Patch for OpenSSH for Windows to allow authentication through certificates
Roumen Petrov
openssh at roumenpetrov.info
Sun Mar 8 07:49:31 EST 2009
Hi Adriana,
Adriana Rodean wrote:
> Hi all,
>
> We patched it on cygwin and got executables to run, but when I try to
> connect to server I got the following from client:
>
>
>
> Debug3: ssh_x509cert_check: for ‘c=ME,ST=ME,L=ME,O=Internet Widgits Pty Ltd’
>
> ssh_x509store_cb: subject=‘c=ME,ST=ME,L=ME,O=Internet Widgits Pty Ltd’, error
>
> 20 at 0 depth lookup:unable to get local issuer certificate
>
> Ssh_verify_cert: verify error, code=20, msg=’ unable to get local
> issuer certificate’
>
> I run executable under Windows with cygwin dlls in same folder.
>
> Thank you,
> Adriana.
To verify the server certificate you need a "trust certificate chain".
See the ssh_config manual page for "x509_store" options like
CACertificateFile and CACertificatePath and also UserCACertificateFile
and UserCACertificatePath.
You could check the openssh x509 store with the openssl command:
$ openssl verify [-CApath directory] [-CAfile file] certificate
In your case the openssl arguments -CApath and -CAfile correspond to the openssh
config options {|User}CACertificatePath and {|User}CACertificateFile, and
certificate is your server certificate.
Roumen
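
The check described in the reply above, as an added example that is not part of the original message: it builds a throwaway CA and server certificate (constructed test data), reproduces error 20 when the issuer is absent from the store, and then verifies successfully through -CAfile and through a hashed -CApath directory. The function names and the temporary file layout are assumptions made for this illustration.

```shell
#!/usr/bin/env bash
# Added example: all keys and certificates are throwaway, constructed test data.
set -u

make_demo_pki() {   # $1 = work dir; writes ca.pem (issuer) and server.pem (leaf)
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/C=ME/O=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/C=ME/O=Demo Server" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/server.csr" -days 1 -CA "$d/ca.pem" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/server.pem" 2>/dev/null
}

make_hashed_capath() {   # $1 = CA certificate, $2 = directory to pass as -CApath
    # -CApath looks issuers up by <subject-hash>.0, not by arbitrary file name.
    mkdir -p "$2" && cp "$1" "$2/$(openssl x509 -noout -hash -in "$1").0"
}

verify_status() {   # args: same as `openssl verify`; prints ok | error20 | other
    local out
    out=$(openssl verify "$@" 2>&1)
    case "$out" in
        *"error 20 at 0 depth"*) echo error20 ;;   # unable to get local issuer certificate
        *": OK"*)                echo ok ;;
        *)                       echo other ;;
    esac
}

demo() {
    local d
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" && make_hashed_capath "$d/ca.pem" "$d/capath" || return 1
    echo "issuer not in store: $(verify_status "$d/server.pem")"
    echo "with -CAfile:        $(verify_status -CAfile "$d/ca.pem" "$d/server.pem")"
    echo "with -CApath:        $(verify_status -CApath "$d/capath" "$d/server.pem")"
    rm -rf "$d"
}
demo
```
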