OpenSSH and X.509 Certificate Support
sankalp_karpe
sankalp_karpe at persistent.co.in
Thu Feb 21 23:43:10 EST 2008
Hi Roumen,
I could successfully add X.509 Certificate support to OpenSSH.
Earlier, the error I was facing was with "ssh-add": unable to open a
connection to your authentication agent.
I found some help on
"http://funkaoshi.com/blog/could-not-open-a-connection-to-your-authentication-agent"
with which I could resolve the same.
Here is the entire step-by-step procedure that I followed to add X.509
certificate support to OpenSSH (implemented for "root" login on both
machines).
Could you please confirm, and suggest changes if any are required.
(1) Download OpenSSH-4.7p1 from:
http://openbsd.md5.com.ar/pub/OpenBSD/OpenSSH/portable/
(2) Download x.509 patch for this version from:
http://roumenpetrov.info/openssh/download.html
(3) Patch the OpenSSH source with this patch and install it on both
Server and Client machines (./configure --prefix=/opt/ssh && make &&
make install)
Now on the Server machine perform the following:
(4) Generate the CA, server and client certificates using the following
procedure:
mkdir certs && cd certs
CA certificate generation
openssl genrsa -out ca-key.pem 2048
openssl req -new -x509 -nodes -days 50000 -key ca-key.pem -out cacert.pem
Answer questions with appropriate data.
The openssl commands generate a 2048-bit key and a certificate valid for a
fifty-thousand-day period.
Server certificate generation
openssl req -newkey rsa:2048 -days 50000 -nodes -keyout server-key.pem -out server-req.pem
openssl x509 -req -in server-req.pem -days 50000 -CA cacert.pem -CAkey ca-key.pem -set_serial 01 -out server.pem
Client certificate generation
openssl req -newkey rsa:2048 -days 50000 -nodes -keyout client-key.pem -out client-req.pem
openssl x509 -req -in client-req.pem -days 50000 -CA cacert.pem -CAkey ca-key.pem -set_serial 01 -out client.pem
(5) Copy the generated certificates under /opt/ssh/etc/ca
(6) Build server host id using (cd to /opt/ssh/etc):
cat ca/server-key.pem > ssh_host_key_cert
cat ca/server.pem >> ssh_host_key_cert
chmod 0600 ssh_host_key_cert
../bin/ssh-keygen -y > ssh_host_key_cert.pub
// entering 'ssh_host_key_cert' as key when prompted
(7) Add the following directives in /opt/ssh/etc/sshd_config
HostKey /opt/ssh/etc/ssh_host_key_cert
CACertificateFile /opt/ssh/etc/ca/crt/cacert.pem
Port 22
X509KeyAlgorithm x509v3-sign-rsa,rsa-md5
X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1
AllowedCertPurpose sslclient
PasswordAuthentication no
Now on client machine perform the following:
(8) under /root/.ssh/, copy client.pem, client-key.pem and cacert.pem
from the Server
Build the identity. As root, execute the following commands:
cat ~/.ssh/client-key.pem > ~/.ssh/id_rsa
cat ~/.ssh/client.pem >> ~/.ssh/id_rsa
chmod 0600 ~/.ssh/id_rsa
/opt/ssh/bin/ssh-keygen -y > ~/.ssh/id_rsa.pub
// entering ~/.ssh/id_rsa as key when prompted
(9) Introduce following changes in /opt/ssh/etc/ssh_config:
Port 22
IdentityFile ~/.ssh/id_rsa
UserCACertificateFile ~/.ssh/cacert.pem
(10) Copy /root/.ssh/id_rsa.pub from the Client to the Server (/root/)
and append to authorized keys file.
cat /root/id_rsa.pub >> ~/.ssh/authorized_keys
(11) Finally launch sshd on Server with either of the following commands:
/opt/ssh/sbin/sshd -f /opt/ssh/etc/sshd_config -d -d -d
- to view the debug messages
OR
/opt/ssh/sbin/sshd -f /opt/ssh/etc/sshd_config
- to run the daemon in background
(12) On the Client execute the following commands:
eval `/opt/ssh/bin/ssh-agent`
// start the agent and import its SSH_AUTH_SOCK/SSH_AGENT_PID into this shell
/opt/ssh/bin/ssh-add
// loads ~/.ssh/id_rsa into the agent
(13) ssh to the Server machine from the Client.
Here is the output that we see:
[root@localhost ~]# /opt/ssh/bin/ssh root@10.244.8.83
The authenticity of host '10.244.8.83 (10.244.8.83)' can't be established.
RSA+cert key fingerprint is 6d:15:9f:26:fe:5c:16:4f:5e:80:12:80:54:cb:49:56.
Distinguished name is 'C=IN,ST=GOA,L=GOA,O=PSL,OU=VLSI,CN=10.244.8.83,emailAddress=joviserver@jovi.com'.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.244.8.83' (RSA+cert) to the list of known hosts.
Last login: Mon Jan 21 21:09:28 2008 from 10.244.8.167
debug1: permanently_set_uid: 0/0
Environment:
USER=root
LOGNAME=root
HOME=/root
PATH=/usr/bin:/bin:/usr/sbin:/sbin:/opt/ssh/bin
MAIL=/var/mail/root
SHELL=/bin/bash
SSH_CLIENT=10.244.8.167 41513 22
SSH_CONNECTION=10.244.8.167 41513 10.244.8.83 22
SSH_TTY=/dev/pts/2
TERM=xterm
debug3: channel 0: close_fds r -1 w -1 e -1 c -1
[root@localhost ~]#
*ISSUES faced:*
The following commands did not execute and gave errors:
(a) /opt/ssh/bin/ssh -vvv -f /opt/ssh/etc/ssh_config -d -d -d myuser@myserver
OpenSSH_4.7p1, OpenSSL 0.9.8b 04 May 2006
ssh: illegal option -- d
usage: ssh [-1246AaCfgKkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]
[-D [bind_address:]port] [-e escape_char] [-F configfile]
[-i identity_file] [-L [bind_address:]port:host:hostport]
[-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
[-R [bind_address:]port:host:hostport] [-S ctl_path]
[-w local_tun[:remote_tun]] [user@]hostname [command]
(b) /opt/ssh/bin/ssh -vvv -f /opt/ssh/etc/ssh_config myuser@myserver
OpenSSH_4.7p1, OpenSSL 0.9.8b 04 May 2006
debug1: Reading configuration data /opt/ssh//etc/ssh_config
debug2: hash dir '/root/.ssh/crt' added to x509 store
debug2: file '/root/.ssh/ca-cert.pem' added to x509 store
debug2: hash dir '/root/.ssh/crl' added to x509 revocation store
debug2: hash dir '/opt/ssh//etc/ca/crt' added to x509 store
debug2: hash dir '/opt/ssh//etc/ca/crl' added to x509 revocation store
debug1: ssh_set_validator: ignore responder url
debug2: ssh_connect: needpriv 0
ssh: /opt/ssh/etc/ssh_config: Name or service not known
Thanks,
Sankalp
Roumen Petrov wrote:
>sankalp_karpe wrote:
>
>
>>Hi,
>>
>>I need to add X.509 Certificate support to OpenSSH.
>>
>>I came across the following post on the openssh-unix-dev mailing list
>>that is very useful:
>>http://marc.info/?l=openssh-unix-dev&m=120298135706959&w=2
>><http://marc.info/?l=openssh-unix-dev&m=120298135706959&w=2>
>>
>>And also, http://marc.info/?l=openssh-unix-dev&m=104395024824680&w=2
>><http://marc.info/?l=openssh-unix-dev&m=104395024824680&w=2> that
>>provides the required patches to download for OpenSSH to support X.509
>>certificates.
>>
>>I am using FC6 and have followed the steps mentioned in the above post,
>>but I am unable to successfully complete the task :(
>>Is there any step-by-step procedure that I could refer to in order to achieve
>>the same?
>>
>>Thanks and Regards,
>>Sankalp
>>
>Please, could you clarify "successfully complete the task".
>
>RedHat OpenSSH sources are heavily patched, and the chance of the patch
>applying without problems is zero.
>
>References:
>- README.x509v3 for specified version
>http://roumenpetrov.info/openssh/download.html
>- http://roumenpetrov.info/domino_CA/
>
>Roumen
>
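An added example, not from Sankalp's post nor from Roumen's patch: a POSIX shell helper that builds the key+certificate files of steps (6) and (8), checks the layout the patched ssh expects, and audits the certificates from step (4) against the CA (duplicate serials, MD5 signatures, purpose). It assumes the file names used in the post and openssl on PATH for audit_certs.

```shell
#!/bin/sh
# Added example (not from the post or from Roumen's patch): checks on the
# files the procedure above produces, run before installing them for sshd.
# Assumes the post's file names and openssl on PATH (audit_certs only).

# Steps (6) and (8): key block first, then the certificate, mode 0600.
# Refuses to clobber an existing identity or host key file.
build_identity() { # $1=key.pem $2=cert.pem $3=output
  if [ -e "$3" ]; then echo "refusing to overwrite $3" >&2; return 1; fi
  ( umask 077 && cat "$1" "$2" > "$3" ) && chmod 0600 "$3"
}

# The patched ssh reads the private key first and the certificate after it:
# require exactly one of each, in that order, and a mode of 0600.
check_identity_layout() { # $1=identity file
  keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$1" || true)
  certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
  [ "$keys" -eq 1 ] && [ "$certs" -eq 1 ] || return 1
  case "$(grep -- '-----BEGIN' "$1" | head -n 1)" in
    *"PRIVATE KEY"*) ;;
    *) return 1 ;;
  esac
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
  [ "$mode" = "600" ]
}

# Step (4) signs server and client certs with -set_serial 01 under one CA,
# and sshd_config enables rsa-md5. Flag duplicate serials (a CRL could not
# tell the two apart), MD5 signatures, and certs that fail to verify.
audit_certs() { # $1=cacert.pem, then cert:purpose pairs (server.pem:sslserver)
  ca=$1; shift; rc=0; seen=""
  for pair in "$@"; do
    cert=${pair%%:*}; purpose=${pair#*:}
    openssl verify -CAfile "$ca" -purpose "$purpose" "$cert" >/dev/null 2>&1 ||
      { echo "$cert: does not verify for purpose $purpose" >&2; rc=1; }
    serial=$(openssl x509 -in "$cert" -noout -serial)
    case " $seen " in
      *" $serial "*) echo "$cert: duplicate $serial under this CA" >&2; rc=1 ;;
    esac
    seen="$seen $serial"
    if openssl x509 -in "$cert" -noout -text | grep -qi 'md5With'; then
      echo "$cert: signed with MD5" >&2; rc=1
    fi
  done
  return "$rc"
}
```

Run as `audit_certs ca/cacert.pem ca/server.pem:sslserver ca/client.pem:sslclient` from /opt/ssh/etc after step (5); a non-zero exit means one of the findings above was printed.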