Public Key Authentication

Goran Sustek gsustek at gmail.com
Wed Nov 28 04:52:19 EST 2012


Hi, this is bad because changing a password is a legitimate action like su,
and I just know this password. We audit this action. In both cases I
can't impersonate user1 knowing his old password.  And just one copy
of the authorized_keys file impersonates user1, without knowing
anything, changing anything (then copy back user1's original authorized
keys file).

I am looking for something like this.
"The documentation for OpenSSH certificates (introduced in OpenSSH 5.4) "

http://blog.habets.pp.se/2011/07/OpenSSH-certificates

ssh-keygen -s user_ca -I user_thomas -n thomas,thomas2 -V +52w /path/to/id_rsa.pub

Valid: from 2011-07-07T15:37:00 to 2012-07-05T15:38:11
        Principals:
                thomas
                thomas2
        Critical Options:
                permit-agent-forwarding
                permit-port-forwarding

Now, my principals (or CN, or some other certificate attribute) in my
certificate must correspond to my userid on the OS... Just I have my
certificate, my public keys, and just I know my PIN for my PKCS11 storage
card.

Regards,
Goran.


On Tue, Nov 27, 2012 at 6:35 PM, Mauricio Tavares <raubvogel at gmail.com> wrote:
> On Tue, Nov 27, 2012 at 12:04 PM, Goran Sustek <gsustek at gmail.com> wrote:
>> Hi, I set up the X509 certificate patch with OpenSSH 6.1p1.
>>
>> ssh user1@HOST -i user2.pem
>>
>> So, both users are root, admins of this OS.
>>
>> If I do not know user1's password I cannot log in with ssh to the server. I
>> can su to the server but this will be in the logs.
>>
>> Public key authentication like this below has some identification
>> issue.  If I copy my authorized key (user2) to user1's authorized keys and
>> try to log in with ssh like this, ssh user1@HOST -i user2.pem, I will log in
>> as him... and this is BAD.
>>
>       How is that bad? What you did was set the same authentication
> for both accounts, hence the file is called "authorized_keys". The
> same outcome would happen if you set both accounts with the same
> password and authenticate using it.
>
>> I want to configure my ssh server just for certificate
>> authentication, and in such a way that I can't impersonate some other
>> user.
>>
>       How about if you had different public/private key pairs for the
> different accounts?
>
>> Here is the log.
>>
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[10289316]: debug1:
>> fd 4 clearing O_NONBLOCK
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug1:
>> rexec start in 4 out 4 newsock 4 pipe 6 sock 7
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[10289316]: debug1:
>> Forked child 11534544.
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[10289316]: debug3:
>> send_rexec_state: entering fd = 7 config len 387
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[10289316]: debug3:
>> ssh_msg_send: type 0
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[10289316]: debug3:
>> send_rexec_state: done
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug1:
>> inetd sockets after dupping: 5, 5
>> Nov 27 17:46:45 intrat10 auth|security:info sshd[11534544]: Connection
>> from XX.XX.XX.XX port 58271
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug1:
>> Client protocol version 2.0; client software version OpenSSH_6.1 PKIX
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug1:
>> match: OpenSSH_6.1 PKIX pat OpenSSH*
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug1:
>> Enabling compatibility mode for protocol 2.0
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug1:
>> Local version string SSH-2.0-OpenSSH_6.1 PKIX
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug2:
>> fd 5 setting O_NONBLOCK
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug3:
>> ssh_sandbox_init: preparing rlimit sandbox
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug2:
>> Network child is on pid 13041860
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug3:
>> preauth child monitor started
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug3:
>> privsep user:group 202:201 [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug1:
>> permanently_set_uid: 202/201 [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug1:
>> list_hostkey_types: ssh-rsa,ssh-dss [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug1:
>> SSH2_MSG_KEXINIT sent [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug1:
>> SSH2_MSG_KEXINIT received [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug2:
>> kex_parse_kexinit:
>> diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>> [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug2:
>> kex_parse_kexinit: ssh-rsa,ssh-dss [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug2:
>> kex_parse_kexinit:
>> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
>> [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug2:
>> kex_parse_kexinit:
>> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
>> [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug2:
>> kex_parse_kexinit:
>> hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
>> [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug2:
>> kex_parse_kexinit:
>> hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
>> [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug2:
>> kex_parse_kexinit: none,zlib at openssh.com [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug2:
>> kex_parse_kexinit: none,zlib at openssh.com [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug2:
>> kex_parse_kexinit:  [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug2:
>> kex_parse_kexinit:  [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug2:
>> kex_parse_kexinit: first_kex_follows 0  [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug2:
>> kex_parse_kexinit: reserved 0  [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug2:
>> kex_parse_kexinit:
>> diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>> [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug2:
>> kex_parse_kexinit:
>> x509v3-sign-rsa,ssh-rsa-cert-v01 at openssh.com,ssh-rsa-cert-v00 at openssh.com,ssh-rsa,x509v3-sign-dss,ssh-dss-cert-v01 at openssh.com,ssh-dss-cert-v00 at openssh.com,ssh-dss
>> [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug2:
>> kex_parse_kexinit:
>> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
>> [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug2:
>> mac_setup: found hmac-md5 [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug1:
>> kex: server->client aes128-ctr hmac-md5 none [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug1:
>> SSH2_MSG_KEX_DH_GEX_REQUEST received [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_request_send entering: type 0 [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_choose_dh: waiting for MONITOR_ANS_MODULI [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_request_receive_expect entering: type 1 [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_request_receive entering [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_request_receive entering
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug3:
>> monitor_read: checking request 0
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_answer_moduli: got parameters: 1024 1024 8192
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_request_send entering: type 1
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug2:
>> monitor_read: 0 used once, disabling now
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_choose_dh: remaining 0 [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug1:
>> SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug2:
>> dh_gen_key: priv key bits set: 125/256 [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug2:
>> bits set: 511/1024 [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug1:
>> expecting SSH2_MSG_KEX_DH_GEX_INIT [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug2:
>> bits set: 498/1024 [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_key_sign entering [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_request_send entering: type 4 [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_key_sign: waiting for MONITOR_ANS_SIGN [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_request_receive_expect entering: type 5 [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_request_receive entering [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_request_receive entering
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug3:
>> monitor_read: checking request 4
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_answer_sign
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_answer_sign: signature 20045ef8(271)
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_request_send entering: type 5
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug2:
>> monitor_read: 4 used once, disabling now
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug1:
>> SSH2_MSG_KEX_DH_GEX_REPLY sent [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug2:
>> kex_derive_keys [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug2:
>> set_newkeys: mode 1 [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug1:
>> SSH2_MSG_NEWKEYS sent [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug1:
>> expecting SSH2_MSG_NEWKEYS [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug2:
>> set_newkeys: mode 0 [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug1:
>> SSH2_MSG_NEWKEYS received [preauth]
>> Nov 27 17:46:45 intrat10 auth|security:debug sshd[11534544]: debug1:
>> KEX done [preauth]
>> Nov 27 17:46:46 intrat10 auth|security:debug sshd[11534544]: debug1:
>> userauth-request for user user1 service ssh-connection method none
>> [preauth]
>> Nov 27 17:46:46 intrat10 auth|security:debug sshd[11534544]: debug1:
>> attempt 0 failures 0 [preauth]
>> Nov 27 17:46:46 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_getpwnamallow entering [preauth]
>> Nov 27 17:46:46 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_request_send entering: type 6 [preauth]
>> Nov 27 17:46:46 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
>> Nov 27 17:46:46 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_request_receive_expect entering: type 7 [preauth]
>> Nov 27 17:46:46 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_request_receive entering [preauth]
>> Nov 27 17:46:46 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_request_receive entering
>> Nov 27 17:46:46 intrat10 auth|security:debug sshd[11534544]: debug3:
>> monitor_read: checking request 6
>> Nov 27 17:46:46 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_answer_pwnamallow
>> Nov 27 17:46:46 intrat10 auth|security:debug sshd[11534544]: debug3:
>> Trying to reverse map address 10.144.33.20.
>> Nov 27 17:46:46 intrat10 auth|security:debug sshd[11534544]: debug2:
>> parse_server_config: config reprocess config len 387
>> Nov 27 17:46:46 intrat10 auth|security:debug sshd[11534544]: debug3:
>> AIX/setauthdb set registry 'LDAP'
>> Nov 27 17:46:46 intrat10 auth|security:debug sshd[11534544]: debug3:
>> aix_restoreauthdb: restoring old registry ''
>> Nov 27 17:46:46 intrat10 auth|security:debug sshd[11534544]: debug3:
>> AIX/loginrestrictions returned 0 msg (none)
>> Nov 27 17:46:46 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
>> Nov 27 17:46:46 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_request_send entering: type 7
>> Nov 27 17:46:46 intrat10 auth|security:debug sshd[11534544]: debug2:
>> monitor_read: 6 used once, disabling now
>> Nov 27 17:46:46 intrat10 auth|security:debug sshd[11534544]: debug2:
>> input_userauth_request: setting up authctxt for user1 [preauth]
>> Nov 27 17:46:46 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_inform_authserv entering [preauth]
>> Nov 27 17:46:46 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_request_send entering: type 3 [preauth]
>> Nov 27 17:46:46 intrat10 auth|security:debug sshd[11534544]: debug2:
>> input_userauth_request: try method none [preauth]
>> Nov 27 17:46:46 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_request_receive entering
>> Nov 27 17:46:46 intrat10 auth|security:debug sshd[11534544]: debug3:
>> monitor_read: checking request 3
>> Nov 27 17:46:46 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_answer_authserv: service=ssh-connection, style=
>> Nov 27 17:46:46 intrat10 auth|security:debug sshd[11534544]: debug2:
>> monitor_read: 3 used once, disabling now
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug1:
>> userauth-request for user user1 service ssh-connection method
>> publickey [preauth]
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug1:
>> attempt 1 failures 0 [preauth]
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug2:
>> input_userauth_request: try method publickey [preauth]
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> key_from_blob(..., 1268) [preauth]
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> x509key_from_blob: We have 1268 bytes available in BIO [preauth]
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> x509_to_key: X509_get_pubkey done! [preauth]
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_key_allowed entering [preauth]
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_request_send entering: type 20 [preauth]
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_request_receive_expect entering: type 21 [preauth]
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_request_receive entering [preauth]
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_request_receive entering
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> monitor_read: checking request 20
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_answer_keyallowed entering
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> key_from_blob(..., 1268)
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> x509key_from_blob: We have 1268 bytes available in BIO
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> x509_to_key: X509_get_pubkey done!
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_answer_keyallowed: key_from_blob: 2008b2d8
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug1:
>> temporarily_use_uid: 417/230 (e=0/0)
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug1:
>> trying public key file /home/user1/.ssh/authorized_keys
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug1:
>> fd 4 clearing O_NONBLOCK
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> x509key_from_subject(9, [subject= C = XX, O = XX, OU = XX, CN =
>> user2\n]) called
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> x509key_from_subject: subject=[C = XX, O = XX, OU = XX, CN = user2\n]
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> ssh_X509_NAME_add_entry_by_NID: type=ASCII, k=2
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> ssh_X509_NAME_add_entry_by_NID: type=ASCII, k=4
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> ssh_X509_NAME_add_entry_by_NID: type=ASCII, k=12
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> ssh_X509_NAME_add_entry_by_NID: type=ASCII, k=7
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> x509key_str2X509NAME: return 1
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> x509key_from_subject: return 2008b678
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> key_match:found matching certificate
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug1:
>> matching key found: file /home/user1/.ssh/authorized_keys, line 1
>> Nov 27 17:46:55 intrat10 auth|security:info sshd[11534544]: Found
>> matching RSA+cert key: 47:d7:9f:7c:e4:a6:df:67:be:bb:82:8f:91:99:12:f2
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> ssh_x509cert_check: for 'C=XX,O=XX,OU=XX,CN=user2'
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> ssh_x509revoked_cb: Issuer: C=XX,O=XX,OU=XX,CN=XX
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> ssh_x509revoked_cb: Subject: C=XX,O=XX,OU=XX,CN=XX
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> ssh_x509revoked_cb: Issuer: C=XX,O=XX,OU=XX,CN=XX
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> ssh_x509revoked_cb: Subject: C=XX,O=XX,OU=XX,CN=XX
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> ssh_x509revoked_cb: Issuer: C=XX,O=XX,OU=XX,CN=XX
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> ssh_x509revoked_cb: Subject: C=XX,O=XX,OU=XX,CN=user2
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> ssh_ocsp_validate: for 'C=XX,O=XX,OU=XX,CN=user2'
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> ssh_ocsp_validate: none
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_key_verify entering [preauth]
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_request_send entering: type 22 [preauth]
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_key_verify: waiting for MONITOR_ANS_KEYVERIFY [preauth]
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_request_receive_expect entering: type 23 [preauth]
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_request_receive entering [preauth]
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_request_receive entering
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> monitor_read: checking request 22
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> key_from_blob(..., 1268)
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> x509key_from_blob: We have 1268 bytes available in BIO
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> x509_to_key: X509_get_pubkey done!
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> ssh_x509_verify: signature format = x509v3-sign-rsa
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> ssh_x509_verify: md=rsa-sha1, loc=0
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> ssh_x509cert_check: for 'C=XX,O=XX,OU=XX,CN=user2'
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> ssh_x509revoked_cb: Issuer: C=XX,O=XX,OU=XX,CN=XX
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> ssh_x509revoked_cb: Subject: C=XX,O=XX,OU=XX,CN=XX
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> ssh_x509revoked_cb: Issuer: C=XX,O=XX,OU=XX,CN=XX
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> ssh_x509revoked_cb: Subject: C=XX,O=XX,OU=XX,CN=XX
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> ssh_x509revoked_cb: Issuer: C=XX,O=XX,OU=XX,CN=XX
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> ssh_x509revoked_cb: Subject: C=XX,O=XX,OU=XX,CN=user2
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> ssh_ocsp_validate: for 'C=XX,O=XX,OU=XX,CN=user2'
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> ssh_ocsp_validate: none
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> ssh_x509cert_check: return 1(trusted)
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> ssh_x509_verify: return 1
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_answer_keyverify: key 2008ca68 signature verified
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_request_send entering: type 23
>> Nov 27 17:46:55 intrat10 auth|security:info sshd[11534544]: Accepted
>> publickey for user1 from XX.XX.XX.XX. port 58271 ssh2
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> AIX/setauthdb set registry 'LDAP'
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug1:
>> AIX/loginsuccess: msg Last unsuccessful login: \310et 22 Stu 2012
>> 13:02:41 on ssh from user1.host.com\nLast login: Uto 27 Stu 2012
>> 17:29:40 on /dev/pts/5 from intrat10.zbo\n
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> aix_restoreauthdb: restoring old registry ''
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug2:
>> userauth_pubkey: authenticated 1 pkalg x509v3-sign-rsa [preauth]
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_send_keystate: Sending new keys: 20046118 20045e78 [preauth]
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_newkeys_to_blob: converting 20046118 [preauth]
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_newkeys_to_blob: converting 20045e78 [preauth]
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_send_keystate: New keys have been sent [preauth]
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_send_keystate: Sending compression state [preauth]
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_request_send entering: type 24 [preauth]
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_send_keystate: Finished sending state [preauth]
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug1:
>> monitor_read_log: child log fd closed
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug1:
>> monitor_child_preauth: user1 has been authenticated by privileged
>> process
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_get_keystate: Waiting for new keys
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_request_receive_expect entering: type 24
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_request_receive entering
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_newkeys_from_blob: 2006cfa8(118)
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug2:
>> mac_setup: found hmac-md5
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_get_keystate: Waiting for second key
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_newkeys_from_blob: 2006cfa8(118)
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug2:
>> mac_setup: found hmac-md5
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_get_keystate: Getting compression state
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_get_keystate: Getting Network I/O buffers
>> Nov 27 17:46:55 intrat10 auth|security:info sshd[11534544]: User child
>> is on pid 13041862
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[13041862]: debug3:
>> AIX/UsrInfo: set len 29
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[13041862]: debug1:
>> permanently_set_uid: 417/230
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[13041862]: debug2:
>> set_newkeys: mode 0
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[13041862]: debug2:
>> set_newkeys: mode 1
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[13041862]: debug1:
>> Entering interactive session for SSH2.
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[13041862]: debug2:
>> fd 8 setting O_NONBLOCK
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[13041862]: debug2:
>> fd 9 setting O_NONBLOCK
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[13041862]: debug1:
>> server_init_dispatch_20
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[13041862]: debug1:
>> server_input_channel_open: ctype session rchan 0 win 1048576 max 16384
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[13041862]: debug1:
>> input_session_request
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[13041862]: debug1:
>> channel 0: new [server-session]
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[13041862]: debug2:
>> session_new: allocate (allocated 0 max 10)
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[13041862]: debug3:
>> session_unused: session id 0 unused
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[13041862]: debug1:
>> session_new: session 0
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[13041862]: debug1:
>> session_open: channel 0
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[13041862]: debug1:
>> session_open: session 0: link with channel 0
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[13041862]: debug1:
>> server_input_channel_open: confirm session
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[13041862]: debug1:
>> server_input_global_request: rtype no-more-sessions at openssh.com
>> want_reply 0
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[13041862]: debug1:
>> server_input_channel_req: channel 0 request pty-req reply 1
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[13041862]: debug1:
>> session_by_channel: session 0 channel 0
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[13041862]: debug1:
>> session_input_channel_req: session 0 req pty-req
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[13041862]: debug1:
>> Allocating pty.
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[13041862]: debug3:
>> mm_request_send entering: type 25
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[13041862]: debug3:
>> mm_pty_allocate: waiting for MONITOR_ANS_PTY
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[13041862]: debug3:
>> mm_request_receive_expect entering: type 26
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[13041862]: debug3:
>> mm_request_receive entering
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_request_receive entering
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> monitor_read: checking request 25
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_answer_pty entering
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug2:
>> session_new: allocate (allocated 0 max 10)
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> session_unused: session id 0 unused
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug1:
>> session_new: session 0
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> AIX/setauthdb set registry 'LDAP'
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug1:
>> AIX/loginsuccess: msg Last unsuccessful login: \310et 22 Stu 2012
>> 13:02:41 on ssh from user1.host.com\nLast login: Uto 27 Stu 2012
>> 17:46:55 on ssh from intrat10.zbo\n
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> aix_restoreauthdb: restoring old registry ''
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_request_send entering: type 26
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> mm_answer_pty: tty /dev/pts/5 ptyfd 6
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[13041862]: debug1:
>> session_pty_req: session 0 alloc /dev/pts/5
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[13041862]: debug1:
>> server_input_channel_req: channel 0 request shell reply 1
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[13041862]: debug1:
>> session_by_channel: session 0 channel 0
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[13041862]: debug1:
>> session_input_channel_req: session 0 req shell
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[13041862]: debug2:
>> fd 5 setting TCP_NODELAY
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[13041862]: debug3:
>> packet_set_tos: set IP_TOS 0x10
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[13041862]: debug2:
>> channel 0: rfd 12 isatty
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[13041862]: debug2:
>> fd 12 setting O_NONBLOCK
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[13041862]: debug3:
>> fd 10 is O_NONBLOCK
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
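
The mapping asked for in this thread (the certificate identity must correspond to the OS userid) can at least be audited after the fact from the server log. The following is an added example, not part of the original thread and not code from OpenSSH or the X.509 patch: it pairs the ssh_x509cert_check subject with the "Accepted publickey" line of the same sshd pid and flags logins where the certificate CN differs from the account. The sample log is constructed, the function names are hypothetical, and it assumes the debug3 message formats visible in the quoted log and DNs without escaped commas.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the debug3 lines of the X.509-patched sshd
# quoted in this thread (mail quote prefix and line wrapping kept on purpose).
SAMPLE_LOG = """\
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug1:
>> matching key found: file /home/user1/.ssh/authorized_keys, line 1
>> Nov 27 17:46:55 intrat10 auth|security:debug sshd[11534544]: debug3:
>> ssh_x509cert_check: for 'C=XX,O=XX,OU=XX,CN=user2'
>> Nov 27 17:46:55 intrat10 auth|security:info sshd[11534544]: Accepted
>> publickey for user1 from XX.XX.XX.XX. port 58271 ssh2
>> Nov 27 18:02:10 intrat10 auth|security:debug sshd[222]: debug3:
>> ssh_x509cert_check: for 'C=XX,O=XX,OU=XX,CN=user2'
>> Nov 27 18:02:10 intrat10 auth|security:info sshd[222]: Accepted
>> publickey for user2 from XX.XX.XX.XX port 40022 ssh2
>> Nov 27 18:05:00 intrat10 auth|security:info sshd[333]: Accepted
>> publickey for user3 from XX.XX.XX.XX port 40100 ssh2
"""

RECORD_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
SSHD_PID = re.compile(r"sshd\[(\d+)\]:")
CERT_SUBJECT = re.compile(r"ssh_x509cert_check: for '([^']*)'")
KEY_FILE = re.compile(r"matching key found: file (\S+), line \d+")
ACCEPTED = re.compile(r"Accepted publickey for (\S+) from (\S+) port (\d+)")


def unwrap(text):
    """Strip mail quote prefixes and rejoin records the mailer wrapped."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)          # a new syslog record starts here
        else:
            records[-1] += " " + line     # continuation of the previous one
    return records


def common_name(dn):
    """Return the CN of a DN written as 'C=XX,O=XX,CN=name', or None."""
    cn = None
    for rdn in dn.split(","):
        key, _, value = rdn.partition("=")
        if key.strip().upper() == "CN":
            cn = value.strip()
    return cn


def audit(text):
    """Return one finding per accepted publickey login, keyed by sshd pid."""
    state = defaultdict(dict)
    findings = []
    for rec in unwrap(text):
        pid_match = SSHD_PID.search(rec)
        if not pid_match:
            continue
        pid = pid_match.group(1)
        subject = CERT_SUBJECT.search(rec)
        key_file = KEY_FILE.search(rec)
        accepted = ACCEPTED.search(rec)
        if subject:
            state[pid]["subject"] = subject.group(1)
        elif key_file:
            state[pid]["key_file"] = key_file.group(1)
        elif accepted:
            user = accepted.group(1)
            cn = common_name(state[pid].get("subject", ""))
            if cn is None:
                verdict = "NO_CERT_IDENTITY"   # no subject logged for this pid
            elif cn == user:
                verdict = "OK"
            else:
                verdict = "MISMATCH"           # cert of one user, login as another
            findings.append({
                "pid": pid,
                "login_user": user,
                "cert_cn": cn,
                "key_file": state[pid].get("key_file"),
                "source": accepted.group(2).rstrip("."),
                "verdict": verdict,
            })
            state.pop(pid, None)               # pids can be reused later
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Run against a real log, this only reports after the login has happened; it does not replace enforcing the mapping in sshd itself.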

