Help with CA Certificates for user authentication?

Iain Morgan imorgan at nas.nasa.gov
Fri Nov 4 04:35:58 EST 2011


Hello,

What happens if you set the principal in the certificate to simply be
the username of the test account?

I suspect that you have a permissions issue with your
authorized_principals file. Remember that it is read using the user's
permissions and thus must be readable by the user.

-- 
Iain Morgan

On Thu, Nov 03, 2011 at 01:50:46 -0500, wfdawson wrote:
> As background, I read:
> 
> http://therowes.net/~greg/2011/03/23/ssh-trusted-ca-key/
> http://www.ibm.com/developerworks/aix/library/au-sshsecurity/
> http://bryanhinton.com/blog/openssh-security
> http://www.linuxhowtos.org/manpages/5/sshd_config.htm
> http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&taskId=120&prodSeriesId=4164814&prodTypeId=18964&objectID=c02838205
> http://www.gossamer-threads.com/lists/openssh/users/50165
> 
> 
> I'm to use an SSH CA certificate for user authentication, but I'm not getting quite "there."
> 
> I created a signing cert and used it to sign the test user's public key:
> 
> ssh-keygen -s /etc/ssh/ca_rsa -I test -n test@172.31.43.3 -z 3 /home/test/.ssh/id_rsa.pub
> 
> On my test server, the sshd_config details:
> 
> Port 2022
> HostKey /etc/sshtest/ssh_host_key
> HostKey /etc/sshtest/ssh_host_rsa_key
> HostKey /etc/sshtest/ssh_host_dsa_key
> HostKey /etc/sshtest/ssh_host_ecdsa_key
> MaxAuthTries 3
> AuthorizedKeysFile /etc/sshtest/authorized_keys
> PasswordAuthentication no
> X11Forwarding yes
> X11DisplayOffset 10
> X11UseLocalhost yes
> UseDNS no
> Subsystem sftp /home1/test/usr/local/libexec/sftp-server
> TrustedUserCAKeys /etc/sshtest/ssh_cakeys
> AuthorizedPrincipalsFile /etc/sshtest/authorized_principals
> 
> The /etc/sshtest/authorized_principals file contains one line:
> 
> test@172.31.43.3
> 
> I attempt to connect to the target server from the test client:
> 
> $ ssh -vvv -Y -p 2022 -l test 172.31.44.115
> 
> 
> There is verbose output, which mostly seems right until (on the client):
> 
> 
> debug1: ssh_rsa_verify: signature correct
> debug2: input_userauth_pk_ok: fp c9:42:44:91:48:04:45:b2:ee:93:12:3f:e5:89:13:ab
> debug3: sign_and_send_pubkey: RSA-CERT c9:42:44:91:48:04:45:b2:ee:93:12:3f:e5:89:13:ab
> debug1: read PEM private key begin
> debug1: key_parse_private_pem: PEM_read_PrivateKey failed
> debug1: read PEM private key done: type <unknown>
> Enter passphrase for key '/home/test/.ssh/id_rsa':
> 
> ...and, correspondingly on the server:
> 
> debug1: KEX done
> debug1: userauth-request for user test service ssh-connection method none
> debug1: attempt 0 failures 0
> debug1: userauth-request for user test service ssh-connection method publickey
> debug1: attempt 1 failures 0
> debug1: test whether pkalg/pkblob are acceptable
> debug1: temporarily_use_uid: 63203/54000 (e=0/0)
> debug1: trying public key file /etc/sshtest/authorized_keys
> debug1: fd 5 clearing O_NONBLOCK
> debug1: restore_uid: 0/0
> debug1: temporarily_use_uid: 63203/54000 (e=0/0)
> debug1: trying public key file /etc/sshtest/authorized_keys
> debug1: fd 5 clearing O_NONBLOCK
> debug1: restore_uid: 0/0
> Failed publickey for test from 172.31.43.3 port 2991 ssh2
> debug1: userauth-request for user test service ssh-connection method publickey
> debug1: attempt 2 failures 1
> debug1: ssh_rsa_verify: signature correct
> debug1: test whether pkalg/pkblob are acceptable
> debug1: ssh_rsa_verify: signature correct
> debug1: temporarily_use_uid: 63203/54000 (e=0/0)
> debug1: trying authorized principals file /etc/sshtest/authorized_principals
> debug1: fd 5 clearing O_NONBLOCK
> debug1: restore_uid: 0/0
> Certificate does not contain an authorized principal
> debug1: temporarily_use_uid: 63203/54000 (e=0/0)
> debug1: trying public key file /etc/sshtest/authorized_keys
> debug1: fd 5 clearing O_NONBLOCK
> debug1: restore_uid: 0/0
> debug1: temporarily_use_uid: 63203/54000 (e=0/0)
> debug1: trying public key file /etc/sshtest/authorized_keys
> debug1: fd 5 clearing O_NONBLOCK
> debug1: restore_uid: 0/0
> Failed publickey for test from 172.31.43.3 port 2991 ssh2
> debug1: userauth-request for user test service ssh-connection method publickey
> debug1: attempt 3 failures 2
> debug1: ssh_rsa_verify: signature correct
> debug1: test whether pkalg/pkblob are acceptable
> debug1: ssh_rsa_verify: signature correct
> debug1: temporarily_use_uid: 63203/54000 (e=0/0)
> debug1: trying authorized principals file /etc/sshtest/authorized_principals
> debug1: fd 5 clearing O_NONBLOCK
> debug1: restore_uid: 0/0
> Accepted certificate ID "test" signed by RSA CA e5:04:98:2c:95:d3:b2:21:01:f3:5c:16:63:99:67:db via /etc/sshtest/ssh_cakeys
> Postponed publickey for test from 172.31.43.3 port 2991 ssh2
> 
> At this point, I have to enter the test user's passphrase. This is not what I expect... I was rather hoping to avoid entering credentials...
> 
> 
> Any suggestions?
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
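Added example, not from the thread or from OpenSSH itself: a small Python parser that pulls the key ID and principals out of an RSA user certificate (the format of an `id_rsa-cert.pub` line) and applies the same principal match sshd performs against `AuthorizedPrincipalsFile`, so the "Certificate does not contain an authorized principal" outcome above can be reproduced offline. The certificate it feeds itself is a constructed, unsigned blob that stops after the principals field; `constructed_cert`, `cert_principals` and `authorized_principal` are names chosen here.

```python
import base64
import struct

def _string(b):
    return struct.pack(">I", len(b)) + b

def _read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def cert_principals(cert_line):
    """Return (key_id, principals) from a public certificate line such as the
    contents of id_rsa-cert.pub. Handles RSA user certificates only."""
    blob = base64.b64decode(cert_line.split()[1])
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-rsa-cert-v01@openssh.com":
        raise ValueError("not an RSA certificate: %r" % ktype)
    _nonce, off = _read_string(blob, off)
    _e, off = _read_string(blob, off)        # RSA public exponent (mpint)
    _n, off = _read_string(blob, off)        # RSA modulus (mpint)
    _serial, ctype = struct.unpack_from(">QI", blob, off)
    off += 12
    if ctype != 1:                           # 1 = user cert, 2 = host cert
        raise ValueError("not a user certificate")
    key_id, off = _read_string(blob, off)
    packed, _ = _read_string(blob, off)      # principals: packed SSH strings
    principals, p = [], 0
    while p < len(packed):
        name, p = _read_string(packed, p)
        principals.append(name.decode())
    return key_id.decode(), principals

def authorized_principal(principals, principals_file_text, login_user):
    """Mirror sshd: with an AuthorizedPrincipalsFile some certificate principal
    must be listed (last token of a line, after any key options); without the
    file, the login name itself must be one of the principals."""
    if principals_file_text is None:
        return login_user if login_user in principals else None
    allowed = {line.split()[-1] for line in principals_file_text.splitlines()
               if line.strip() and not line.lstrip().startswith("#")}
    return next((p for p in principals if p in allowed), None)

def constructed_cert(key_id, principals, serial=3):
    """Constructed, unsigned sample for exercising the parser only: dummy
    nonce and key, no validity or signature fields, so it can never verify."""
    body = (_string(b"ssh-rsa-cert-v01@openssh.com") + _string(b"\x00" * 32)
            + _string(b"\x01\x00\x01") + _string(b"\x00" * 256)
            + struct.pack(">QI", serial, 1) + _string(key_id.encode())
            + _string(b"".join(_string(p.encode()) for p in principals)))
    return "ssh-rsa-cert-v01@openssh.com " + base64.b64encode(body).decode()
```

Running `cert_principals` on a real `id_rsa-cert.pub` gives the same names `ssh-keygen -L` prints under "Principals"; if none of them appears as a line in the principals file, sshd logs exactly the message seen in the server output above.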
