



	
		