Openssh + x509 patch problem

Jorge Abrines curruscataphractus at gmail.com
Thu Feb 14 20:21:19 EST 2008


Hi Roumen,

Many thanks for your fast answer. I've checked your suggestions (HostKey 
was in sshd_config, finally) and only changed authorized_keys to contain 
the client id_rsa.pub, and it worked! I don't know what I was doing wrong; 
I'll try to build things again to see what went wrong (I'll bet it was the 
authorized_keys stuff). Thank you very much again.

Best regards,

Jorge

Roumen Petrov wrote:
> Jorge Abrines wrote:
>> Hi all,
>>
>> I'm trying to install an ssh server based on x509 certificates with no 
>> result. What I've done is the following:
>> - Build openssh4.7p1 after patching with 
>> openssh-4.7p1+x509-6.1.diff.gz without error using ./configure 
>> --prefix=/opt/ssh && make && make install in both server and client 
>> machines
>>
>> -  Create minimal openssl ca structure under /opt/ssh/etc/ca
>>     ( self signed CA certificate, server certificate signed by CA, 
>> client certificate signed by CA ).
>>     I now have certificates cacert.pem, server.pem and client.pem and 
>> keys for all three
>>
>> - Build server host id using (under /opt/ssh/etc):
>>     cat server-key.pem > ssh_host_key_cert
>>     cat server.pem >> ssh_host_key_cert
>>     chmod 0600 ssh_host_key_cert
>>     ../bin/ssh-keygen -y > ssh_host_key_cert.pub
>>     // entering ssh_host_key_cert as key
>>   
> i.e. HostKey /opt/ssh/etc/ssh_host_key_cert is in sshd_config ?
> 
>> - Changing /opt/ssh/etc/sshd_config:
>>       CACertificateFile /opt/ssh/etc/ca/crt/cacert.pem
>>     Port 4422
>>     X509KeyAlgorithm x509v3-sign-rsa,rsa-md5
>>     X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1
>>     AllowedCertPurpose sslclient
>>     PasswordAuthentication no
>>   
> Fine but I assume that rest is left to default.
> 
>> - Customizing server user configuration
>>
>>       cat /opt/ssh/etc/ssh_host_key_cert.pub > .ssh/authorized_keys
>>   
> Why ?
> Append client public part in authorized keys.
>> - Now __On client machine__ (after copying, client.pem, client-key.pem 
>> and cacert.pem)
>>
>>     - Build identity
>>         -  cat ~/.ssh/client-key.pem > ~/.ssh/id_rsa
>>         -  cat ~/.ssh/client.pem >> ~/.ssh/id_rsa
>>         - chmod 0600 ~/.ssh/id_rsa
>>         - /opt/ssh/bin/ssh-keygen -y > ~/.ssh/id_rsa.pub
>>         // entering ~/.ssh/id_rsa as key
>>   
> 
> Copy id_rsa.pub to server and append to authorized keys file.
> 
>>     - Introducing following changes into /opt/ssh/etc/ssh_config
>>         Port 4422
>>         IdentityFile ~/.ssh/id_rsa
>>         UserCACertificateFile ~/.ssh/cacert.pem
>>         UserCACertificatePath ~/.ssh/crt
>>         UserCARevocationFile ~/.ssh/ca-bundle.crl
>>         UserCARevocationPath ~/.ssh/crl
>>
>>
>> Finally launching sshd on the server with the command:
>>
>>     /opt/ssh/sbin/sshd -f /opt/ssh/etc/sshd_config -d -d -d
>>
>> And client with:
>>     /opt/ssh/bin/ssh-agent
>>     /opt/ssh/bin/ssh-add
>>     /opt/ssh/bin/ssh -vvv -f /opt/ssh/etc/ssh_config -d -d -d \ 
>> myuser at myserver
>>
>> The output is:
>>
>> The authenticity of host '[myserver]:4422 ([192.168.0.201]:4422)' 
>> can't be established.
>> RSA+cert key fingerprint is 
>> 4c:3a:1b:2d:40:23:1d:99:aa:d2:eb:b3:28:8c:d2:d4.
>> Distinguished name is 'C=ES,ST=Madrid,O=blub,CN=Server'.
>> Are you sure you want to continue connecting (yes/no)? yes
>>
>> But I get a 'Permission denied (publickey,keyboard-interactive)' error. 
>> I have the sshd and ssh outputs but they are quite long; I'll append them
>> if the above configuration seems OK.
>>
>> Many thanks in advance.
>>
>> Best regards,
>>
>> Jorge
>>
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>
>>   
> 
> 
> Roumen
> 
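Added example (not code from the thread or the x509 patch): a small Python audit for the two things this thread turns on, the key blob placed in authorized_keys and the concatenated key+cert identity file. The key types, blobs, paths and the 0600 expectation follow the thread; all key material used with it is a constructed placeholder.

```python
# Added example, not code from the thread or the x509 patch: audit the steps
# that went wrong above (authorized_keys content) and the key+cert identity file.
import re

KEY_TYPE_RE = re.compile(r"^(ssh-|ecdsa-|x509v3-)")  # x509v3-* types come from the patch

def split_options(line):
    """Split the leading options field off an authorized_keys line; options end at
    the first unquoted space, and quoted values may hold spaces and commas."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i:].lstrip()
    return line, ""

def parse_authorized_line(line):
    """Return (options, keytype, blob, comment), or None for blank and # lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if not KEY_TYPE_RE.match(line):  # first token is an options list, not a key type
        options, line = split_options(line)
    parts = line.split(None, 2)
    if len(parts) < 2:
        return None
    return options, parts[0], parts[1], (parts[2] if len(parts) == 3 else "")

def host_key_in_authorized(host_pub_line, authorized_text):
    """1-based line numbers of authorized_keys entries carrying the server's own
    host key blob (the mistake fixed in this thread: it must hold the client's key)."""
    host = parse_authorized_line(host_pub_line)
    if host is None:
        raise ValueError("host key .pub line is not parseable")
    return [n for n, line in enumerate(authorized_text.splitlines(), 1)
            if (entry := parse_authorized_line(line)) and entry[2] == host[2]]

def identity_file_issues(content, mode):
    """Check a concatenated identity (client-key.pem, then client.pem, as built
    above): private key present, certificate appended, mode 0600."""
    issues = []
    if mode & 0o077:
        issues.append("mode %04o is group/world accessible; expected 0600" % mode)
    if "PRIVATE KEY-----" not in content:
        issues.append("no private key block")
    if "-----BEGIN CERTIFICATE-----" not in content:
        issues.append("no certificate appended")
    return issues
```

Run it against the server's ssh_host_key_cert.pub and a user's authorized_keys; any line number it returns is an entry that should be replaced by the client's id_rsa.pub.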

