Help with CA Certificates for user authentication?
wfdawson
wfdawson at bellsouth.net
Thu Nov 3 17:50:46 EST 2011
As background, I read:
http://therowes.net/~greg/2011/03/23/ssh-trusted-ca-key/
http://www.ibm.com/developerworks/aix/library/au-sshsecurity/
http://bryanhinton.com/blog/openssh-security
http://www.linuxhowtos.org/manpages/5/sshd_config.htm
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&taskId=120&prodSeriesId=4164814&prodTypeId=18964&objectID=c02838205
http://www.gossamer-threads.com/lists/openssh/users/50165
I'm trying to use an SSH CA certificate for user authentication, but I'm not quite getting "there."
I created a signing cert and used it to sign the test user's public key:
ssh-keygen -s /etc/ssh/ca_rsa -I test -n test@172.31.43.3 -z 3 /home/test/.ssh/id_rsa.pub
On my test server, the sshd_config details:
Port 2022
HostKey /etc/sshtest/ssh_host_key
HostKey /etc/sshtest/ssh_host_rsa_key
HostKey /etc/sshtest/ssh_host_dsa_key
HostKey /etc/sshtest/ssh_host_ecdsa_key
MaxAuthTries 3
AuthorizedKeysFile /etc/sshtest/authorized_keys
PasswordAuthentication no
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
UseDNS no
Subsystem sftp /home1/test/usr/local/libexec/sftp-server
TrustedUserCAKeys /etc/sshtest/ssh_cakeys
AuthorizedPrincipalsFile /etc/sshtest/authorized_principals
The /etc/sshtest/authorized_principals file contains one line:
test@172.31.43.3
I attempt to connect to the target server from the test client:
$ ssh -vvv -Y -p 2022 -l test 172.31.44.115
There is verbose output, which mostly seems right until (on the client):
debug1: ssh_rsa_verify: signature correct
debug2: input_userauth_pk_ok: fp c9:42:44:91:48:04:45:b2:ee:93:12:3f:e5:89:13:ab
debug3: sign_and_send_pubkey: RSA-CERT c9:42:44:91:48:04:45:b2:ee:93:12:3f:e5:89:13:ab
debug1: read PEM private key begin
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/home/test/.ssh/id_rsa':
...and, correspondingly on the server:
debug1: KEX done
debug1: userauth-request for user test service ssh-connection method none
debug1: attempt 0 failures 0
debug1: userauth-request for user test service ssh-connection method publickey
debug1: attempt 1 failures 0
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 63203/54000 (e=0/0)
debug1: trying public key file /etc/sshtest/authorized_keys
debug1: fd 5 clearing O_NONBLOCK
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 63203/54000 (e=0/0)
debug1: trying public key file /etc/sshtest/authorized_keys
debug1: fd 5 clearing O_NONBLOCK
debug1: restore_uid: 0/0
Failed publickey for test from 172.31.43.3 port 2991 ssh2
debug1: userauth-request for user test service ssh-connection method publickey
debug1: attempt 2 failures 1
debug1: ssh_rsa_verify: signature correct
debug1: test whether pkalg/pkblob are acceptable
debug1: ssh_rsa_verify: signature correct
debug1: temporarily_use_uid: 63203/54000 (e=0/0)
debug1: trying authorized principals file /etc/sshtest/authorized_principals
debug1: fd 5 clearing O_NONBLOCK
debug1: restore_uid: 0/0
Certificate does not contain an authorized principal
debug1: temporarily_use_uid: 63203/54000 (e=0/0)
debug1: trying public key file /etc/sshtest/authorized_keys
debug1: fd 5 clearing O_NONBLOCK
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 63203/54000 (e=0/0)
debug1: trying public key file /etc/sshtest/authorized_keys
debug1: fd 5 clearing O_NONBLOCK
debug1: restore_uid: 0/0
Failed publickey for test from 172.31.43.3 port 2991 ssh2
debug1: userauth-request for user test service ssh-connection method publickey
debug1: attempt 3 failures 2
debug1: ssh_rsa_verify: signature correct
debug1: test whether pkalg/pkblob are acceptable
debug1: ssh_rsa_verify: signature correct
debug1: temporarily_use_uid: 63203/54000 (e=0/0)
debug1: trying authorized principals file /etc/sshtest/authorized_principals
debug1: fd 5 clearing O_NONBLOCK
debug1: restore_uid: 0/0
Accepted certificate ID "test" signed by RSA CA e5:04:98:2c:95:d3:b2:21:01:f3:5c:16:63:99:67:db via /etc/sshtest/ssh_cakeys
Postponed publickey for test from 172.31.43.3 port 2991 ssh2
At this point, I have to enter the test user's passphrase. This is not what I expect... I was rather hoping to avoid entering credentials...
Any suggestions?
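The server log above shows the two gates a certificate has to pass before the user key itself comes into play: the CA signature check ("ssh_rsa_verify: signature correct") and the principal lookup against AuthorizedPrincipalsFile ("Certificate does not contain an authorized principal" versus "Accepted certificate ID ..."). The following is an added example, not code from the poster or from OpenSSH: it decodes the ssh-rsa-cert-v01@openssh.com wire format that ssh-keygen -s produces and reproduces the principal check sshd applies. The certificate it decodes is constructed inline with placeholder key material and a placeholder signature, so it demonstrates the field layout and the principal match only and does not verify a CA signature; it also assumes, as in the poster's file, that each AuthorizedPrincipalsFile line is a bare principal name (sshd additionally accepts per-line options, which are not handled here).

```python
"""Decode an OpenSSH user certificate and apply sshd's principal check.
Added example with a constructed certificate; the signature is a placeholder,
so nothing here verifies the CA signature (sshd does that before the
principal lookup)."""
import base64
import struct
import time

CERT_ALG = "ssh-rsa-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1          # 1 = user certificate, 2 = host certificate
SSH_CERT_FOREVER = 2**64 - 1    # valid_before used when no -V is given


def _string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    """SSH wire 'mpint': minimal big-endian bytes, leading 0x00 if high bit set."""
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return _string(b)


def build_user_cert(key_id, principals, serial, valid_after=0,
                    valid_before=SSH_CERT_FOREVER, comment="test@client"):
    """Return one id_rsa-cert.pub line (constructed: placeholder RSA values and
    an all-zero signature, not something a CA produced)."""
    body = b"".join([
        _string(CERT_ALG.encode()),
        _string(b"\x00" * 32),                          # nonce
        _mpint(65537),                                  # e  (placeholder)
        _mpint((1 << 2047) | 0xC0FFEE),                 # n  (placeholder)
        struct.pack(">Q", serial),                      # -z serial
        struct.pack(">I", SSH_CERT_TYPE_USER),
        _string(key_id.encode()),                       # -I key id
        _string(b"".join(_string(p.encode()) for p in principals)),  # -n list
        struct.pack(">Q", valid_after),
        struct.pack(">Q", valid_before),
        _string(b""),                                   # critical options
        _string(b""),                                   # extensions
        _string(b""),                                   # reserved
        _string(_string(b"ssh-rsa") + _mpint(65537) + _mpint(3)),   # CA key blob
        _string(_string(b"ssh-rsa") + _string(b"\x00" * 256)),      # placeholder sig
    ])
    return f"{CERT_ALG} {base64.b64encode(body).decode()} {comment}"


class _Reader:
    """Sequential reader for the SSH wire types used in certificates."""
    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def u32(self):
        (v,) = struct.unpack_from(">I", self.buf, self.pos)
        self.pos += 4
        return v

    def u64(self):
        (v,) = struct.unpack_from(">Q", self.buf, self.pos)
        self.pos += 8
        return v

    def string(self):
        n = self.u32()
        v = self.buf[self.pos:self.pos + n]
        if len(v) != n:
            raise ValueError("truncated certificate")
        self.pos += n
        return v

    def done(self):
        return self.pos == len(self.buf)


def parse_user_cert(line):
    """Parse a *-cert.pub line into the fields sshd logs and checks."""
    alg, b64 = line.split()[:2]
    if alg != CERT_ALG:
        raise ValueError(f"unsupported certificate type {alg}")
    r = _Reader(base64.b64decode(b64))
    if r.string() != CERT_ALG.encode():
        raise ValueError("certificate blob does not match its type string")
    r.string()                          # nonce
    r.string(), r.string()              # e, n of the signed user key
    cert = {"serial": r.u64(), "type": r.u32(), "key_id": r.string().decode()}
    inner = _Reader(r.string())         # principals: packed list of strings
    cert["principals"] = []
    while not inner.done():
        cert["principals"].append(inner.string().decode())
    cert["valid_after"], cert["valid_before"] = r.u64(), r.u64()
    r.string(), r.string(), r.string()  # critical options, extensions, reserved
    cert["signature_key"], cert["signature"] = r.string(), r.string()
    if not r.done():
        raise ValueError("trailing data after signature")
    return cert


def authorized_principal_match(cert, principals_file_text, now=None):
    """Return the first certificate principal listed in AuthorizedPrincipalsFile,
    or None (the case sshd logs as "Certificate does not contain an authorized
    principal"). Assumes bare principal names per line, as in the post."""
    now = int(time.time()) if now is None else now
    if cert["type"] != SSH_CERT_TYPE_USER:
        return None
    if not (cert["valid_after"] <= now < cert["valid_before"]):
        return None
    allowed = {ln.strip() for ln in principals_file_text.splitlines()
               if ln.strip() and not ln.strip().startswith("#")}
    return next((p for p in cert["principals"] if p in allowed), None)


if __name__ == "__main__":
    line = build_user_cert("test", ["test@172.31.43.3"], serial=3)
    cert = parse_user_cert(line)
    print(cert["key_id"], cert["serial"], cert["principals"])
    print(authorized_principal_match(cert, "test@172.31.43.3\n"))  # matches
    print(authorized_principal_match(cert, "test\n"))              # no match
```

On a real certificate, `ssh-keygen -L -f ~/.ssh/id_rsa-cert.pub` prints the same Key ID, Serial and Principals fields this parser extracts, which is the quickest way to confirm that the `-n` value you signed is byte-for-byte the line in AuthorizedPrincipalsFile. Note that the principal check says nothing about the client-side private key: once sshd has accepted the certificate it still needs a signature from the matching private key, so an encrypted id_rsa will prompt for its passphrase exactly as a non-certificate key would.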