x509 patch for SSH

Roumen Petrov openssh at roumenpetrov.info
Thu Jan 17 06:39:22 EST 2008

Hi Konstantin,

Please, find answers in quoted text.

Konstantin V. Gavrilenko wrote:
> Hash: SHA1
> Hi guys,
> been trying the x509 patch for ssh from Roumen, it works great.
> However, I can't figure out couple of things, and been trying to solve
> it for couple of days already.
> I'am using OpenSSH_4.7p1-hpn12v19, OpenSSL 0.9.8g
> with 6.1 version of your patch.
> The serverside hostkey is configured correctly, to present x509v3-sign-rsa
> dynowork / # ssh-keyscan pingo
> # pingo SSH-2.0-OpenSSH_4.7p1-hpn12v19
> pingo x509v3-sign-rsa Subject:CN=pingo.dmz.arhont.com,OU=IT,O=Arhont
> Ltd,C=GB
> Hoever, in the  situation, when the clients that haven't been patched to
> support x509, just could not connect giving the following error:
> no hostkey alg
In sshd_config(HostKey=...) you could list keys from appropriate type.
Client with x509 support will dive same result if HostKeyAlgorithms is 
set to ssh-rsa,ssh-dss in ~/.ssh/config for that host.

> Is it possible to circumvent this apart from also specifying the dss
> key, that non-patched clients would understand.
> The second problem is with clients that are patched, but for one reason
> or another there is no x509 store setup on the client.
So in this case client could not create trusted certificate chain and 
verification will reject give certificate.
That is part of PKI and you could test what is result with openssl 
verify ... without trusted certificates.

> They just give out the following error:
> ssh_x509store_cb: subject='CN=pingo.dmz.arhont.com,OU=IT,O=Arhont
> Ltd,C=GB', error 20 at 0 depth lookup:unable to get local issuer certificate
> ssh_verify_cert: verify error, code=20, msg='unable to get local issuer
> certificate'
> key_verify failed for server_host_key
> Is it possible to have a situation when if there is no x509 store set up
> on the client, it would simply revert to the password based authentication?
In reported case client could not trust host key as result will reject 
to continue.
But you could switch to rsa/dss host-keys (HostKeyAlgorithms 
ssh-rsa,ssh-dss) for that host and then to set order of authentication 
methods in PreferredAuthentications.

> I have tried setting
> PubkeyAlgorithms ssh-dss
The client will use only ssh-dss keys to authenticate to server.
HostKeyAlgorithms is for accepted host-keys.

> PreferredAuthentications keyboard-interactive
May be you should append "password" if you like to use password 
authentication if previous listed are rejected by server.

> but with no effect, same error appears.
Sure if server don't offer ssh-dss host-key.

> I would appreciate your help.
> - --
> Respectfully,
> Konstantin V. Gavrilenko
> Arhont Ltd - Information Security
> web:    http://www.arhont.com
>         http://www.wi-foo.com
> e-mail: k.gavrilenko at arhont.com
> tel: +44 (0) 870 44 31337
> fax: +44 (0) 117 969 0141
> PGP: Key ID - 0xE81824F4
> PGP: Server - keyserver.pgp.com
> Version: GnuPG v2.0.7 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> iD8DBQFHjiVNxwtGg+gYJPQRAniCAJ0aqw5Ia8Ti6+dGVWGL0KmbTPiAIwCfQeOa
> G9Ql9I6oPOO9Hyx2N/PAVQc=
> =LYji
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


Get X.509 certificates support in OpenSSH:

More information about the openssh-unix-dev mailing list