x509 patch for SSH

Konstantin V. Gavrilenko kos at arhont.com
Thu Jan 17 02:39:57 EST 2008

Hash: SHA1

Hi guys,

been trying the x509 patch for ssh from Roumen, it works great.
However, I can't figure out couple of things, and been trying to solve
it for couple of days already.

I'am using OpenSSH_4.7p1-hpn12v19, OpenSSL 0.9.8g
with 6.1 version of your patch.

The serverside hostkey is configured correctly, to present x509v3-sign-rsa

dynowork / # ssh-keyscan pingo
# pingo SSH-2.0-OpenSSH_4.7p1-hpn12v19
pingo x509v3-sign-rsa Subject:CN=pingo.dmz.arhont.com,OU=IT,O=Arhont

Hoever, in the  situation, when the clients that haven't been patched to
support x509, just could not connect giving the following error:

no hostkey alg

Is it possible to circumvent this apart from also specifying the dss
key, that non-patched clients would understand.

The second problem is with clients that are patched, but for one reason
or another there is no x509 store setup on the client.

They just give out the following error:

ssh_x509store_cb: subject='CN=pingo.dmz.arhont.com,OU=IT,O=Arhont
Ltd,C=GB', error 20 at 0 depth lookup:unable to get local issuer certificate
ssh_verify_cert: verify error, code=20, msg='unable to get local issuer
key_verify failed for server_host_key

Is it possible to have a situation when if there is no x509 store set up
on the client, it would simply revert to the password based authentication?

I have tried setting
PubkeyAlgorithms ssh-dss
PreferredAuthentications keyboard-interactive
but with no effect, same error appears.

I would appreciate your help.

- --
Konstantin V. Gavrilenko

Arhont Ltd - Information Security

web:    http://www.arhont.com
e-mail: k.gavrilenko at arhont.com

tel: +44 (0) 870 44 31337
fax: +44 (0) 117 969 0141

PGP: Key ID - 0xE81824F4
PGP: Server - keyserver.pgp.com
Version: GnuPG v2.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the openssh-unix-dev mailing list