RE: Does OpenSSH support X.509 Certificate format?
From: STEWARD, Curtis (Jamestown) (Curtis.Steward@goodrich.com)
Date: 04/11/03
From: "STEWARD, Curtis (Jamestown)" <Curtis.Steward@goodrich.com>
To: "'kumar'" <kumareshind@gmx.net>, "STEWARD, Curtis (Jamestown)" <Curtis.Steward@goodrich.com>, Roumen.Petrov@skalasoft.com
Date: Fri, 11 Apr 2003 08:37:36 -0400
Haven't had a chance to play with the patch for quite a while (other
non-related 9.7 issues). I'd appreciate some help or clarification for x509
as well. Over the next week maybe I can give it a shot with the current
doc. Has anyone given 9.7 (SSL) a try with the latest patch?
cs
-----Original Message-----
From: kumar [mailto:kumareshind@gmx.net]
Sent: Friday, April 11, 2003 12:23 AM
To: STEWARD, Curtis (Jamestown); Roumen.Petrov@skalasoft.com
Cc: secureshell@securityfocus.com
Subject: Re: Does OpenSSH support X.509 Certificate format?
Hi All,
Could anyone shed some light on why this "Permission denied" problem
occurs when "make check" is run? Actually I am trying certificate
authentication for OpenSSH-3.6.1p1 with Roumen's patch (version g) for X509.
I am getting the same problem as reported here. The certificates are
properly created, but the authentication fails. Am I missing any
configuration issues?
If somebody could help me with exactly how I can configure OpenSSH for certificate
authentication, that would be great.
Thanks
Kumaresh.
> Roumen,
>
> FYI, no luck yet on the current patch (e), can't get around
> "Permission denied" in the make check, perhaps cert mapping?
>
> Tests begin.
> =======================================================================
> * against CACertificateFile and autorization by x509 blob:
> using identity file testid_rsa-rsa_md5
> creating AuthorizedKeysFile
> * rsa_md5 valid blob done
> * rsa_md5 invalid blob done
> Permission denied (publickey).
> using identity file testid_rsa-dsa
> creating AuthorizedKeysFile
> * dsa valid blob done
> * dsa invalid blob done
> Permission denied (publickey).
> ...
>
> Since I couldn't get this to work I thought I'd skip
> the test and try my own certs, this is what I got
> with sshd debug:
>
> ...
> debug3: sshd_x509store_init() begin
> debug2: directory /usr/local/ca/newcerts added to x509 store
> debug2: file /usr/local/ca/newcerts/all.pem added to x509 store
> debug3: sshd_x509store_init() end
> debug1: sshd version OpenSSH_3.5p1
> debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
> debug1: read PEM private key begin
> debug3: x509key_load_cert: PEM_read_X509 fail
> error:0906D06C:lib(9):func(109):reason(108)
> debug1: read PEM private key done: type RSA
> debug1: private host key: #0 type 1 RSA
> Disabling protocol version 1. Could not load host key
> socket: Address family not supported by protocol
> debug1: Bind to port 22 on 0.0.0.0.
> Server listening on 0.0.0.0 port 22.
> ...
>
> Is the host key still RSA1? RSA1, PEM, nor certificate
> wouldn't load. I used "ssh-keygen -b 2048 -t rsa -f ssh_host_rsa_key
> -N """ to create hostkey, maybe I wait for version f and try a host
> cert...
>
> TIA,
>
> cs
>
> -----Original Message-----
> From: Roumen.Petrov@skalasoft.com [mailto:Roumen.Petrov@skalasoft.com]
> Sent: Sunday, January 26, 2003 10:54 AM
> To: STEWARD, Curtis (Jamestown)
> Cc: 'An Lam'; 'secureshell@securityfocus.com'
> Subject: Re: Does OpenSSH support X.509 Certificate format?
>
>
> Hi Steward,
>
> Current version is "e". This version does not support CRLs.
> In version "e" we can use certificate as client and host key. We can
> add certificate to agent too.
> Next week I will announce the next version (f) with support for CRLs and some
> minor bugfixes and improvements.
>
>
> STEWARD, Curtis (Jamestown) wrote:
>
> >An,
> >
> >I stand corrected, I just found this link from the development
> >link:
> >
> >http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=103790000604836&w=2
> >
> >I haven't tried it out yet, but it looks promising. Roumen can
> >we get an update on the patch, stability, when it'll be rolled
> >into the next release, etc.? I could really use this, it should
> >be escalated in priority for anyone involved with PKI, etc. I did
> >hear from the Globus folks, looks like GSI-Openssh will continue
> >to be maintained by NCSA, however list activity looks low...
> >
> >cs
> >
> >-----Original Message-----
> >From: STEWARD, Curtis (Jamestown)
> >Sent: Thursday, January 23, 2003 12:31 PM
> >To: 'An Lam'
> >Cc: 'secureshell@securityfocus.com'
> >Subject: RE: Does OpenSSH support X.509 Certificate format?
> >
> >
> >No, not to my understanding, the only Open
> >Source SSH flavour that I know of that does is
> >from Globus Toolkit 2 (standalone), the verdict
> >on GT3 (SOAP) is still out.
> >
> >http://www.ncsa.uiuc.edu/Divisions/ACES/GSI/openssh/
> >
> >cs
> >
> >-----Original Message-----
> >From: An Lam [mailto:An.Lam@3pardata.com]
> >Sent: Wednesday, January 22, 2003 1:29 PM
> >To: 'secureshell@securityfocus.com'
> >Subject: Does OpenSSH support X.509 Certificate format?
> >
> >
> >Does anybody know if OpenSSH 3.4p1 supports the X.509 public key certificate
> >format?
> >
> >Thanks in advance!
> >An
> >
> >
> >
>
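The sshd debug output quoted earlier in this thread shows "x509key_load_cert: PEM_read_X509 fail" followed by the raw code "error:0906D06C:lib(9):func(109):reason(108)". The following is an added example, not code from the thread or from Roumen's patch, that does the two checks a reader would want at that point: it decodes an old-style packed OpenSSL error code into its library/function/reason fields (the split 9/109/108 printed on the page), and it inventories the PEM blocks in a host key file to tell whether a certificate block is present next to the private key at all. The file contents are constructed placeholders, and the constant values for ERR_LIB_PEM and PEM_R_NO_START_LINE are taken from the OpenSSL 0.9.x headers.

```python
"""Added example: decode a packed OpenSSL 0.9.x error code and inventory the
PEM blocks in a host key file. Sample file contents are constructed."""
import re

# Pre-3.0 OpenSSL packs an error as 8 bits of library, 12 bits of function
# and 12 bits of reason: 0xLLFFFRRR. 0x0906D06C -> lib 9, func 109, reason 108.
ERR_LIB_PEM = 9             # "PEM routines" in the 0.9.x library numbering
PEM_R_NO_START_LINE = 108   # "no start line": expected BEGIN marker not found


def decode_openssl_error(code):
    """Split a packed OpenSSL error code (int or hex string) into
    (lib, func, reason)."""
    if isinstance(code, str):
        code = int(code, 16)
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    return lib, func, reason


def explain_openssl_error(code):
    """Human-readable explanation for the one case this thread hits; other
    codes are returned as their numeric fields."""
    lib, func, reason = decode_openssl_error(code)
    if lib == ERR_LIB_PEM and reason == PEM_R_NO_START_LINE:
        return ("PEM library, no start line: the file has no BEGIN block of "
                "the requested type (e.g. no certificate in the host key file)")
    return "lib %d func %d reason %d" % (lib, func, reason)


# One PEM block: "-----BEGIN <LABEL>-----" ... "-----END <LABEL>-----".
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n.*?-----END \1-----",
                        re.S)


def pem_block_types(text):
    """Return the labels of all PEM blocks in a file's text, in file order."""
    return _PEM_BLOCK.findall(text)


def host_key_has_certificate(text):
    """True only if the file carries both a private key block and a
    certificate block; a key-only file is what makes PEM_read_X509 fail."""
    types = pem_block_types(text)
    has_key = any(t.endswith("PRIVATE KEY") for t in types)
    has_cert = any(t in ("CERTIFICATE", "X509 CERTIFICATE") for t in types)
    return has_key and has_cert


# Constructed sample files (base64 bodies are placeholders, not real keys).
KEY_ONLY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "PLACEHOLDERBASE64KEYMATERIAL\n"
    "-----END RSA PRIVATE KEY-----\n"
)
KEY_AND_CERT = KEY_ONLY + (
    "-----BEGIN CERTIFICATE-----\n"
    "PLACEHOLDERBASE64CERTIFICATE\n"
    "-----END CERTIFICATE-----\n"
)


if __name__ == "__main__":
    print(decode_openssl_error("0906D06C"))        # (9, 109, 108)
    print(explain_openssl_error("0906D06C"))
    print(pem_block_types(KEY_ONLY))               # ['RSA PRIVATE KEY']
    print(host_key_has_certificate(KEY_ONLY))      # False
    print(host_key_has_certificate(KEY_AND_CERT))  # True
```

In practice you would read the real host key file (e.g. the /etc/ssh/ssh_host_rsa_key path from the debug output) into `text` and call `host_key_has_certificate` on it; a key generated with plain ssh-keygen contains only the private key block, which is exactly the "no start line" case.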