Re: Does OpenSSH support X.509 Certificate format?
Hi All,
from README.x509v3:
=============================================================
[SNIP]
3.) test x509 certificates.
3.1.) In openssh build dir run "make check".
[SNIP]
Some commands in a test script must fail. Part of the "simple information"
about a command that is expected to fail is in RED(!). When the command fails, the script prints
"done" (THIS IS CORRECT - THE COMMAND MUST FAIL) and on the next lines prints the
response in GREEN(!). Usually this occurs when the server rejects the logon.
WHEN ALL TESTS SUCCEED output is:
....
Testing OpenSSH client with certificates finished.
status: done
....
Note that "done" is in GREEN(!) and exit code is ZERO(!).
[SNIP]
=============================================================
test results:
=============================================================
[SNIP]
creating AuthorizedKeysFile
* rsa_md5 valid blob done
* rsa_md5 invalid blob
done Permission denied (publickey).
[SNIP]
Begin test with CA CRL file(CARevocationFile):
* testid_rsa-rsa_md5 done
* testid_rsa-rsa_md5-revoked !
done Permission denied (publickey).
[SNIP]
=============================================================
The word "invalid" or the symbol '!' is in RED, the word at the right is "done" in GREEN, and the response is in GREEN => all is
O.K., i.e. the server must reject the logon.
If the part of README.x509v3 about the tests is not clear, please help me
to improve/clarify the text.
kumar wrote:
Hi All,
Could anyone shed some light on why this "Permission denied" problem
occurs when "make check" is run? Actually I am trying certificate
authentication for OpenSSH-3.6.1p1 with Roumen's patch (version g) for X509.
I am getting the same problem as reported here. The certificates are
properly created, but the authentication fails. Am I missing any
configuration issues?
If somebody could help me with exactly how to configure OpenSSH for certificate
authentication, that would be great.
Thanks
Kumaresh.
Roumen,
FYI, no luck yet on the current patch (e); I can't get around
"Permission denied" in the make check, perhaps cert mapping?
Tests begin.
=======================================================================
* against CACertificateFile and autorization by x509 blob:
using identity file testid_rsa-rsa_md5
creating AuthorizedKeysFile
* rsa_md5 valid blob done
* rsa_md5 invalid blob done
Permission denied (publickey).
using identity file testid_rsa-dsa
creating AuthorizedKeysFile
* dsa valid blob done
* dsa invalid blob done
Permission denied (publickey).
...
Since I couldn't get this to work I thought I'd skip
the test and try my own certs, this is what I got
with sshd debug:
...
debug3: sshd_x509store_init() begin
debug2: directory /usr/local/ca/newcerts added to x509 store
debug2: file /usr/local/ca/newcerts/all.pem added to x509 store
debug3: sshd_x509store_init() end
debug1: sshd version OpenSSH_3.5p1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key begin
debug3: x509key_load_cert: PEM_read_X509 fail
error:0906D06C:lib(9):func(109):reason(108)
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
Disabling protocol version 1. Could not load host key
socket: Address family not supported by protocol
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
...
Is the host key still RSA1? Neither RSA1, PEM, nor certificate
would load. I used "ssh-keygen -b 2048 -t rsa -f ssh_host_rsa_key
-N """ to create the hostkey; maybe I'll wait for version f and try a host
cert...
TIA,
cs
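The sshd debug output quoted above shows the host key loader trying to read an X.509 certificate from /etc/ssh/ssh_host_rsa_key and failing with OpenSSL error 0906D06C, which is the PEM library's "no start line" error: no "-----BEGIN CERTIFICATE-----" block exists in that file. A host key produced by plain ssh-keygen contains only a private-key block. The script below is an added example (not part of this thread, the patch, or its README); it classifies what a PEM file actually contains so the cause of such a failure can be confirmed before changing any sshd configuration. The sample files, their placeholder key material, and the file layout with a certificate appended to the private key are constructed for illustration; the thread does not say which layout the patch expects.

```shell
#!/bin/sh
# Added example: report which PEM blocks a file holds, so that a
# "PEM_read_X509 fail" on a host key can be traced to a file that
# carries a private key and no certificate at all.

# pem_labels FILE: print the label of every "-----BEGIN ...-----" line in FILE.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# pem_kind FILE: print one of none / private-key / certificate / both.
pem_kind() {
    _cert=0
    _key=0
    # Labels may contain spaces ("RSA PRIVATE KEY"), so read them line by line;
    # a here-document keeps the loop in the current shell so the flags survive.
    while IFS= read -r _label; do
        case "$_label" in
            CERTIFICATE)    _cert=1 ;;
            *"PRIVATE KEY") _key=1 ;;
        esac
    done <<EOF
$(pem_labels "$1")
EOF
    if [ "$_cert" = 1 ] && [ "$_key" = 1 ]; then
        echo both
    elif [ "$_cert" = 1 ]; then
        echo certificate
    elif [ "$_key" = 1 ]; then
        echo private-key
    else
        echo none
    fi
}

# Constructed sample files. The base64 bodies are placeholder text, not real
# key or certificate material; only the BEGIN/END framing matters here.
SAMPLE_DIR=$(mktemp -d)

# What plain "ssh-keygen -t rsa" writes: a private key and nothing else.
cat > "$SAMPLE_DIR/ssh_host_rsa_key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAPLACEHOLDERKEYBYTES
-----END RSA PRIVATE KEY-----
EOF

# Assumed layout for illustration: the same key with a certificate appended.
cat > "$SAMPLE_DIR/ssh_host_rsa_key_with_cert" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAPLACEHOLDERKEYBYTES
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIICPLACEHOLDERCERTBYTES
-----END CERTIFICATE-----
EOF

# A CA bundle file: certificates only.
cat > "$SAMPLE_DIR/ca.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIICPLACEHOLDERCACERTBYTES
-----END CERTIFICATE-----
EOF

for f in ssh_host_rsa_key ssh_host_rsa_key_with_cert ca.pem; do
    printf '%s: %s\n' "$f" "$(pem_kind "$SAMPLE_DIR/$f")"
done
```

Run it against the real /etc/ssh/ssh_host_rsa_key instead of the samples: a result of private-key means the file cannot satisfy a certificate read no matter how the CA store is configured, which narrows the problem to the host key file itself rather than to CACertificateFile or the authorized keys mapping.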
-----Original Message-----
From: Roumen.Petrov@skalasoft.com [mailto:Roumen.Petrov@skalasoft.com]
Sent: Sunday, January 26, 2003 10:54 AM
To: STEWARD, Curtis (Jamestown)
Cc: 'An Lam'; 'secureshell@securityfocus.com'
Subject: Re: Does OpenSSH support X.509 Certificate format?
Hi Steward,
The current version is "e". This version does not support CRLs.
In version "e" we can use a certificate as client and host key. We can
add a certificate to the agent too.
Next week I will announce the next version (f) with support for CRLs and some
minor bugfixes and improvements.
STEWARD, Curtis (Jamestown) wrote:
An,
I stand corrected, I just found this link from the development
list:
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=103790000604836&w=2
I haven't tried it out yet, but it looks promising. Roumen, can
we get an update on the patch, stability, when it'll be rolled
into the next release, etc.? I could really use this; it should
be escalated in priority for anyone involved with PKI, etc. I did
hear from the Globus folks; it looks like GSI-OpenSSH will continue
to be maintained by NCSA, however list activity looks low...
cs
-----Original Message-----
From: STEWARD, Curtis (Jamestown)
Sent: Thursday, January 23, 2003 12:31 PM
To: 'An Lam'
Cc: 'secureshell@securityfocus.com'
Subject: RE: Does OpenSSH support X.509 Certificate format?
No, not to my understanding; the only Open
Source SSH flavour that I know of that does is
from Globus Toolkit 2 (standalone), and the verdict
on GT3 (SOAP) is still out.
http://www.ncsa.uiuc.edu/Divisions/ACES/GSI/openssh/
cs
-----Original Message-----
From: An Lam [mailto:An.Lam@3pardata.com]
Sent: Wednesday, January 22, 2003 1:29 PM
To: 'secureshell@securityfocus.com'
Subject: Does OpenSSH support X.509 Certificate format?
Does anybody know if OpenSSH 3.4p1 supports the X.509 public key certificate
format?
Thanks in advance!
An
Received on Fri Apr 11 18:00:33 2003
This archive was generated by hypermail 2.1.8: Wed Aug 23 2006 - 14:02:57 EDT