OpenSSH and X.509 Certificate Support

sankalp_karpe sankalp_karpe at persistent.co.in
Thu Feb 28 23:33:11 EST 2008


Hi Roumen,

Thanks for your comments.
The issues reported by me were not X.509 specific. Sorry about that.

So now I have SSH Server & Client, both patched with X.509 and I can 
successfully connect to the Server using X.509 Certificates.

I have several Linux clients, some of which are patched with the X.509 patch.

Is it possible for those Linux machines (not patched with X.509) to 
log in to the server with username/password since they do not support 
X.509 certificates (by doing some configuration changes on the server)?
I have tried to log in from a ssh client (without X.509 patch) to a ssh 
server (with X.509 patch), but the server refuses the connection with the 
following error on the console:

"no hostkey alg"

My goal is to make the OpenSSH Server (with X.509 patch) compatible 
with all SSH Clients irrespective of whether the client is patched with 
X.509 or not.
Would there be any workaround?

Your help would be highly appreciated.
Thanking you in anticipation.

Thanks and Best Regards,
Sankalp


Roumen Petrov wrote:

> sankalp_karpe wrote:
>
>> Hi Roumen,
>>
>> I could successfully add X.509 Certificate support to OpenSSH.
>> [SKIP]
>>   
>
>
>> *ISSUES faced:*
>>
>> The following commands did not execute and gave errors:
>>
>> (a) /opt/ssh/bin/ssh -vvv -f /opt/ssh/etc/ssh_config -d -d -d myuser@myserver
>>
>> OpenSSH_4.7p1, OpenSSL 0.9.8b 04 May 2006
>> ssh: illegal option -- d
>> usage: ssh [-1246AaCfgKkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]
>>            [-D [bind_address:]port] [-e escape_char] [-F configfile]
>>            [-i identity_file] [-L [bind_address:]port:host:hostport]
>>            [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
>>            [-R [bind_address:]port:host:hostport] [-S ctl_path]
>>            [-w local_tun[:remote_tun]] [user@]hostname [command]
>>   
>
> Yes, expected. The option -d is not in vanilla.
> Vanilla OpenSSH uses -v as verbose mode for the client and -d as debug mode 
> for the daemon (server).
>
> What is the ssh option -d on the RedHat distribution?
>
>
>> (b) /opt/ssh/bin/ssh -vvv -f /opt/ssh/etc/ssh_config myuser@myserver
>>
>> OpenSSH_4.7p1, OpenSSL 0.9.8b 04 May 2006
>> debug1: Reading configuration data /opt/ssh//etc/ssh_config
>> debug2: hash dir '/root/.ssh/crt' added to x509 store
>> debug2: file '/root/.ssh/ca-cert.pem' added to x509 store
>> debug2: hash dir '/root/.ssh/crl' added to x509 revocation store
>> debug2: hash dir '/opt/ssh//etc/ca/crt' added to x509 store
>> debug2: hash dir '/opt/ssh//etc/ca/crl' added to x509 revocation store
>> debug1: ssh_set_validator: ignore responder url
>> debug2: ssh_connect: needpriv 0
>> ssh: /opt/ssh/etc/ssh_config: Name or service not known
>>   
>
> Sorry, but the OpenSSH -f option is not so consistent with other programs.
> Usually -f is for a file in many applications, but not in OpenSSH.
> OpenSSH is inconsistent and the option is: -F config_file.
> Option -f "requests ssh to go to background just before command 
> execution."
> So the client tries to connect to host "/opt/ssh/etc/ssh_config" and to 
> execute the command "myuser@myserver".
>
> On RedHat, is option -f followed by a config file?
>
>> [SNIP]
>
>
> Sorry, but the reported issues are not related to X.509 certificate support.
>
> Roumen
>
>
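
The "no hostkey alg" message above is what OpenSSH prints when the host key algorithm negotiation in the SSH_MSG_KEXINIT exchange (RFC 4253, section 7.1) finds no algorithm common to both sides. The following Python model is an added example, not code from the thread or from OpenSSH or the X.509 patch; the algorithm name-lists are constructed and the X.509 algorithm names are illustrative, but the selection rule (first entry in the client's list that the server also offers) is the one RFC 4253 specifies.

```python
# Added example (not from the thread): models the RFC 4253 section 7.1
# host-key algorithm negotiation to show why an unpatched client that offers
# only plain ssh-rsa/ssh-dss cannot agree with a server that advertises only
# X.509 host key algorithms, and why adding a plain host key resolves it.
from typing import List, Optional


def parse_namelist(namelist: str) -> List[str]:
    """Split a comma-separated SSH name-list; an empty string gives []."""
    return [name for name in namelist.split(",") if name]


def negotiate(client: str, server: str) -> Optional[str]:
    """RFC 4253 7.1: pick the first algorithm in the client's list that also
    appears in the server's list; None when the lists share nothing."""
    server_offers = set(parse_namelist(server))
    for name in parse_namelist(client):
        if name in server_offers:
            return name
    return None


def check_hostkey_alg(client: str, server: str) -> str:
    """Return the chosen host key algorithm, or the text OpenSSH reports
    ('no hostkey alg') when negotiation fails."""
    chosen = negotiate(client, server)
    return chosen if chosen is not None else "no hostkey alg"


# Constructed name-lists; the x509v3-* names are illustrative, not captured.
VANILLA_CLIENT = "ssh-rsa,ssh-dss"                    # client without the patch
X509_ONLY_SERVER = "x509v3-sign-rsa,x509v3-sign-dss"  # server offering only X.509
MIXED_SERVER = "x509v3-sign-rsa,ssh-rsa"              # X.509 plus a plain host key

if __name__ == "__main__":
    for label, server in (("X.509-only server", X509_ONLY_SERVER),
                          ("server with a plain host key too", MIXED_SERVER)):
        print(f"{label}: {check_hostkey_alg(VANILLA_CLIENT, server)}")
```

Run as a script it prints one line per server configuration; the interesting comparison is that the same client succeeds only when the server's list contains an algorithm the client already speaks.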
