Re: Patch for OpenSSH for Windows to allow authentication through certificates
Hi Roumen,

I fixed the certificate validation, so it returns 1 (trusted) now, but I
still can't go on. After everything seems to be OK and the certificate is
validated, the client tries to authenticate with keyboard-interactive. This
of course doesn't work and the connection is closed.

Here is output from server (started with option -d):
debug1: ssh_set_validator: ignore responder url
debug1: sshd version OpenSSH_5.1p1
debug1: read PEM private key begin
debug1: read X509 certificate done: type RSA+cert
debug1: read PEM private key done: type RSA+cert
debug1: private host key: #0 type 3 RSA+cert
debug1: rexec_argv[0]='/usr/local/openssh/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from 10.3.3.10 port 1080
debug1: Client protocol version 2.0; client software version OpenSSH_5.1
debug1: match: OpenSSH_5.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1
debug1: permanently_set_uid: 1001/1001
debug1: list_hostkey_types: x509v3-sign-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user administrator service ssh-connection
method none
debug1: attempt 0 failures 0
debug1: userauth-request for user administrator service ssh-connection
method keyboard-interactive
debug1: attempt 1 failures 0
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=administrator devs=
debug1: kbdint_alloc: devices ''
Connection closed by 10.3.3.10
debug1: do_cleanup

and output from client (started with option -v):
OpenSSH_5.1p1, OpenSSL 0.9.8j 07 Jan 2009
debug1: Reading configuration data c:\\openssh\\bin\\ssh_config
debug1: ssh_set_validator: ignore responder url
debug1: Connecting to 10.3.3.12 [10.3.3.12] port 22.
debug1: Connection established.
debug1: identity file C:/OpenSSH/Certs/id_rsa type 3
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1
debug1: match: OpenSSH_5.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '10.3.3.12' is known and matches the RSA+cert host key.
debug1: Found key in /home/Administrator.JOGE/.ssh/known_hosts:1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: keyboard-interactive
debug1: No more authentication methods to try.

What did I miss?
Thank you,
Adriana.


On Sat, Mar 7, 2009 at 22:49, Roumen Petrov <openssh@xxxxxxxxxxxxxxxxx> wrote:
Hi Adriana,
Adriana Rodean wrote:

Hi all,

We patched it on cygwin and got executables to run, but when I try to
connect to server I got the following from client:

debug3: ssh_x509cert_check: for 'c=ME,ST=ME,L=ME,O=Internet Widgits Pty Ltd'
ssh_x509store_cb: subject='c=ME,ST=ME,L=ME,O=Internet Widgits Pty Ltd', error 20 at 0 depth lookup:unable to get local issuer certificate
ssh_verify_cert: verify error, code=20, msg='unable to get local issuer certificate'

I run executable under Windows with cygwin dlls in same folder.

Thank you,
Adriana.


To verify the server certificate you need a "trust certificate chain".
See the ssh_config manual page for the "x509_store" options like CACertificateFile
and CACertificatePath and also UserCACertificateFile and
UserCACertificatePath.

You could check the openssh x509 store with the openssl command:
$ openssl --verify [-CApath directory] [-CAfile file] certificate

In your case the openssl arguments -CApath and -CAfile correspond to the openssh config
options {|User}CACertificatePath and {|User}CACertificateFile, and certificate is
your server certificate.

Roumen