x509 cert chain

Paul Bradley paul.bradley.listmail at gmail.com
Thu Nov 4 02:55:24 EST 2010


Thank you all for the information.

I will hold off for a week or two before making a decision, as
although I have only a few client machines and servers here (it's just
a home network) I am actually thinking of using Samba4 to put in a
pseudo active directory domain to manage my windows client machines
using group policy. If I do that, I will need LDAP and a Kerberos box
so if getting openssh to work with x509 certs means patching it (on
all the servers, each time I update) it may be easier to just
centralise it and authenticate to the Kerberos with x509 then do
kerberos authentication to the ssh servers.

Thanks anyway, and I won't rule out just doing it on each box
individually using Roumen's patches, but I suspect I might go with the
kerberos solution.

All the best and thanks again for the help.

Paul


On 10/31/10, Roumen Petrov <openssh at roumenpetrov.info> wrote:
> Paul,
>
> Hostbased authentication requires SSL Server in "Netscape Cert Type" for
> the server certificate.
> Otherwise the user could update AllowedCertPurpose, as the default is sslserver.
>
> Please check for EnableSSHKeysign in user configuration.
>
> Roumen
>
>
> Erwin Himawan wrote:
>> I was able to patch openssh using Roumen Petrov's
>> I was able to perform x509 mutual authentication between the client
>> and daemon.
>> I was also able to perform CRL verification.
>> However, my CA has only one level, i.e. RootCA issues certificates to the
>> openssh daemon and the openSSH client.
>> Due to time constraints, I have not tried a multi-level CA like yours. I
>> am still interested to try a multi-level CA.
>>
>> So, if you want, send me your daemon config file, client config file,
>> and the client's known_hosts and daemon's known_hosts files.
>> I can take a look into your config files and help you troubleshoot.
>>
>> Erwin
>>
>> --------------------------------------------------
>> From: "Paul Bradley" <paul.bradley.listmail at gmail.com>
>> Sent: Saturday, October 30, 2010 4:15 AM
>> To: <openssh-unix-dev at mindrot.org>
>> Subject: Re: x509 cert chain
>>
>>> Sorry for the followup - I forgot something:
>>>
>>> I'd also like to know how I get an x509 certificate into the server for it
>>> to use as its host key, so both the host and users can verify each other
>>> using the same CA.
>>>
>>> thanks
>>>
>>> Paul
>>>
>>>
>>> On Sat, Oct 30, 2010 at 10:11 AM, Paul Bradley <
>>> paul.bradley.listmail at gmail.com> wrote:
>>>
>>>>
>>>> Hi,
>>>>
>>>> I am trying to set up OpenSSH with x509 certs and I'm getting nowhere.
>>>> I've been at this on and off for days and doing all the googling I can,
>>>> but I'm still not making progress, so any help would be very much
>>>> appreciated. I believe the latest OpenSSH builds support x509
>>>> certificates - I'm running 5.5 on Ubuntu 10.04.
>>>>
>>>> What I want to do is have users on Windows boxes using PuttySC or similar
>>>> (suggestions welcome) log in without needing to enter a username/password,
>>>> using an x509 certificate stored on a smartcard / token.
>>>>
>>>> The user identities already exist (x509 certs + private keys) and there is
>>>> a multi-level CA structure. It's a simple one though:
>>>> ROOT CA -> POLICY CA -> ISSUING CA -> USER CERTIFICATE
>>>>
>>>> How do I configure OpenSSH to allow logins from users who have certificates
>>>> signed by the trusted issuing CA at the end of the chain above? Presumably
>>>> the server needs the whole CA chain, and I've tried cat'ing the .pem files
>>>> for the CA certificates together and copying the result to a file that I've
>>>> pointed to with CACertificateFile in sshd_config.
>>>>
>>>> In the authorized_keys I've got:
>>>> x509v3-sign-rsa subject=/C=COUNTRY/ST=STATE/O=ORGANIZATION/OU=OU/CN=CN
>>>> i.e. the DN of the ROOT CA certificate - should this instead be the
>>>> issuing CA?
>>>>
>>>> Generally any pointers would be very helpful. I've found Roumen Petrov's
>>>> patches and read some of his stuff, but I find it a bit difficult to follow,
>>>> and in any case I'm not sure how relevant his implementation is to the
>>>> mainline openssh 5.4/5.5 x509.
>>>>
>>>> Thanks
>>>>
>>>> Paul
>>>>
>>>>
>>> _______________________________________________
>>> openssh-unix-dev mailing list
>>> openssh-unix-dev at mindrot.org
>>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>
>
>
> --
> Get X.509 certificates support in OpenSSH:
> http://roumenpetrov.info/openssh/
>
>
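Two points in the thread are easy to check with the openssl CLI before touching sshd at all: Paul's question of whether a concatenated CA file has to carry the intermediates as well as the root, and Roumen's note that host-based authentication needs the "SSL Server" Netscape cert type on the server certificate because AllowedCertPurpose defaults to sslserver. The script below is an added example, not code from the thread or from Roumen's patch: it builds the ROOT CA -> POLICY CA -> ISSUING CA -> leaf chain Paul describes, issues one user certificate marked for client use and one host certificate marked for server use, and then runs `openssl verify -purpose` over them. All DNs, file names and the extension profiles are constructed here; the script only exercises certificate material with openssl and does not configure the patched sshd (CACertificateFile, AllowedCertPurpose and EnableSSHKeysign belong to the X.509 patch, and mainline OpenSSH 5.4+ certificates are OpenSSH's own format, not X.509).

```shell
#!/bin/sh
# Added example (not from the thread or the X.509 patch): build a three-level
# CA with the openssl CLI and check chain completeness and certificate purpose.
# Requires the openssl command; everything else (DNs, names, extension profiles)
# is constructed for this example.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles (constructed).  CAs get keyCertSign; the user leaf is
# marked as an SSL client and the host leaf as an SSL server, both via
# extendedKeyUsage and the Netscape cert type Roumen mentions.
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ user_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
nsCertType = client
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ host_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
nsCertType = server
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

# issue NAME PARENT EXT_SECTION SUBJECT: new key + CSR, signed by PARENT's key.
issue() {
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    openssl req -new -key "$1.key" -subj "$4" -config ext.cnf -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
        -extfile ext.cnf -extensions "$3" -days 365 -out "$1.pem" 2>/dev/null
}

# Self-signed root, then the two intermediates and the two leaves.
openssl genrsa -out root.key 2048 2>/dev/null
openssl req -x509 -new -key root.key -subj "/O=Example/CN=ROOT CA" \
    -config ext.cnf -extensions root_ext -days 365 -out root.pem 2>/dev/null
issue policy  root    ca_ext   "/O=Example/CN=POLICY CA"
issue issuing policy  ca_ext   "/O=Example/CN=ISSUING CA"
issue user    issuing user_ext "/O=Example/CN=paul"
issue host    issuing host_ext "/O=Example/CN=ssh.example.test"

# The CA file handed to the verifier must carry the whole chain, not just the root.
cat root.pem policy.pem issuing.pem > cachain.pem

# verify_ok CAFILE PURPOSE CERT -> 0 when openssl verify reports "<cert>: OK".
# The output text is checked rather than the exit status because old (1.0.x)
# openssl exited 0 even on verification failure.
verify_ok() {
    out=$(openssl verify -CAfile "$1" -purpose "$2" "$3" 2>&1) || true
    case "$out" in *": OK") return 0 ;; *) return 1 ;; esac
}

# Expected outcomes: full chain + matching purpose passes; root-only CA file
# fails (no issuer for the leaf); a client cert fails the sslserver purpose.
verify_ok cachain.pem sslclient user.pem && echo "user as sslclient, full chain: OK"
verify_ok root.pem    sslclient user.pem || echo "user, root-only CA file: FAIL (intermediates missing)"
verify_ok cachain.pem sslserver host.pem && echo "host as sslserver, full chain: OK"
verify_ok cachain.pem sslserver user.pem || echo "user as sslserver: FAIL (wrong purpose)"
```

The third and fourth lines of output are the ones that map onto the thread: a user certificate that verifies fine as `sslclient` is refused as `sslserver`, which is what a server certificate without the SSL Server cert type would hit under the patch's default AllowedCertPurpose, and a CA file containing only the root cannot verify a leaf issued three levels down.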

