getting host certificates working



Hi there

I am currently trying certificate-based authentication with ssh and was
successful with user authentication, but failed to configure host
authentication.

I have the newest and shiniest version:

kb@kb-pc:~$ ssh -v
OpenSSH_5.6p1, OpenSSL 0.9.8k 25 Mar 2009

Created a CA key:

ssh-keygen -t dsa -f ca_root

Signed the host key:

ssh-keygen -s ca_root -I kb-pc -h /usr/local/etc/ssh_host_dsa_key.pub

Added the certificate after the host key to /usr/local/etc/sshd_config:

HostKey /usr/local/etc/ssh_host_dsa_key
HostCertificate /usr/local/etc/ssh_host_dsa_key-cert.pub

Added the CA public key to ~/.ssh/known_hosts:

@cert-authority * ssh-dss AAAAB3NzaC1kc3MAA...

and tried to log in:

kb@kb-pc:~$ ssh -v root@localhost
OpenSSH_5.6p1, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /home/kb/.ssh/config
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Applying options for *
debug1: Connecting to localhost [::1] port 22.
debug1: Connection established.
debug1: identity file /home/kb/.ssh/id_rsa type -1
debug1: identity file /home/kb/.ssh/id_rsa-cert type -1
debug1: identity file /home/kb/.ssh/id_dsa type 2
debug1: ssh_dss_verify: signature correct
debug1: identity file /home/kb/.ssh/id_dsa-cert type 4
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.6
debug1: match: OpenSSH_5.6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.6
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
The authenticity of host 'localhost (::1)' can't be established.
DSA key fingerprint is 96:2e:ae:c2:4a:b8:24:0d:ee:1d:18:73:29:ad:72:e8.
Are you sure you want to continue connecting (yes/no)?

Which was not the result I expected. Am I missing something?

strace /usr/local/sbin/sshd

indicates that the certificate is read:

munmap(0xb774a000, 4096) = 0
open("/usr/local/etc/ssh_host_dsa_key-cert.pub", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=1454, ...}) = 0
read(3, "ssh-dss-cert-v01@xxxxxxxxxxx AAA"..., 1454) = 1454
close(3) = 0
open("/usr/local/etc/ssh_host_dsa_key-cert.pub", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=1454, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb774a000
read(3, "ssh-dss-cert-v01@xxxxxxxxxxx AAA"..., 4096) = 1454
read(3, "", 4096) = 0
close(3) = 0
munmap(0xb774a000, 4096) = 0
open("/usr/local/etc/ssh_host_dsa_key-cert.pub", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=1454, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb774a000
read(3, "ssh-dss-cert-v01@xxxxxxxxxxx AAA"..., 4096) = 1454
close(3) = 0


Any idea?

Thanks and regards

Konrad Bucheli

--
konrad bucheli
security engineer

open systems ag
raeffelstrasse 29
ch-8045 zurich

t: +41 44 455 74 00
f: +41 44 455 74 01
kb@xxxxxxx

http://www.open.ch
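As an added example (my code, not from Konrad's post or from OpenSSH itself): a small decoder for the ssh-dss-cert-v01@openssh.com format that the strace above shows sshd loading, together with the checks a client applies to a host certificate before it will skip the fingerprint prompt: the certificate type must be "host" (what `-h` sets), the hostname must appear in the principals if any are listed, and the validity window must cover the current time. The sample certificate is constructed inline with dummy DSA parameters and an empty signature, so signature verification is deliberately out of scope.

```python
import base64, struct, time

# Field layout follows OpenSSH's PROTOCOL.certkeys; certificate type 1 = user, 2 = host
CERT_TYPE_USER, CERT_TYPE_HOST = 1, 2
DSS_CERT = "ssh-dss-cert-v01@openssh.com"

def _s(b): return struct.pack(">I", len(b)) + b  # SSH "string": uint32 length + bytes

class _Reader:  # minimal SSH wire-format reader
    def __init__(self, buf): self.buf, self.pos = buf, 0
    def u(self, fmt): (v,) = struct.unpack_from(fmt, self.buf, self.pos); self.pos += struct.calcsize(fmt); return v
    def s(self): n = self.u(">I"); v = self.buf[self.pos:self.pos + n]; self.pos += n; return v

def build_cert(cert_type, key_id, principals, valid_after, valid_before):
    """Constructed, UNSIGNED ssh-dss certificate for demonstration: dummy DSA params, empty signature."""
    body = _s(DSS_CERT.encode()) + _s(b"nonce" * 6)                 # type name, nonce
    body += b"".join(_s(b"\x01") for _ in range(4))                 # placeholder p, q, g, y
    body += struct.pack(">QI", 0, cert_type) + _s(key_id.encode())  # serial, type, key id
    body += _s(b"".join(_s(p.encode()) for p in principals))        # valid principals (empty = any)
    body += struct.pack(">QQ", valid_after, valid_before)
    body += _s(b"") * 3                                             # critical options, extensions, reserved
    body += _s(_s(b"ssh-dss") + _s(b"\x01") * 4) + _s(b"")          # CA public key blob, (empty) signature
    return f"{DSS_CERT} {base64.b64encode(body).decode()} {key_id}"

def parse_cert(line):
    """Decode a '<type> <base64> [comment]' line, as written to *-cert.pub, into its fields."""
    kind, b64 = line.split()[:2]
    r = _Reader(base64.b64decode(b64))
    if kind != DSS_CERT or r.s().decode() != kind:
        raise ValueError("not an ssh-dss-cert-v01 certificate")
    r.s()                                                           # nonce
    for _ in range(4): r.s()                                        # DSA p, q, g, y
    serial, cert_type, key_id = r.u(">Q"), r.u(">I"), r.s().decode()
    pr, principals = _Reader(r.s()), []                             # principals: nested strings
    while pr.pos < len(pr.buf): principals.append(pr.s().decode())
    valid_after, valid_before = r.u(">Q"), r.u(">Q")
    return {"serial": serial, "type": cert_type, "key_id": key_id,
            "principals": principals, "valid_after": valid_after, "valid_before": valid_before}

def host_cert_problems(cert, hostname, now=None):
    """Reasons a client would reject this certificate for `hostname` and fall back to the fingerprint prompt."""
    now = int(time.time()) if now is None else now
    problems = []
    if cert["type"] != CERT_TYPE_HOST:
        problems.append("user certificate, not a host certificate (sign with ssh-keygen -h)")
    if cert["principals"] and hostname not in cert["principals"]:
        problems.append(f"{hostname!r} not in principals {cert['principals']}")
    if not (cert["valid_after"] <= now < cert["valid_before"]):
        problems.append("outside validity window")
    return problems
```

For the real certificate, `ssh-keygen -L -f /usr/local/etc/ssh_host_dsa_key-cert.pub` prints the same fields (Type, Key ID, Principals, Valid) without any parsing.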
