Hi all,

I'm trying to install an ssh server based on x509 certificates, with no result. What I've done is the following:

- Build openssh4.7p1 after patching with openssh-4.7p1+x509-6.1.diff.gz, without error, using ./configure --prefix=/opt/ssh && make && make install on both the server and the client machine.

- Create a minimal openssl CA structure under /opt/ssh/etc/ca (self-signed CA certificate, server certificate signed by the CA, client certificate signed by the CA). I now have the certificates cacert.pem, server.pem and client.pem, and keys for all three.

- Build the server host id using (under /opt/ssh/etc):

    cat server-key.pem > ssh_host_key_cert
    cat server.pem >> ssh_host_key_cert
    chmod 0600 ssh_host_key_cert
    ../bin/ssh-keygen -y > ssh_host_key_cert.pub    // entering ssh_host_key_cert as key

- Change /opt/ssh/etc/sshd_config:

    CACertificateFile /opt/ssh/etc/ca/crt/cacert.pem
    Port 4422
    X509KeyAlgorithm x509v3-sign-rsa,rsa-md5
    X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1
    AllowedCertPurpose sslclient
    PasswordAuthentication no

- Customize the server user configuration:

    cat /opt/ssh/etc/ssh_host_key_cert.pub > .ssh/authorized_keys

- Now, __on the client machine__ (after copying client.pem, client-key.pem and cacert.pem):

- Build the identity:

    cat ~/.ssh/client-key.pem > /.ssh/id_rsa
    cat ~/.ssh/client.pem >> ~/.ssh/id_rsa
    chmod 0600 ~/.ssh/id_rsa
    /opt/ssh/bin/ssh-keygen -y > ~/.ssh/id_rsa.pub    // entering ~/.ssh/id_rsa as key

- Introduce the following changes into /opt/ssh/etc/ssh_config:

    Port 4422
    IdentityFile ~/.ssh/id_rsa
    UserCACertificateFile ~/.ssh/cacert.pem
    UserCACertificatePath ~/.ssh/crt
    UserCARevocationFile ~/.ssh/ca-bundle.crl
    UserCARevocationPath ~/.ssh/crl

Finally, launching sshd on the server with the command:

    /opt/ssh/sbin/sshd -f /opt/ssh/etc/sshd_config -d -d -d

and the client with:

    /opt/ssh/bin/ssh-agent
    /opt/ssh/bin/ssh-add
    /opt/ssh/bin/ssh -vvv -f /opt/ssh/etc/ssh_config -d -d -d \
        myuser@myserver

whose output is:

    The authenticity of host '[myserver]:4422 ([192.168.0.201]:4422)' can't be established.
    RSA+cert key fingerprint is 4c:3a:1b:2d:40:23:1d:99:aa:d2:eb:b3:28:8c:d2:d4.
    Distinguished name is 'C=ES,ST=Madrid,O=blub,CN=Server'.
    Are you sure you want to continue connecting (yes/no)? yes

But I get a 'Permission denied (publickey,keyboard-interactive)' error. I have the sshd and ssh outputs, but they are quite long; I'll append them if the above configuration seems ok.

Many thanks in advance.

Best regards,

Jorge
Jorge Abrines wrote:
> Hi all,
>
> I'm trying to install ssh server based on x509 certificates with no
> result. What I've done is the following:
> - Build openssh4.7p1 after patching with openssh-4.7p1+x509-6.1.diff.gz
>   without error using ./configure --prefix=/opt/ssh && make && make
>   install in both server and client machines
>
> - Create minimal openssl ca structure under /opt/ssh/etc/ca
>   ( self signed CA certificate, server certificate signed by CA,
>   client certificate signed by CA ).
>   I now have certificates cacert.pem, server.pem and client.pem and
>   keys for all three
>
> - Build server host id using (under /opt/ssh/etc):
>   cat server-key.pem > ssh_host_key_cert
>   cat server.pem >> ssh_host_key_cert
>   chmod 0600 ssh_host_key_cert
>   ../bin/ssh-keygen -y > ssh_host_key_cert.pub
>   // entering ssh_host_key_cert as key

i.e. HostKey /opt/ssh/etc/ssh_host_key_cert is in sshd_config?

> - Changing /opt/ssh/etc/sshd_config:
>   CACertificateFile /opt/ssh/etc/ca/crt/cacert.pem
>   Port 4422
>   X509KeyAlgorithm x509v3-sign-rsa,rsa-md5
>   X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1
>   AllowedCertPurpose sslclient
>   PasswordAuthentication no

Fine, but I assume that the rest is left at the defaults.

> - Customizing server user configuration
>
>   cat /opt/ssh/etc/ssh_host_key_cert.pub > .ssh/authorized_keys

Why? Append the client's public part to authorized keys.

> - Now __On client machine__ (after copying, client.pem, client-key.pem
>   and cacert.pem)
>
> - Build identity
>   - cat ~/.ssh/client-key.pem > /.ssh/id_rsa
>   - cat ~/.ssh/client.pem >> ~/.ssh/id_rsa
>   - chmod 0600 ~/.ssh/id_rsa
>   - /opt/ssh/bin/ssh-keygen -y > ~/.ssh/id_rsa.pub
>   // entering ~/.ssh/id_rsa as key

Copy id_rsa.pub to the server and append it to the authorized keys file.

> - Introducing following changes into /opt/ssh/etc/ssh_config
>   Port 4422
>   IdentityFile ~/.ssh/id_rsa
>   UserCACertificateFile ~/.ssh/cacert.pem
>   UserCACertificatePath ~/.ssh/crt
>   UserCARevocationFile ~/.ssh/ca-bundle.crl
>   UserCARevocationPath ~/.ssh/crl
>
>
> Finally launching sshd on server with
> command:
>
> /opt/ssh/sbin/sshd -f /opt/ssh/etc/sshd_config -d -d -d
>
> And client with:
> /opt/ssh/bin/ssh-agent
> /opt/ssh/bin/ssh-add
> /opt/ssh/bin/ssh -vvv -f /opt/ssh/etc/ssh_config -d -d -d \
>     myuser@myserver
>
> Which output is:
>
> The authenticity of host '[myserver]:4422 ([192.168.0.201]:4422)' can't
> be established.
> RSA+cert key fingerprint is
> 4c:3a:1b:2d:40:23:1d:99:aa:d2:eb:b3:28:8c:d2:d4.
> Distinguished name is 'C=ES,ST=Madrid,O=blub,CN=Server'.
> Are you sure you want to continue connecting (yes/no)? yes
>
> But I get 'Permission denied (publickey,keyboard-interactive)' error.
> I've sshd and ssh outputs but are quite long, I'll append them if
> above configuration seems ok.
>
> Many thanks in advance.
>
> Best regards,
>
> Jorge
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

Roumen
--
Get X.509 certificates support in OpenSSH:
http://roumenpetrov.info/openssh/
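The three points Roumen raises (is HostKey pointing at the key+cert file, is the identity file laid out as private key followed by certificate, and does authorized_keys carry the client's public part rather than the server's host key) can be checked mechanically before re-running sshd in debug mode. The script below is an added example written for this thread; it is not code from the thread, from OpenSSH or from the X.509 patch. It inspects file contents as text only (PEM block labels and authorized_keys lines), does not parse ASN.1 or talk to sshd, and all sample inputs are constructed with dummy key material. The function names and the sample values are this example's own.

```python
"""Pre-flight checks for the key+cert identity layout and authorized_keys
contents described in the thread. Added example; the sample data below is
constructed and the PEM bodies are placeholders, not real keys."""
import re

# A PEM block: "-----BEGIN <LABEL>-----" ... "-----END <same LABEL>-----"
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def pem_labels(bundle_text):
    """Ordered list of PEM block labels (e.g. 'RSA PRIVATE KEY', 'CERTIFICATE')."""
    return [m.group(1) for m in PEM_BLOCK.finditer(bundle_text)]


def check_identity_bundle(bundle_text):
    """The thread builds an identity with `cat key > file; cat cert >> file`,
    i.e. one private key first, then the certificate. Report deviations."""
    labels = pem_labels(bundle_text)
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    certs = [l for l in labels if l == "CERTIFICATE"]
    problems = []
    if len(keys) != 1:
        problems.append("expected exactly one PRIVATE KEY block, found %d" % len(keys))
    if not certs:
        problems.append("no CERTIFICATE block: file is a plain key, not key+cert")
    if keys and certs and labels.index(keys[0]) > labels.index(certs[0]):
        problems.append("certificate precedes the private key")
    return problems


def check_authorized_keys(authorized_keys_text, client_pub, host_pub):
    """Roumen's point: authorized_keys must hold the client's public part
    (id_rsa.pub), not the server's host key public part."""
    entries = {line.strip() for line in authorized_keys_text.splitlines()
               if line.strip() and not line.lstrip().startswith("#")}
    problems = []
    if host_pub.strip() in entries:
        problems.append("server host public key is listed; a host key does not authorise a user")
    if client_pub.strip() not in entries:
        problems.append("client public key (id_rsa.pub) is missing")
    return problems


def check_sshd_config(config_text, expected_hostkey):
    """Roumen's first question: does sshd_config declare HostKey for the
    key+cert file? Returns a problem list; empty means it is declared."""
    hostkeys = []
    for line in config_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "HostKey":
            hostkeys.append(parts[1].strip())
    if expected_hostkey not in hostkeys:
        return ["HostKey %s not declared" % expected_hostkey]
    return []


# --- constructed sample inputs (placeholders, not real keys) ---------------
CLIENT_PUB = "ssh-rsa AAAAB3CLIENTPLACEHOLDER== myuser@client"   # constructed
HOST_PUB = "ssh-rsa AAAAB3HOSTPLACEHOLDER== root@myserver"       # constructed

GOOD_IDENTITY = ("-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"
                 "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
KEY_ONLY = "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"
REVERSED = ("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
            "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")

# authorized_keys as the thread built it (host key copied in) vs. corrected
WRONG_AUTH = HOST_PUB + "\n"
FIXED_AUTH = CLIENT_PUB + "\n"

# sshd_config lines as posted (no HostKey shown) vs. with HostKey added
SSHD_CONF_POSTED = ("CACertificateFile /opt/ssh/etc/ca/crt/cacert.pem\n"
                    "Port 4422\nPasswordAuthentication no\n")
SSHD_CONF_FIXED = "HostKey /opt/ssh/etc/ssh_host_key_cert\n" + SSHD_CONF_POSTED

if __name__ == "__main__":
    for name, result in [
        ("identity (key then cert)", check_identity_bundle(GOOD_IDENTITY)),
        ("identity (key only)", check_identity_bundle(KEY_ONLY)),
        ("identity (cert then key)", check_identity_bundle(REVERSED)),
        ("authorized_keys as posted", check_authorized_keys(WRONG_AUTH, CLIENT_PUB, HOST_PUB)),
        ("authorized_keys fixed", check_authorized_keys(FIXED_AUTH, CLIENT_PUB, HOST_PUB)),
        ("sshd_config as posted", check_sshd_config(SSHD_CONF_POSTED, "/opt/ssh/etc/ssh_host_key_cert")),
        ("sshd_config fixed", check_sshd_config(SSHD_CONF_FIXED, "/opt/ssh/etc/ssh_host_key_cert")),
    ]:
        print("%-28s %s" % (name, "ok" if not result else "; ".join(result)))
```

Run it against the real files by reading them into the three functions (for example `check_identity_bundle(open("/opt/ssh/etc/ssh_host_key_cert").read())` on the server and the same on `~/.ssh/id_rsa` on the client). The authorized_keys check is the one that matches the thread's symptom: with only the server's host public key in `.ssh/authorized_keys`, publickey authentication for the user has nothing to match the client's identity against, which is exactly the "Permission denied (publickey,keyboard-interactive)" outcome, and the fix Roumen gives is to append the client's id_rsa.pub instead.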