x509 cert chain

Roumen Petrov openssh at roumenpetrov.info
Sun Oct 31 21:58:12 EST 2010


Hostbased authentication require SSL Server in "Netscape Cert Type" for 
the server certificate.
Otherwise user could update AllowedCertPurpose as default is sslserver.

Please check for EnableSSHKeysign in user configuration.


Erwin Himawan wrote:
> I was able to patch openssh using Roumen Petrovs'
> I was able to perform x509 mutual authentication between the client 
> and daemon.
> I was also able to perform CRL verfication/
> However, My CA has oly one leve; I.e. RootCA issues certificate to 
> openssh daemon and openSSH client.
> Due to time constraint, I have not tried multi-level CA like yours.  I 
> am still interested to try multi-level CA.
> So, If you want, send me your daemon config file, client config file, 
> and client's known host and daeom's knowhost files.
> I can take a look into your config file and help you troubleshoot.
> Erwin
> --------------------------------------------------
> From: "Paul Bradley" <paul.bradley.listmail at gmail.com>
> Sent: Saturday, October 30, 2010 4:15 AM
> To: <openssh-unix-dev at mindrot.org>
> Subject: Re: x509 cert chain
>> Sorry for the followup - I forgot something:
>> I'd also like to know how I get an x509 certificate into the server 
>> for it
>> to use as it's host key, so both the host and users can verify each 
>> other
>> using the same CA.
>> thanks
>> Paul
>> On Sat, Oct 30, 2010 at 10:11 AM, Paul Bradley <
>> paul.bradley.listmail at gmail.com> wrote:
>>> Hi,
>>> I am trying to set up OpenSSH with x509 certs and I'm getting 
>>> nowhere. I've
>>> been at this on and off for days and doing all the googling I can 
>>> but I'm
>>> still not making progress so any help would be very much appreciated. I
>>> believe the latest OpenSSH builds support x509 certificates - I'm 
>>> running
>>> 5.5 on Ubuntu 10.04.
>>> What I want to do is have users on Windows boxes using PuttySC or 
>>> similar
>>> (suggestions welcome) log in without needing to enter a 
>>> username/password,
>>> using an x509 certificate stored on a smartcard / token.
>>> The user identities already exist (x509 certs + private keys) and 
>>> there is
>>> a multi-level CA structure. It's a simple one though:    ROOT CA -> 
>>> How do I configure OpenSSH to allow logins from users who have 
>>> certificates
>>> signed by the trusted issuing CA at the end of the chain above. 
>>> Presumably
>>> the server needs the whole CA chain and I've tried cat'ing the .pem 
>>> files
>>> for the CA certificates together and copying the result to a file 
>>> that I've
>>> pointed to with CACertificateFile in sshd_config.
>>> In the authorized_keys I've got:
>>> x509v3-sign-rsa subject= 
>>> the DN of the ROOT CA certificate - should this instead be the 
>>> issuing CA?
>>> Generally any pointers would be very helpful, I've found Roumen Petrovs
>>> patches and read some of his stuff but I find it a bit difficult to 
>>> follow
>>> and in any case I'm not sure how relevant his implementation is to the
>>> mainline openssh 5.4/5.5 x509.
>>> Thanks
>>> Paul
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Get X.509 certificates support in OpenSSH:

More information about the openssh-unix-dev mailing list