Openssh + x509 patch problem
Jorge Abrines
curruscataphractus at gmail.com
Thu Feb 14 05:34:32 EST 2008
Hi all,
I'm trying to install an ssh server based on x509 certificates with no
result. What I've done is the following:
- Build openssh4.7p1 after patching with openssh-4.7p1+x509-6.1.diff.gz
without error using ./configure --prefix=/opt/ssh && make && make
install in both server and client machines
- Create minimal openssl ca structure under /opt/ssh/etc/ca
( self signed CA certificate, server certificate signed by CA,
client certificate signed by CA ).
I now have certificates cacert.pem, server.pem and client.pem and
keys for all three
- Build server host id using (under /opt/ssh/etc):
cat server-key.pem > ssh_host_key_cert
cat server.pem >> ssh_host_key_cert
chmod 0600 ssh_host_key_cert
../bin/ssh-keygen -y > ssh_host_key_cert.pub
// entering ssh_host_key_cert as key
- Changing /opt/ssh/etc/sshd_config:
CACertificateFile /opt/ssh/etc/ca/crt/cacert.pem
Port 4422
X509KeyAlgorithm x509v3-sign-rsa,rsa-md5
X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1
AllowedCertPurpose sslclient
PasswordAuthentication no
- Customizing server user configuration
cat /opt/ssh/etc/ssh_host_key_cert.pub > .ssh/authorized_keys
- Now __On client machine__ (after copying client.pem, client-key.pem
and cacert.pem)
- Build identity
- cat ~/.ssh/client-key.pem > /.ssh/id_rsa
- cat ~/.ssh/client.pem >> ~/.ssh/id_rsa
- chmod 0600 ~/.ssh/id_rsa
- /opt/ssh/bin/ssh-keygen -y > ~/.ssh/id_rsa.pub
// entering ~/.ssh/id_rsa as key
- Introducing following changes into /opt/ssh/etc/ssh_config
Port 4422
IdentityFile ~/.ssh/id_rsa
UserCACertificateFile ~/.ssh/cacert.pem
UserCACertificatePath ~/.ssh/crt
UserCARevocationFile ~/.ssh/ca-bundle.crl
UserCARevocationPath ~/.ssh/crl
Finally, launching sshd on the server with the command:
/opt/ssh/sbin/sshd -f /opt/ssh/etc/sshd_config -d -d -d
And client with:
/opt/ssh/bin/ssh-agent
/opt/ssh/bin/ssh-add
/opt/ssh/bin/ssh -vvv -f /opt/ssh/etc/ssh_config -d -d -d \
myuser at myserver
The output is:
The authenticity of host '[myserver]:4422 ([192.168.0.201]:4422)' can't
be established.
RSA+cert key fingerprint is
4c:3a:1b:2d:40:23:1d:99:aa:d2:eb:b3:28:8c:d2:d4.
Distinguished name is 'C=ES,ST=Madrid,O=blub,CN=Server'.
Are you sure you want to continue connecting (yes/no)? yes
But I get 'Permission denied (publickey,keyboard-interactive)' error.
I have the sshd and ssh outputs, but they are quite long; I'll append them if
the above configuration seems ok.
Many thanks in advance.
Best regards,
Jorge
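As an added example (not part of Jorge's post or of the x509 patch), a POSIX shell script that checks the things the setup above depends on before the key and certificate are concatenated into an identity file: that the client certificate chains to cacert.pem, that it passes OpenSSL's sslclient purpose check (the same purpose name the server's AllowedCertPurpose sslclient setting uses), and that the private key actually belongs to the certificate. It assumes the openssl command-line tool is installed; the function names and argument order are mine.

```bash
#!/bin/sh
# Added example, not from the original post. Pre-flight checks for X.509
# material before it is written into an IdentityFile as described above.
# Assumes the openssl CLI; CA, certificate and key paths are arguments.

# check_identity CA CERT KEY
#   0 = CERT chains to CA, is acceptable for purpose sslclient, and matches KEY
#   1 = chain or purpose check failed (would show up as a publickey refusal)
#   2 = KEY does not belong to CERT (identity file would be inconsistent)
check_identity() {
  ca=$1; cert=$2; key=$3
  # chain + purpose: same check the server applies to a presented certificate
  openssl verify -CAfile "$ca" -purpose sslclient "$cert" >/dev/null 2>&1 || return 1
  # compare the SubjectPublicKeyInfo from the cert with the one derived from the key
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl md5)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl md5)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 2
  return 0
}

# build_identity KEY CERT OUT
#   writes the key-then-certificate file used as IdentityFile above
#   (same layout as the cat/cat/chmod steps), mode 0600 from the start.
build_identity() {
  key=$1; cert=$2; out=$3
  umask 077
  cat "$key" "$cert" > "$out" && chmod 0600 "$out"
}

# Usage: sh checkid.sh cacert.pem client.pem client-key.pem [id_rsa]
if [ $# -ge 3 ]; then
  rc=0; check_identity "$1" "$2" "$3" || rc=$?
  case $rc in
    0) echo "certificate chains to CA, passes sslclient purpose, matches key"
       [ -n "$4" ] && build_identity "$3" "$2" "$4" ;;
    1) echo "certificate does not verify against CA for purpose sslclient" >&2 ;;
    2) echo "private key does not match the certificate" >&2 ;;
  esac
  exit $rc
fi
```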