RE: Does OpenSSH support X.509 Certificate format?

From: STEWARD, Curtis (Jamestown) (Curtis.Steward@goodrich.com)
Date: 04/11/03

  • Next message: Ben Lindstrom: "RE: allow only sftp?"
    From: "STEWARD, Curtis (Jamestown)" <Curtis.Steward@goodrich.com>
    To: "'kumar'" <kumareshind@gmx.net>, "STEWARD, Curtis (Jamestown)" <Curtis.Steward@goodrich.com>, Roumen.Petrov@skalasoft.com
    Date: Fri, 11 Apr 2003 08:37:36 -0400
    Haven't had a chance to play with the patch for quite a while (other
    unrelated 9.7 issues). I'd appreciate some help or clarification for x509
    as well. Over the next week maybe I can give it a shot with the current
    doc. Has anyone given 9.7 (SSL) a try with the latest patch?

    cs

    -----Original Message-----
    From: kumar [mailto:kumareshind@gmx.net]
    Sent: Friday, April 11, 2003 12:23 AM
    To: STEWARD, Curtis (Jamestown); Roumen.Petrov@skalasoft.com
    Cc: secureshell@securityfocus.com
    Subject: Re: Does OpenSSH support X.509 Certificate format?

    Hi All,

    Could anyone shed some light on why this "Permission denied" problem
    occurs when "make check" is run? Actually I am trying certificate
    authentication for OpenSSH-3.6.1p1 with Roumen's patch (version g) for X509.
    I am getting the same problem as reported here. The certificates are
    properly created, but the authentication fails. Am I missing any
    configuration issues?

    If somebody could help me with exactly how I can configure OpenSSH for
    certificate authentication, that would be great.

    Thanks
    Kumaresh.

    > Roumen,
    >
    > FYI, no luck yet on the current patch (e), can't get around
    > "Permission denied" in the make check, perhaps cert mapping?
    >
    > Tests begin.
    > =======================================================================
    > * against CACertificateFile and autorization by x509 blob:
    > using identity file testid_rsa-rsa_md5
    > creating AuthorizedKeysFile
    > * rsa_md5 valid blob done
    > * rsa_md5 invalid blob done
    > Permission denied (publickey).
    > using identity file testid_rsa-dsa
    > creating AuthorizedKeysFile
    > * dsa valid blob done
    > * dsa invalid blob done
    > Permission denied (publickey).
    > ...
    >
    > Since I couldn't get this to work I thought I'd skip
    > the test and try my own certs, this is what I got
    > with sshd debug:
    >
    > ...
    > debug3: sshd_x509store_init() begin
    > debug2: directory /usr/local/ca/newcerts added to x509 store
    > debug2: file /usr/local/ca/newcerts/all.pem added to x509 store
    > debug3: sshd_x509store_init() end
    > debug1: sshd version OpenSSH_3.5p1

    > debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
    > debug1: read PEM private key begin
    > debug3: x509key_load_cert: PEM_read_X509 fail
    > error:0906D06C:lib(9):func(109):reason(108)
    > debug1: read PEM private key done: type RSA
    > debug1: private host key: #0 type 1 RSA
    > Disabling protocol version 1. Could not load host key
    > socket: Address family not supported by protocol
    > debug1: Bind to port 22 on 0.0.0.0.
    > Server listening on 0.0.0.0 port 22.
    > ...
    >
    > Is the host key still RSA1? Neither RSA1, PEM, nor certificate
    > would load. I used "ssh-keygen -b 2048 -t rsa -f ssh_host_rsa_key
    > -N ''" to create the host key; maybe I'll wait for version f and try a host
    > cert...
    >
    > TIA,
    >
    > cs
    >
    > -----Original Message-----
    > From: Roumen.Petrov@skalasoft.com [mailto:Roumen.Petrov@skalasoft.com]
    > Sent: Sunday, January 26, 2003 10:54 AM
    > To: STEWARD, Curtis (Jamestown)
    > Cc: 'An Lam'; 'secureshell@securityfocus.com'
    > Subject: Re: Does OpenSSH support X.509 Certificate format?
    >
    >
    > Hi Steward,
    >
    > Current version is "e". This version does not support CRLs.
    > In version "e" we can use a certificate as client and host key. We can
    > add a certificate to the agent too.
    > Next week I will announce the next version (f) with support for CRLs and some
    > minor bugfixes and improvements.
    >
    >
    > STEWARD, Curtis (Jamestown) wrote:
    >
    > >An,
    > >
    > >I stand corrected, I just found this link from the development
    > >link:
    > >
    > >http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=103790000604836&w=2
    > >
    > >I haven't tried it out yet, but it looks promising. Roumen can
    > >we get an update on the patch, stability, when it'll be rolled
    > >into the next release, etc.? I could really use this, it should
    > >be escalated in priority for anyone involved with PKI, etc. I did
    > >hear from the Globus folks, looks like GSI-Openssh will continue
    > >to be maintained by NCSA, however list activity looks low...
    > >
    > >cs
    > >
    > >-----Original Message-----
    > >From: STEWARD, Curtis (Jamestown)
    > >Sent: Thursday, January 23, 2003 12:31 PM
    > >To: 'An Lam'
    > >Cc: 'secureshell@securityfocus.com'
    > >Subject: RE: Does OpenSSH support X.509 Certificate format?
    > >
    > >
    > >No, not to my understanding, the only Open
    > >Source SSH flavour that I know of that does is
    > >from Globus Toolkit 2 (standalone), the verdict
    > >on GT3 (SOAP) is still out.
    > >
    > >http://www.ncsa.uiuc.edu/Divisions/ACES/GSI/openssh/
    > >
    > >cs
    > >
    > >-----Original Message-----
    > >From: An Lam [mailto:An.Lam@3pardata.com]
    > >Sent: Wednesday, January 22, 2003 1:29 PM
    > >To: 'secureshell@securityfocus.com'
    > >Subject: Does OpenSSH support X.509 Certificate format?
    > >
    > >
    > >Does anybody know if OpenSSH 3.4p1 support X.509 public key certificate
    > >format?
    > >
    > >Thanks in advance!
    > >An
    > >
    >

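The sshd debug output quoted above shows x509key_load_cert failing with OpenSSL error 0906D06C while reading /etc/ssh/ssh_host_rsa_key. That code is "PEM routines: PEM_read_bio: no start line": OpenSSL scanned the file for a "-----BEGIN CERTIFICATE-----" block and found none, which is exactly what a key file produced by plain "ssh-keygen -t rsa" looks like. The script below is an added example for this thread, not code from OpenSSH or from Roumen Petrov's patch. It assumes (an inference from the debug lines, not a documented fact) that the patch expects the host certificate as a second PEM block in the same file as the private key, and it reports which PEM blocks a file actually contains and whether each body decodes to a well-formed DER SEQUENCE. The sample files are constructed inline with a placeholder DER payload (SEQUENCE { INTEGER 0 }) rather than real keys.

```python
"""Classify the PEM blocks in an OpenSSH host-key file.

Added example for this thread; not code from OpenSSH or from the X.509 patch.
Assumption: the patched sshd wants a CERTIFICATE block in the same PEM file
as the host private key (inferred from x509key_load_cert reading that file).
OpenSSL error 0906D06C = PEM routines:PEM_read_bio:no start line, i.e. no
"-----BEGIN <label>-----" of the requested type exists in the file.
"""
import base64
import re

# One PEM block: label captured once, END label must match via backreference.
_PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_length_ok(der: bytes) -> bool:
    """True if der is a single DER SEQUENCE whose encoded length matches
    the bytes present (catches truncated copy/paste bodies)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long-form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header = 2 + n
        length = int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def pem_blocks(text: str):
    """Return [(label, der_bytes)] for each PEM block in text.
    der_bytes is None when the body is not valid base64 or not a
    well-formed DER SEQUENCE, so callers can flag corruption."""
    blocks = []
    for label, body in _PEM_RE.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                # binascii.Error is a ValueError
            blocks.append((label, None))
            continue
        blocks.append((label, der if der_length_ok(der) else None))
    return blocks


def check_host_key_file(text: str) -> dict:
    """Summarise what an X.509-patched sshd would find in a host key file."""
    blocks = pem_blocks(text)
    good = [label for label, der in blocks if der is not None]
    return {
        "private_key": any(label.endswith("PRIVATE KEY") for label in good),
        "certificate": "CERTIFICATE" in good,
        "corrupt": [label for label, der in blocks if der is None],
    }


# Constructed placeholder payload: DER for SEQUENCE { INTEGER 0 }, not a key.
PLACEHOLDER_DER = "MAMCAQA="

# Constructed: what "ssh-keygen -t rsa" leaves behind -- a private key only.
KEY_ONLY = (
    "-----BEGIN RSA PRIVATE KEY-----\n" + PLACEHOLDER_DER + "\n"
    "-----END RSA PRIVATE KEY-----\n")

# Constructed: the same key with a certificate block appended.
KEY_AND_CERT = KEY_ONLY + (
    "-----BEGIN CERTIFICATE-----\n" + PLACEHOLDER_DER + "\n"
    "-----END CERTIFICATE-----\n")

# Constructed: a certificate body truncated while copying (30 03 02, no value).
TRUNCATED = "-----BEGIN CERTIFICATE-----\nMAMC\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for name, sample in (("key only", KEY_ONLY),
                         ("key + cert", KEY_AND_CERT),
                         ("truncated", TRUNCATED)):
        print(f"{name:10s} -> {check_host_key_file(sample)}")
```

Run it against a real host key file by reading the file into check_host_key_file; a result with private_key True and certificate False is the situation that produces the "PEM_read_X509 fail" line in the thread, and a non-empty corrupt list points at a block that was damaged in transit.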
