Signed SSH key issue with OpenSSH6.4p1
Naren K
narendra.linux9 at gmail.com
Wed Apr 11 03:35:59 AEST 2018
Hi All,
Please pardon me if it is the wrong list to ask how-to etc.
I am having an issue with the Signed SSH keys. I am being asked for the
passphrase for my signed public key, even though I don't have any.
I am running CentOS7 with OpenSSH_6.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013.
1) I have a CA server with CA user keys (ca-user-key.pub).
2) I created user SSH RSA keys (user-id-org and user-id-org.pub).
3) I signed "user-id-org.pub" with "ca-user-key.pub" and generated
"signed-user-id-org.pub".
4) I copied "ca-user-key.pub" to the destination server (dest1.domain.com)
and set "TrustedUserCAKeys /etc/ssh/ca-user-key.pub" in
/etc/ssh/sshd_config.
5) I am trying to get into "dest1.domain.com" using "user-id-org" as
well as "signed-user-id-org.pub":
[ ssh -i user-id-org -i signed-user-id-org.pub user1@dest1.domain.com ]
However, I am being asked for the passphrase for signed-user-id-org.pub,
which I don't have. Below is the output that I pasted from the terminal.
[root@lab-linux1 .ssh]# ssh -i user-id-org -i signed-user-id-org.pub user1@dest1.domain.com
Enter passphrase for key '/root/.ssh/ signed-user-id-org .pub':
Enter passphrase for key '/root/.ssh/ signed-user-id-org .pub':
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
But if I change the SSH key names to id_rsa, id_rsa.pub and
id_rsa-cert.pub, simply using either "id_rsa" or "id_rsa-cert", I
can SSH without any issues and without any prompting. I am confused
here and I don't understand why I have to use only id_rsa as opposed to
any name that I point to using the file path.
Failed scenarios:
1. I tried giving the options using -o, i.e. (ssh -o 'IdentityFile
/root/.ssh/id_rsa' -o 'CertificateFile /root/.ssh/signed-cert.pub'
root@test.domain.com).
· command-line: line 0: Bad configuration option: certificatefile
2. Tried by changing the ~/.ssh/config or /etc/ssh/ssh_config
· same problem, it says Bad configuration option: certificatefile
3. Tried renaming the files to test_id_rsa and test_id_rsa.pub and
test_id_rsa-cert.pub.
· Asking for the passphrase of the signed cert.
Successful Scenarios:
1. When I rename all the keys to the default named id_rsa, id_rsa.pub
and id_rsa-cert.pub.
· No issues, I could ssh into the servers using either private key
or signed key. [assuming the file names are being automatically taken from
a switch case in the code base.]
What Should I do?
- Can anyone suggest how to get around this issue? I want to use my
own naming convention and my own custom location for the keys.
Any help is appreciated and Thanks in advance.
NK.
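Added example (editor's code, not part of the thread and not OpenSSH code). Two facts explain the prompts above: ssh(1) treats every `-i` argument as a private key, so a `.pub` or certificate given with `-i` cannot be parsed as one and ssh falls back to asking for a passphrase; and, in the absence of a `CertificateFile` option (it first appeared in OpenSSH 7.2, hence "Bad configuration option" on 6.4p1), ssh locates the certificate for an identity file only by appending `-cert.pub` to that identity's path. The script below reproduces both checks on a constructed key set (placeholder private key, a public key and a certificate whose base64 blob carries only the leading type string, not real key material) and reports what ssh would find for the layout as posted versus the same files with the certificate renamed to `user-id-org-cert.pub`. The function names and the temporary directory layout are assumptions of this example.

```python
import base64
import os
import struct
import tempfile

# ssh(1) looks for the certificate of an identity file at "<identity>-cert.pub";
# OpenSSH 6.4p1 has no CertificateFile option to point it elsewhere.
CERT_SUFFIX = "-cert.pub"


def expected_cert_path(identity_path):
    """Path where ssh(1) will look for the certificate of this private key."""
    return identity_path + CERT_SUFFIX


def ssh_string(data):
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def classify_key_line(line):
    """Classify one line of a .pub file as 'certificate', 'public-key' or 'unknown'.

    The leading type token is cross-checked against the type string that every
    OpenSSH public key / certificate blob starts with."""
    parts = line.split()
    if len(parts) < 2:
        return "unknown"
    keytype, blob_b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except (ValueError, TypeError):
        return "unknown"
    if len(blob) < 4:
        return "unknown"
    (n,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + n or blob[4:4 + n] != keytype.encode("ascii", "replace"):
        return "unknown"
    if keytype.endswith("-cert-v01@openssh.com"):
        return "certificate"
    return "public-key"


def diagnose(identity_paths):
    """Check a list of files passed with -i the way ssh(1) will treat them."""
    report = {"not_private": [], "cert_found": [], "cert_missing": []}
    for path in identity_paths:
        with open(path) as fh:
            first = fh.readline().strip()
        if not first.startswith("-----BEGIN"):
            # Not a PEM/OpenSSH private key: ssh cannot load it as an identity,
            # which is what produced the passphrase prompt in the post.
            report["not_private"].append((os.path.basename(path), classify_key_line(first)))
            continue
        cert = expected_cert_path(path)
        if os.path.exists(cert):
            with open(cert) as fh:
                kind = classify_key_line(fh.readline())
            if kind == "certificate":
                report["cert_found"].append(os.path.basename(cert))
                continue
        report["cert_missing"].append(os.path.basename(cert))
    return report


def write_layout(directory, cert_filename):
    """Write a constructed (not cryptographically valid) key set into directory."""
    priv = os.path.join(directory, "user-id-org")
    with open(priv, "w") as fh:
        fh.write("-----BEGIN RSA PRIVATE KEY-----\nconstructed-placeholder\n"
                 "-----END RSA PRIVATE KEY-----\n")
    pub_blob = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00" + b"\x7f" * 16)
    with open(priv + ".pub", "w") as fh:
        fh.write("ssh-rsa " + base64.b64encode(pub_blob).decode() + " user@lab\n")
    cert_blob = ssh_string(b"ssh-rsa-cert-v01@openssh.com") + ssh_string(b"\x00" * 32)  # nonce only
    with open(os.path.join(directory, cert_filename), "w") as fh:
        fh.write("ssh-rsa-cert-v01@openssh.com " + base64.b64encode(cert_blob).decode() + " user@lab\n")
    return priv


def demo():
    """Return (report for the layout as posted, report after renaming the cert)."""
    with tempfile.TemporaryDirectory() as d:
        priv = write_layout(d, "signed-user-id-org.pub")
        as_posted = diagnose([priv, os.path.join(d, "signed-user-id-org.pub")])
    with tempfile.TemporaryDirectory() as d:
        priv = write_layout(d, "user-id-org-cert.pub")
        renamed = diagnose([priv])
    return as_posted, renamed


if __name__ == "__main__":
    for label, rep in zip(("as posted", "renamed"), demo()):
        print(label, rep)
```

The "as posted" report flags `signed-user-id-org.pub` as a certificate handed to `-i` and reports `user-id-org-cert.pub` as missing; after the rename only `cert_found` is populated, which is why the `id_rsa` / `id_rsa-cert.pub` pair in the successful scenario worked: the custom location is fine, but the suffix is not.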