Patch for OpenSSH for Windows to allow authentication through certificates

Roumen Petrov openssh at roumenpetrov.info
Wed Mar 11 17:47:07 EST 2009


Adriana Rodean wrote:
> Hi Roumen,
> 
> I fixed the certificate validation, so it returns 1 (trusted) now, but I
> still can't go on. After everything seems to be OK, certificate
> validated,
> the client tries to authenticate with keyboard-interactive. This of course
> doesn't work and the connection is closed.
> 
> Here is output from server (started with option -d):
> debug1: ssh_set_validator: ignore responder url
> debug1: sshd version OpenSSH_5.1p1
> debug1: read PEM private key begin
> debug1: read X509 certificate done: type RSA+cert
> debug1: read PEM private key done: type RSA+cert
> debug1: private host key: #0 type 3 RSA+cert
[SNIP]
> method keyboard-interactive
[SNIP]

> and output from client (started with option -v):
> OpenSSH_5.1p1, OpenSSL 0.9.8j 07 Jan 2009
> debug1: Reading configuration data c:\\openssh\\bin\\ssh_config
> debug1: ssh_set_validator: ignore responder url
> debug1: Connecting to 10.3.3.12 [10.3.3.12] port 22.
> debug1: Connection established.
> debug1: identity file C:/OpenSSH/Certs/id_rsa type 3
> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1
> debug1: match: OpenSSH_5.1 pat OpenSSH*
[SNIP]
> debug1: Host '10.3.3.12' is known and matches the RSA+cert host key.
> debug1: Found key in /home/Administrator.JOGE/.ssh/known_hosts:1
[SNIP]
> debug1: Authentications that can continue: keyboard-interactive
> debug1: Next authentication method: keyboard-interactive
> debug1: Authentications that can continue: keyboard-interactive
[SNIP]
> What did I miss?

Check the client option PreferredAuthentications. In your case it may be 
only keyboard-interactive. The default is "hostbased, publickey, 
keyboard-interactive, password". For certificates it has to contain 
publickey or hostbased. Let's start with publickey.
Also check the client options PubkeyAuthentication and PubkeyAlgorithms.

On the server check the server options PubkeyAuthentication and 
PubkeyAlgorithms.

Initially you may leave PubkeyAlgorithms at its default.

[SNIP]

Roumen
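As an added example (not code from this thread or from the X.509 patch), a small POSIX shell check that reads an ssh_config and reports whether the client can still attempt publickey or hostbased, which the certificate identity needs. It assumes the defaults quoted in the reply, whitespace-separated keywords, and only top-level settings before any Host block; the two sample configs are constructed.

```shell
#!/bin/sh
# Added example: check whether an ssh_config leaves the client any chance
# to try publickey or hostbased. Assumes "Keyword value" lines (no "="),
# only settings before the first Host block, and first value wins as in
# ssh_config(5). Keywords are compared case-insensitively.

cfg_value() {
    # Usage: cfg_value <file> <lowercase keyword>  -> first value or empty
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }        # skip comments and blanks
        tolower($1) == "host"      { exit }         # stop at first Host block
        tolower($1) == key         { print $2; exit }
    ' "$1"
}

cert_auth_possible() {
    # Usage: cert_auth_possible <ssh_config>; returns 0 if publickey or
    # hostbased will be attempted, 1 otherwise; prints the reason.
    pa=$(cfg_value "$1" preferredauthentications)
    pk=$(cfg_value "$1" pubkeyauthentication)
    # Defaults as quoted in the reply above (assumption for this check).
    [ -n "$pa" ] || pa="hostbased,publickey,keyboard-interactive,password"
    [ -n "$pk" ] || pk="yes"
    case ",$pa," in
        *,hostbased,*) echo "ok: hostbased is listed"; return 0 ;;
    esac
    case ",$pa," in
        *,publickey,*)
            [ "$pk" = "yes" ] && { echo "ok: publickey listed, PubkeyAuthentication yes"; return 0; }
            echo "fail: publickey listed but PubkeyAuthentication is '$pk'"; return 1 ;;
    esac
    echo "fail: PreferredAuthentications '$pa' has neither publickey nor hostbased"
    return 1
}

write_samples() {
    # Constructed sample configs written into directory $1.
    printf '%s\n' '# constructed: client that only offers keyboard-interactive' \
        'PreferredAuthentications keyboard-interactive' \
        'IdentityFile C:/OpenSSH/Certs/id_rsa' > "$1/bad_config"
    printf '%s\n' '# constructed: corrected client config' \
        'PreferredAuthentications publickey,keyboard-interactive' \
        'PubkeyAuthentication yes' \
        'IdentityFile C:/OpenSSH/Certs/id_rsa' > "$1/good_config"
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in bad_config good_config; do cert_auth_possible "$tmp/$f" || :; done
rm -rf "$tmp"
```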
