Openssh + x509 patch problem

Roumen Petrov openssh at roumenpetrov.info
Thu Feb 14 07:01:11 EST 2008


Jorge Abrines wrote:
> Hi all,
>
> I'm trying to install ssh server based on x509 certificates with no 
> result. What I've done is the following:
> - Build openssh4.7p1 after patching with openssh-4.7p1+x509-6.1.diff.gz 
> without error using ./configure --prefix=/opt/ssh && make && make 
> install in both server and client machines
>
> -  Create minimal openssl ca structure under /opt/ssh/etc/ca
>     ( self signed CA certificate, server certificate signed by CA, 
> client certificate signed by CA ).
>     I now have certificates cacert.pem, server.pem and client.pem and 
> keys for all three
>
> - Build server host id using (under /opt/ssh/etc):
>     cat server-key.pem > ssh_host_key_cert
>     cat server.pem >> ssh_host_key_cert
>     chmod 0600 ssh_host_key_cert
>     ../bin/ssh-keygen -y > ssh_host_key_cert.pub
>     // entering ssh_host_key_cert as key
>   
I.e. HostKey /opt/ssh/etc/ssh_host_key_cert is in sshd_config?

> - Changing /opt/ssh/etc/sshd_config:
>     CACertificateFile /opt/ssh/etc/ca/crt/cacert.pem
>     Port 4422
>     X509KeyAlgorithm x509v3-sign-rsa,rsa-md5
>     X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1
>     AllowedCertPurpose sslclient
>     PasswordAuthentication no
>   
Fine, but I assume that the rest is left at the defaults.

> - Customizing server user configuration
>
>       cat /opt/ssh/etc/ssh_host_key_cert.pub > .ssh/authorized_keys
>   
Why?
Append the client's public part to authorized_keys.
> - Now __On client machine__ (after copying, client.pem, client-key.pem 
> and cacert.pem)
>
>     - Build identity
>         -  cat ~/.ssh/client-key.pem > /.ssh/id_rsa
>         -  cat ~/.ssh/client.pem >> ~/.ssh/id_rsa
>         - chmod 0600 ~/.ssh/id_rsa
>         - /opt/ssh/bin/ssh-keygen -y > ~/.ssh/id_rsa.pub
>         // entering ~/.ssh/id_rsa as key
>   

Copy id_rsa.pub to the server and append it to the authorized_keys file.

>     - Introducing following changes into /opt/ssh/etc/ssh_config
>         Port 4422
>         IdentityFile ~/.ssh/id_rsa
>         UserCACertificateFile ~/.ssh/cacert.pem
>         UserCACertificatePath ~/.ssh/crt
>         UserCARevocationFile ~/.ssh/ca-bundle.crl
>         UserCARevocationPath ~/.ssh/crl
>
>
> Finally, launching sshd on the server with the command:
>
>     /opt/ssh/sbin/sshd -f /opt/ssh/etc/sshd_config -d -d -d
>
> And client with:
>     /opt/ssh/bin/ssh-agent
>     /opt/ssh/bin/ssh-add
>     /opt/ssh/bin/ssh -vvv -f /opt/ssh/etc/ssh_config -d -d -d \ 
> myuser at myserver
>
> The output of which is:
>
> The authenticity of host '[myserver]:4422 ([192.168.0.201]:4422)' can't 
> be established.
> RSA+cert key fingerprint is 
> 4c:3a:1b:2d:40:23:1d:99:aa:d2:eb:b3:28:8c:d2:d4.
> Distinguished name is 'C=ES,ST=Madrid,O=blub,CN=Server'.
> Are you sure you want to continue connecting (yes/no)? yes
>
> But I get a 'Permission denied (publickey,keyboard-interactive)' error.
> I have the sshd and ssh outputs, but they are quite long; I'll append them if
> the above configuration seems ok.
>
> Many thanks in advance.
>
> Best regards,
>
> Jorge
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
>   


Roumen

-- 
Get X.509 certificates support in OpenSSH:
http://roumenpetrov.info/openssh/
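The mix-up in the thread is that the server's own public part was written to
authorized_keys, while sshd needs the client's public part there. The script
below is an added example for this page, not code from the thread or from the
X.509 patch: it builds a throwaway CA, a server certificate and a client
certificate, assembles the combined key+certificate files the patch reads as
HostKey and IdentityFile, and runs the two checks a practitioner would want
before editing sshd_config: that the client certificate chains to the CA given
in CACertificateFile, and that it carries the "SSL client" purpose, which is the
OpenSSL purpose the patch's AllowedCertPurpose sslclient setting corresponds to.
Subject names, the /opt/ssh/bin/ssh-keygen path and the file names are
assumptions; the CA key is left unencrypted only because this is a demo. One
caveat on the quoted sshd_config: the rsa-md5 X509KeyAlgorithm entry enables a
signature algorithm over MD5, which is broken; keep only the SHA-based entries.

```shell
#!/bin/sh
# Added example (not from the thread, not part of the X.509 patch): build a
# throwaway CA plus a server and a client certificate, assemble the combined
# key+certificate files the patch expects, and run the checks that matter
# before touching sshd_config. Subject names, paths and the ssh-keygen location
# are assumptions for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SSH_KEYGEN="${SSH_KEYGEN:-/opt/ssh/bin/ssh-keygen}"   # assumed: the patched binary

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
write_req_config() {
  cat > "$1/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# Self-signed CA (-nodes: unencrypted CA key, acceptable only for a throwaway demo).
gen_ca() {
  openssl req -x509 -new -config "$1/req.cnf" -newkey rsa:2048 -nodes -days 365 \
    -subj "/C=ES/ST=Madrid/O=blub/CN=Demo CA" \
    -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

# gen_cert DIR NAME EKU SUBJECT: key + CSR, then sign with the CA, adding the
# extendedKeyUsage that the purpose check (AllowedCertPurpose) looks at.
gen_cert() {
  dir=$1; name=$2; eku=$3; subj=$4
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
    -subj "$subj" -keyout "$dir/$name-key.pem" -out "$dir/$name.csr" 2>/dev/null
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature,keyEncipherment\nextendedKeyUsage = %s\n' \
    "$eku" > "$dir/$name.ext"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" \
    -CAcreateserial -days 365 -extfile "$dir/$name.ext" -out "$dir/$name.pem" 2>/dev/null
}

# Combined file the patch reads as HostKey / IdentityFile: private key first, then the cert.
bundle_identity() {
  cat "$1/$2-key.pem" "$1/$2.pem" > "$3"
  chmod 0600 "$3"
}

# Does the certificate chain to the CA that sshd gets in CACertificateFile?
chain_ok() { openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1; }

# has_purpose CERT "SSL client": the OpenSSL purpose behind AllowedCertPurpose sslclient.
has_purpose() { openssl x509 -in "$1" -noout -purpose | grep -qx "$2 : Yes"; }

# The authorized_keys line is derived from the *client* identity, not the host key.
# The patched ssh-keygen prints an x509v3-sign-rsa line; stock ssh-keygen prints ssh-rsa.
authorized_keys_line() { "$SSH_KEYGEN" -y -f "$1"; }

build_all() {
  write_req_config "$1"
  gen_ca "$1"
  gen_cert "$1" server serverAuth "/C=ES/ST=Madrid/O=blub/CN=Server"
  gen_cert "$1" client clientAuth "/C=ES/ST=Madrid/O=blub/CN=myuser"
  bundle_identity "$1" server "$1/ssh_host_key_cert"   # -> HostKey on the server
  bundle_identity "$1" client "$1/id_rsa"              # -> IdentityFile on the client
}

if command -v openssl >/dev/null 2>&1; then
  build_all "$WORK"
  chain_ok "$WORK" "$WORK/client.pem" && echo "client cert chains to the CA"
  has_purpose "$WORK/client.pem" "SSL client" && echo "client cert passes the sslclient purpose"
  has_purpose "$WORK/server.pem" "SSL client" || echo "server cert would be rejected as a client cert"
  if [ -x "$SSH_KEYGEN" ]; then
    echo "append this to ~myuser/.ssh/authorized_keys on the server:"
    authorized_keys_line "$WORK/id_rsa"
  fi
else
  echo "openssl not found; nothing built" >&2
fi
```

The server certificate deliberately fails the "SSL client" purpose: with
AllowedCertPurpose sslclient, sshd would reject it even though it chains to the
same CA, which is another reason the host's public part has no business in
authorized_keys. Run the script with the patched binary, then copy the printed
line into the user's authorized_keys on the server and keep the sshd -d output
for the next round of debugging.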
