Signed SSH key issue with OpenSSH6.4p1

Naren K narendra.linux9 at gmail.com
Wed Apr 11 04:22:25 AEST 2018


Yeah. But how does the ssh server know that it is a signed key? I understand
with regular keys. But the problem is with the signed keys.

On Tue, Apr 10, 2018 at 1:19 PM Scott Neugroschl <scott_n at xypro.com> wrote:

> You do not use the Public key file as an identity file.  Just the private
> key.  Do not use the .pub file with -i.
>
>
> -----Original Message-----
> From: openssh-unix-dev <openssh-unix-dev-bounces+scott_n=
> xypro.com at mindrot.org> On Behalf Of Naren K
> Sent: Tuesday, April 10, 2018 10:36 AM
> To: openssh-unix-dev at mindrot.org
> Subject: Signed SSH key issue with OpenSSH6.4p1
>
>  Hi All,
>
> Please pardon me if it is the wrong list to ask how-to etc.
>
> I am having an issue with the Signed SSH keys. I am being asked for the
> passphrase for my signed public key, even though I don't have any.
>
> I am running CentOS7 with OpenSSH_6.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013.
>
> 1) I have a CA server with CA user keys (ca-user-key.pub)
> 2) I created user ssh rsa keys (user-id-org and user-id-org.pub).
> 3) I signed the "user-id-org.pub" with "ca-user-key.pub" and generated
> "signed-user-id-org.pub".
> 4) I copied "ca-user-key.pub" to the destination server (dest1.domain.com)
> and changed "TrustedUserCAKeys /etc/ssh/ca-user-key.pub" in
> /etc/ssh/sshd_config.
>
> 5) I am trying to get into "dest1.domain.com" using the "user-id-org"
> as well as "signed-user-id-org.pub". [ ssh -i user-id-org -i
> signed-user-id-org.pub user1@dest1.domain.com ]
>
> However, I am being asked for the passphrase for signed-user-id-org.pub
> which I don't have. Below is the output that I pasted from the terminal.
>
> [root at lab-linux1 .ssh]# ssh -i user-id-org -i signed-user-id-org.pub user1@dest1.domain.com
> Enter passphrase for key '/root/.ssh/signed-user-id-org.pub':
> Enter passphrase for key '/root/.ssh/signed-user-id-org.pub':
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
>
> But, if I change the ssh key names to id_rsa, id_rsa.pub and
> id_rsa-cert.pub, simply using either "id_rsa" or "id_rsa-cert", I
> can SSH without any issues and without any prompting. I am confused
> here and I don't understand why I have to use only the id_rsa as opposed to
> any name that I am pointing to using the file path.
>
> Failed scenarios:
>
> 1. I tried giving the options using -o, i.e. (ssh -o 'IdentityFile
>    /root/.ssh/id_rsa' -o 'CertificateFile /root/.ssh/signed-cert.pub'
>    root at test.domain.com).
>
>    - command-line: line 0: Bad configuration option: certificatefile
>
> 2. Tried by changing the ~/.ssh/config or /etc/ssh/ssh_config.
>
>    - Same problem, it says Bad configuration option: certificatefile
>
> 3. Tried renaming the files to test_id_rsa and test_id_rsa.pub and
>    test_id_rsa-cert.pub.
>
>    - Asking for the passphrase of the signed cert.
>
> Successful scenarios:
>
> 1. When I rename all the keys to the default names id_rsa, id_rsa.pub
>    and id_rsa-cert.pub.
>
>    - No issues, I could ssh into the servers using either the private key
>      or the signed key. [assuming the file names are being automatically taken
>      from a switch case in the code base.]
>
> What should I do?
>
>    - Can anyone suggest how to get around this issue? I want to use my
>      own naming convention and my custom location for the keys.
>
>
> Any help is appreciated, and thanks in advance.
>
> NK.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
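An added example, not from the thread or from OpenSSH: a small POSIX shell script that mirrors the lookup rule ssh_config(5) documents for IdentityFile (for each identity file, ssh also tries "<identity>-cert.pub" next to it) and flags the mistake visible in the transcript, a .pub file passed to -i. The CertificateFile option was only added in OpenSSH 7.2, so on 6.4 the -cert.pub naming convention is the only way to attach a certificate; all file names and key material below are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Mirrors the rule ssh_config(5) documents for
# IdentityFile: for every identity file, ssh also tries "<identity>-cert.pub".
# Pure shell, no ssh binaries needed; all file names and key material are placeholders.

# Path of the certificate ssh would look for next to a given identity file.
cert_path_for() {
    printf '%s-cert.pub\n' "$1"
}

# True if the file's first field is an OpenSSH certificate type
# (e.g. ssh-rsa-cert-v01@openssh.com) rather than a plain public or private key.
is_openssh_cert() {
    keytype=
    [ -r "$1" ] || return 1
    read -r keytype rest < "$1" || :
    case "$keytype" in
        *-cert-v01@openssh.com) return 0 ;;
        *)                      return 1 ;;
    esac
}

# Diagnose one "-i" argument. A .pub file given to -i is parsed as a private key,
# which is what produces the "Enter passphrase" prompt seen in the transcript.
check_identity_arg() {
    case "$1" in
        *.pub) echo "ERROR: '$1' is a public key or certificate; -i takes the private key"
               return 1 ;;
    esac
    cert=$(cert_path_for "$1")
    if [ -f "$cert" ] && is_openssh_cert "$cert"; then
        echo "OK: 'ssh -i $1' will also offer the certificate $cert"
        return 0
    fi
    echo "WARN: no certificate at $cert; only the plain key would be offered"
    return 2
}

# Demo with constructed files: the thread's names, laid out the way ssh expects.
demo() {
    d=$(mktemp -d)
    : > "$d/user-id-org"                                          # stands in for the private key
    printf 'ssh-rsa AAAA_PLACEHOLDER user@host\n' > "$d/user-id-org.pub"
    printf 'ssh-rsa-cert-v01@openssh.com AAAA_PLACEHOLDER user@host\n' > "$d/user-id-org-cert.pub"
    check_identity_arg "$d/user-id-org" || :      # OK: cert found via the naming convention
    check_identity_arg "$d/user-id-org.pub" || :  # ERROR: the mistake from the transcript
    rm -rf "$d"
}
demo
```

With the certificate renamed to user-id-org-cert.pub, the thread's command reduces to `ssh -i user-id-org user1@dest1.domain.com`; the custom name and location are kept, only the -cert.pub suffix is fixed.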

