RE: Does OpenSSH support X.509 Certificate format?

From: STEWARD, Curtis (Jamestown) (Curtis.Steward@goodrich.com)
Date: 01/27/03

    From: "STEWARD, Curtis (Jamestown)" <Curtis.Steward@goodrich.com>
    To: "'Roumen.Petrov@skalasoft.com'" <Roumen.Petrov@skalasoft.com>
    Date: Mon, 27 Jan 2003 17:25:44 -0500
    
    

    Roumen,

    FYI, no luck yet on the current patch (e), can't get around
    "Permission denied" in the make check, perhaps cert mapping?

    Tests begin.
    =======================================================================
    * against CACertificateFile and autorization by x509 blob:
      using identity file testid_rsa-rsa_md5
      creating AuthorizedKeysFile
      * rsa_md5 valid blob done
      * rsa_md5 invalid blob done
    Permission denied (publickey).
      using identity file testid_rsa-dsa
      creating AuthorizedKeysFile
      * dsa valid blob done
      * dsa invalid blob done
    Permission denied (publickey).
    ...

    Since I couldn't get this to work I thought I'd skip
    the test and try my own certs, this is what I got
    with sshd debug:

    ...
    debug3: sshd_x509store_init() begin
    debug2: directory /usr/local/ca/newcerts added to x509 store
    debug2: file /usr/local/ca/newcerts/all.pem added to x509 store
    debug3: sshd_x509store_init() end
    debug1: sshd version OpenSSH_3.5p1
    debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
    debug1: read PEM private key begin
    debug3: x509key_load_cert: PEM_read_X509 fail
    error:0906D06C:lib(9):func(109):reason(108)
    debug1: read PEM private key done: type RSA
    debug1: private host key: #0 type 1 RSA
    Disabling protocol version 1. Could not load host key
    socket: Address family not supported by protocol
    debug1: Bind to port 22 on 0.0.0.0.
    Server listening on 0.0.0.0 port 22.
    ...

    Is the host key still RSA1? Neither RSA1, PEM, nor certificate
    would load. I used "ssh-keygen -b 2048 -t rsa -f ssh_host_rsa_key -N """
    to create the hostkey, maybe I'll wait for version f and try a host cert...

    TIA,

    cs

    -----Original Message-----
    From: Roumen.Petrov@skalasoft.com [mailto:Roumen.Petrov@skalasoft.com]
    Sent: Sunday, January 26, 2003 10:54 AM
    To: STEWARD, Curtis (Jamestown)
    Cc: 'An Lam'; 'secureshell@securityfocus.com'
    Subject: Re: Does OpenSSH support X.509 Certificate format?

      Hi Steward,

    Current version is "e". This version does not support CRLs.
    In version "e" we can use a certificate as client and host key. We can
    add a certificate to the agent too.
    Next week I will announce the next version (f) with support for CRLs and some
    minor bugfixes and improvements.

    STEWARD, Curtis (Jamestown) wrote:

    >An,
    >
    >I stand corrected, I just found this link from the development
    >link:
    >
    >http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=103790000604836&w=2
    >
    >I haven't tried it out yet, but it looks promising. Roumen can
    >we get an update on the patch, stability, when it'll be rolled
    >into the next release, etc.? I could really use this, it should
    >be escalated in priority for anyone involved with PKI, etc. I did
    >hear from the Globus folks, looks like GSI-Openssh will continue
    >to be maintained by NCSA, however list activity looks low...
    >
    >cs
    >
    >-----Original Message-----
    >From: STEWARD, Curtis (Jamestown)
    >Sent: Thursday, January 23, 2003 12:31 PM
    >To: 'An Lam'
    >Cc: 'secureshell@securityfocus.com'
    >Subject: RE: Does OpenSSH support X.509 Certificate format?
    >
    >
    >No, not to my understanding, the only Open
    >Source SSH flavour that I know of that does is
    >from Globus Toolkit 2 (standalone), the verdict
    >on GT3 (SOAP) is still out.
    >
    >http://www.ncsa.uiuc.edu/Divisions/ACES/GSI/openssh/
    >
    >cs
    >
    >-----Original Message-----
    >From: An Lam [mailto:An.Lam@3pardata.com]
    >Sent: Wednesday, January 22, 2003 1:29 PM
    >To: 'secureshell@securityfocus.com'
    >Subject: Does OpenSSH support X.509 Certificate format?
    >
    >
    >Does anybody know if OpenSSH 3.4p1 supports X.509 public key certificate
    >format?
    >
    >Thanks in advance!
    >An
    >
    >
    >


