
RE: Does OpenSSH support X.509 Certificate format?

From: STEWARD, Curtis (Jamestown) <Curtis.Steward(at)goodrich.com>
Date: Mon Jan 27 2003 - 17:25:44 EST


Roumen,

FYI, no luck yet on the current patch (e), can't get around "Permission denied" in the make check, perhaps cert mapping?

Tests begin.


  • against CACertificateFile and autorization by x509 blob: using identity file testid_rsa-rsa_md5 creating AuthorizedKeysFile
    • rsa_md5 valid blob done
    • rsa_md5 invalid blob done Permission denied (publickey). using identity file testid_rsa-dsa creating AuthorizedKeysFile
    • dsa valid blob done
    • dsa invalid blob done Permission denied (publickey). ...

Since I couldn't get this to work I thought I'd skip the test and try my own certs, this is what I got with sshd debug:

...

debug3: sshd_x509store_init() begin
debug2: directory /usr/local/ca/newcerts added to x509 store
debug2: file /usr/local/ca/newcerts/all.pem added to x509 store
debug3: sshd_x509store_init() end
debug1: sshd version OpenSSH_3.5p1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key begin
debug3: x509key_load_cert: PEM_read_X509 fail
error:0906D06C:lib(9):func(109):reason(108)
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
Disabling protocol version 1. Could not load host key
socket: Address family not supported by protocol
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
...

Is the host key still RSA1? Neither RSA1, PEM, nor certificate would load. I used "ssh-keygen -b 2048 -t rsa -f ssh_host_rsa_key -N """ to create the hostkey; maybe I'll wait for version f and try a host cert...

TIA, cs
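The "x509key_load_cert: PEM_read_X509 fail" line above comes from sshd looking for a CERTIFICATE block in a host key file that ssh-keygen wrote with only an RSA PRIVATE KEY block. As an added check (editor's example, not code from this thread or from Roumen's patch), the POSIX shell functions below inventory the PEM block labels in a file and classify it; the sample file is constructed with a placeholder body, not a real key.

```shell
# Added example: inventory the "-----BEGIN ...-----" labels in a PEM file,
# then say whether a would-be host key carries a certificate at all.
# Assumes only that the file is PEM text (labels on their own lines).

# pem_block_types FILE -> one label per line, e.g. "RSA PRIVATE KEY"
pem_block_types() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# has_block FILE LABEL -> exit 0 if a block with exactly that label exists
has_block() {
    pem_block_types "$1" | grep -qx "$2"
}

# classify_host_key FILE -> key-only | cert-and-key | cert-only | none
classify_host_key() {
    key=1; cert=1
    pem_block_types "$1" | grep -q 'PRIVATE KEY$' && key=0
    has_block "$1" CERTIFICATE && cert=0
    if [ $key -eq 0 ] && [ $cert -eq 0 ]; then echo cert-and-key
    elif [ $key -eq 0 ]; then echo key-only
    elif [ $cert -eq 0 ]; then echo cert-only
    else echo none
    fi
}

# Constructed sample resembling what "ssh-keygen -t rsa" alone produces:
# a private key block and no CERTIFICATE block, so an X.509-aware sshd
# has nothing to read as a host certificate. Body is a placeholder.
sample=$(mktemp)
cat > "$sample" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
EOF
classify_host_key "$sample"   # prints key-only
```

A result of key-only matches the log above: the key itself loads, and only the certificate lookup fails.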

-----Original Message-----
From: Roumen.Petrov@skalasoft.com [mailto:Roumen.Petrov@skalasoft.com]
Sent: Sunday, January 26, 2003 10:54 AM
To: STEWARD, Curtis (Jamestown)
Cc: 'An Lam'; 'secureshell@securityfocus.com'
Subject: Re: Does OpenSSH support X.509 Certificate format?


  Hi Steward,

Current version is "e". This version does not support CRLs. In version "e" we can use certificate as client and host key. We can add certificate to agent too.
Next week I will announce the next version (f) with support for CRLs and some minor bugfixes and improvements.

STEWARD, Curtis (Jamestown) wrote:

>An,
>
>I stand corrected, I just found this link from the development
Received on Wed Jan 29 10:28:05 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:52 EDT

