This (very quick) patch allows you to connect with the commercial
ssh.com windows client and use x509 certs for hostkeys. You have
to import your CA cert (ca.crt) in the windows client and certify
your hostkey:
$ cat << 'EOF' > x509v3.cnf
CERTPATHLEN = 1
CERTUSAGE = digitalSignature,keyCertSign
CERTIP = 0.0.0.0
[x509v3_CA]
basicConstraints=critical,CA:true,pathlen:$ENV::CERTPATHLEN
keyUsage=$ENV::CERTUSAGE
[x509v3_IPAddr]
subjectAltName=IP:$ENV::CERTIP
[x509v3_DNSName]
subjectAltName=DNS:$ENV::CERTDNS
EOF
$ CERTDNS=myipaddr; export CERTDNS
$ openssl req -new -key /etc/ssh_host_rsa_key -out HOSTKEY.csr
$ openssl x509 -req -days 365 -in HOSTKEY.csr -CA ca.crt \
-CAkey ca.key -CAcreateserial \
-extfile x509v3.cnf -extensions x509v3_DNSName \
-out HOSTKEY.crt
$ umask 077
$ cat /etc/ssh_host_rsa_key HOSTKEY.crt > /etc/ssh_host_rsa_key+cert
$ echo HostKey /etc/ssh_host_rsa_key+cert > sshd_config-test
$ sudo sshd -p 2222 -ddd -f sshd_config-test
Index: authfile.c
==================================================================RCS file:
/home/markus/cvs/ssh/authfile.c,v
retrieving revision 1.45
diff -u -r1.45 authfile.c
--- authfile.c 29 Dec 2001 21:56:01 -0000 1.45
+++ authfile.c 31 Jan 2002 10:50:53 -0000
@@ -460,6 +460,24 @@
error("PEM_read_PrivateKey: mismatch or "
"unknown EVP_PKEY save_type %d", pk->save_type);
}
+ if (prv != NULL) {
+ /* try to get a certificate if we have the private key */
+ prv->x509 = PEM_read_X509(fp, NULL, NULL, (char *)passphrase);
+ if (prv->x509 != NULL) {
+ debug("PEM_read_X509");
+#ifdef DEBUG_X509
+ X509_print_fp(stdout, prv->x509);
+ {
+ EVP_PKEY *pkey = X509_get_pubkey(prv->x509);
+ if (pkey->type == EVP_PKEY_RSA) {
+ debug("PEM_read_X509 -> RSA");
+ } else if (pkey->type == EVP_PKEY_DSA) {
+ debug("PEM_read_X509 -> DSA");
+ }
+ }
+#endif
+ }
+ }
fclose(fp);
if (pk != NULL)
EVP_PKEY_free(pk);
Index: key.c
==================================================================RCS file:
/home/markus/cvs/ssh/key.c,v
retrieving revision 1.39
diff -u -r1.39 key.c
--- key.c 25 Jan 2002 22:07:40 -0000 1.39
+++ key.c 31 Jan 2002 10:26:53 -0000
@@ -53,10 +53,12 @@
RSA *rsa;
DSA *dsa;
k = xmalloc(sizeof(*k));
+ memset(k, 0, sizeof(*k));
k->type = type;
k->flags = 0;
k->dsa = NULL;
k->rsa = NULL;
+ k->x509 = NULL;
switch (k->type) {
case KEY_RSA1:
case KEY_RSA:
@@ -141,6 +143,10 @@
fatal("key_free: bad key type %d", k->type);
break;
}
+ if (k->x509 != NULL) {
+ X509_free(k->x509);
+ k->x509 = NULL;
+ }
xfree(k);
}
int
@@ -538,6 +544,8 @@
{
switch (k->type) {
case KEY_RSA:
+ if (k->x509)
+ return "x509v3-sign-rsa";
return "ssh-rsa";
break;
case KEY_DSA:
@@ -641,6 +649,10 @@
return KEY_RSA;
} else if (strcmp(name, "ssh-dss") == 0) {
return KEY_DSA;
+ } else if (strcmp(name, "x509v3-sign-rsa") == 0) {
+ return KEY_RSA;
+ } else if (strcmp(name, "x509v3-sign-dss") == 0) {
+ return KEY_DSA;
}
debug2("key_type_from_name: unknown key type '%s'", name);
return KEY_UNSPEC;
@@ -739,9 +751,16 @@
buffer_put_bignum2(&b, key->dsa->pub_key);
break;
case KEY_RSA:
- buffer_put_cstring(&b, key_ssh_name(key));
- buffer_put_bignum2(&b, key->rsa->e);
- buffer_put_bignum2(&b, key->rsa->n);
+ if (key->x509) {
+ /* XXX ssh.com does not accept a key name here */
+ len = i2d_X509(key->x509, NULL);
+ buf = buffer_append_space(&b, len);
+ i2d_X509(key->x509, &buf);
+ } else {
+ buffer_put_cstring(&b, key_ssh_name(key));
+ buffer_put_bignum2(&b, key->rsa->e);
+ buffer_put_bignum2(&b, key->rsa->n);
+ }
break;
default:
error("key_to_blob: unsupported key type %d", key->type);
Index: key.h
==================================================================RCS file:
/home/markus/cvs/ssh/key.h,v
retrieving revision 1.17
diff -u -r1.17 key.h
--- key.h 17 Sep 2001 19:27:15 -0000 1.17
+++ key.h 30 Jan 2002 15:23:11 -0000
@@ -28,6 +28,7 @@
#include <openssl/rsa.h>
#include <openssl/dsa.h>
+#include <openssl/x509.h>
typedef struct Key Key;
enum types {
@@ -53,6 +54,7 @@
int flags;
RSA *rsa;
DSA *dsa;
+ X509 *x509;
};
Key *key_new(int);
Index: ssh-rsa.c
==================================================================RCS file:
/home/markus/cvs/ssh/ssh-rsa.c,v
retrieving revision 1.15
diff -u -r1.15 ssh-rsa.c
--- ssh-rsa.c 25 Jan 2002 21:42:11 -0000 1.15
+++ ssh-rsa.c 31 Jan 2002 09:23:53 -0000
@@ -91,7 +91,11 @@
}
/* encode signature */
buffer_init(&b);
+#if 0
buffer_put_cstring(&b, "ssh-rsa");
+#else
+ buffer_put_cstring(&b, key_ssh_name(key));
+#endif
buffer_put_string(&b, sig, slen);
len = buffer_len(&b);
ret = xmalloc(len);
Quick question... what is $ENV set to in your environment for the "cat" command or does your shell not do "$" subs within "<<" sections? Thanks, Ed On Thu, 31 Jan 2002, Markus Friedl wrote:> Date: Thu, 31 Jan 2002 12:09:10 +0100 > From: Markus Friedl <markus at openbsd.org> > To: openssh at openbsd.org, openssh-unix-dev at mindrot.org > Subject: x509 for hostkeys. > > This (very quick) patch allows you to connect with the commercial > ssh.com windows client and use x509 certs for hostkeys. You have > to import your CA cert (ca.crt) in the windows client and certify > your hostkey: > > $ cat << 'EOF' > x509v3.cnf > CERTPATHLEN = 1 > CERTUSAGE = digitalSignature,keyCertSign > CERTIP = 0.0.0.0 > [x509v3_CA] > basicConstraints=critical,CA:true,pathlen:$ENV::CERTPATHLEN > keyUsage=$ENV::CERTUSAGE > [x509v3_IPAddr] > subjectAltName=IP:$ENV::CERTIP > [x509v3_DNSName] > subjectAltName=DNS:$ENV::CERTDNS > EOF > $ CERTDNS=myipaddr; export CERTDNS > $ openssl req -new -key /etc/ssh_host_rsa_key -out HOSTKEY.csr > $ openssl x509 -req -days 365 -in HOSTKEY.csr -CA ca.crt \ > -CAkey ca.key -CAcreateserial \ > -extfile x509v3.cnf -extensions x509v3_DNSName \ > -out HOSTKEY.crt > $ umask 077 > $ cat /etc/ssh_host_rsa_key HOSTKEY.crt > /etc/ssh_host_rsa_key+cert > $ echo HostKey /etc/ssh_host_rsa_key+cert > sshd_config-test > $ sudo sshd -p 2222 -ddd -f sshd_config-testEd Phillips <ed at udel.edu> University of Delaware (302) 831-6082 Systems Programmer III, Network and Systems Services finger -l ed at polycut.nss.udel.edu for PGP public key
who did try this? no success stories? no feedback? no comments? no x509 in openssh-3.1? On Thu, Jan 31, 2002 at 12:09:10PM +0100, Markus Friedl wrote:> This (very quick) patch allows you to connect with the commercial > ssh.com windows client and use x509 certs for hostkeys. You have > to import your CA cert (ca.crt) in the windows client and certify > your hostkey:
On Fri, Feb 08, 2002 at 01:59:21PM +0100, Markus Friedl wrote:> who did try this? > no success stories? > no feedback? > no comments? > no x509 in openssh-3.1?maybe openssh (and putty) are successful enough that no one cares about the commercial windows client. :) -- Mike Stone
On Fri, 8 Feb 2002, Michael Stone wrote:> Date: Fri, 8 Feb 2002 08:30:18 -0500 > From: Michael Stone <mstone at cs.loyola.edu> > To: openssh-unix-dev at mindrot.org > Subject: Re: x509 for hostkeys. > > On Fri, Feb 08, 2002 at 01:59:21PM +0100, Markus Friedl wrote: > > who did try this? > > no success stories? > > no feedback? > > no comments? > > no x509 in openssh-3.1? > > maybe openssh (and putty) are successful enough that no one cares about > the commercial windows client. :)What do you mean? Does putty support X.509 host key certificates? Ed Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082 Systems Programmer III, Network and Systems Services finger -l ed at polycut.nss.udel.edu for PGP public key
You may already be aware of this, but there is a variant of ssh (gsi-ssh) that is included with the Globus Toolkit. GSI (Grid Security Infrastructure) uses x509 certificates and thus gsi-ssh does. I would imagine that the Globus group would be interested in x509 support being added to OpenSSH. A jumping-off point for information about GSI (and Globus) would be: www.globus.org/toolkit/security.html On Fri Feb 8 04:59:21 2002, Markus Friedl wrote:> > who did try this? > no success stories? > no feedback? > no comments? > no x509 in openssh-3.1? > > On Thu, Jan 31, 2002 at 12:09:10PM +0100, Markus Friedl wrote: > > This (very quick) patch allows you to connect with the commercial > > ssh.com windows client and use x509 certs for hostkeys. You have > > to import your CA cert (ca.crt) in the windows client and certify > > your hostkey: > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev >-- Iain Morgan NAS Desktop Support Group
Iain Morgan writes:> You may already be aware of this, but there is a variant of ssh (gsi-ssh) > that is included with the Globus Toolkit. GSI (Grid Securityhttp://www.ncsa.uiuc.edu/Divisions/ACES/GSI/openssh/ I think they took over support of the openssh work. GSI & how it works might be rather different from whatever openssh has in mind for x509 support.
Well, I succesfully got the patched version working, but as it turns out, we don't have the "commercial" version of the SSH.COM software here at UD... and the free-for-non-commercial-use client doesn't support PKI. Maybe at some point I'll get time to implement the client bits in OpenSSH... but until then, I won't be able to test the X.509 hostkey patch. Ed On Thu, 31 Jan 2002, Markus Friedl wrote:> Date: Thu, 31 Jan 2002 12:09:10 +0100 > From: Markus Friedl <markus at openbsd.org> > To: openssh at openbsd.org, openssh-unix-dev at mindrot.org > Subject: x509 for hostkeys. > > This (very quick) patch allows you to connect with the commercial > ssh.com windows client and use x509 certs for hostkeys. You have > to import your CA cert (ca.crt) in the windows client and certify > your hostkey: > > $ cat << 'EOF' > x509v3.cnf > CERTPATHLEN = 1 > CERTUSAGE = digitalSignature,keyCertSign > CERTIP = 0.0.0.0 > [x509v3_CA] > basicConstraints=critical,CA:true,pathlen:$ENV::CERTPATHLEN > keyUsage=$ENV::CERTUSAGE > [x509v3_IPAddr] > subjectAltName=IP:$ENV::CERTIP > [x509v3_DNSName] > subjectAltName=DNS:$ENV::CERTDNS > EOF > $ CERTDNS=myipaddr; export CERTDNS > $ openssl req -new -key /etc/ssh_host_rsa_key -out HOSTKEY.csr > $ openssl x509 -req -days 365 -in HOSTKEY.csr -CA ca.crt \ > -CAkey ca.key -CAcreateserial \ > -extfile x509v3.cnf -extensions x509v3_DNSName \ > -out HOSTKEY.crt > $ umask 077 > $ cat /etc/ssh_host_rsa_key HOSTKEY.crt > /etc/ssh_host_rsa_key+cert > $ echo HostKey /etc/ssh_host_rsa_key+cert > sshd_config-test > $ sudo sshd -p 2222 -ddd -f sshd_config-test > > Index: authfile.c > ==================================================================> RCS file: /home/markus/cvs/ssh/authfile.c,v > retrieving revision 1.45 > diff -u -r1.45 authfile.c > --- authfile.c 29 Dec 2001 21:56:01 -0000 1.45 > +++ authfile.c 31 Jan 2002 10:50:53 -0000 > @@ -460,6 +460,24 @@ > error("PEM_read_PrivateKey: mismatch or " > "unknown EVP_PKEY save_type %d", pk->save_type); > } > + if (prv != NULL) { > + /* try to get a certificate if we have the private key */ > + prv->x509 = PEM_read_X509(fp, NULL, NULL, (char *)passphrase); > + if (prv->x509 != NULL) { > + debug("PEM_read_X509"); > +#ifdef DEBUG_X509 > + X509_print_fp(stdout, prv->x509); > + { > + EVP_PKEY *pkey = X509_get_pubkey(prv->x509); > + if (pkey->type == EVP_PKEY_RSA) { > + debug("PEM_read_X509 -> RSA"); > + } else if (pkey->type == EVP_PKEY_DSA) { > + debug("PEM_read_X509 -> DSA"); > + } > + } > +#endif > + } > + } > fclose(fp); > if (pk != NULL) > EVP_PKEY_free(pk); > Index: key.c > ==================================================================> RCS file: /home/markus/cvs/ssh/key.c,v > retrieving revision 1.39 > diff -u -r1.39 key.c > --- key.c 25 Jan 2002 22:07:40 -0000 1.39 > +++ key.c 31 Jan 2002 10:26:53 -0000 > @@ -53,10 +53,12 @@ > RSA *rsa; > DSA *dsa; > k = xmalloc(sizeof(*k)); > + memset(k, 0, sizeof(*k)); > k->type = type; > k->flags = 0; > k->dsa = NULL; > k->rsa = NULL; > + k->x509 = NULL; > switch (k->type) { > case KEY_RSA1: > case KEY_RSA: > @@ -141,6 +143,10 @@ > fatal("key_free: bad key type %d", k->type); > break; > } > + if (k->x509 != NULL) { > + X509_free(k->x509); > + k->x509 = NULL; > + } > xfree(k); > } > int > @@ -538,6 +544,8 @@ > { > switch (k->type) { > case KEY_RSA: > + if (k->x509) > + return "x509v3-sign-rsa"; > return "ssh-rsa"; > break; > case KEY_DSA: > @@ -641,6 +649,10 @@ > return KEY_RSA; > } else if (strcmp(name, "ssh-dss") == 0) { > return KEY_DSA; > + } else if (strcmp(name, "x509v3-sign-rsa") == 0) { > + return KEY_RSA; > + } else if (strcmp(name, "x509v3-sign-dss") == 0) { > + return KEY_DSA; > } > debug2("key_type_from_name: unknown key type '%s'", name); > return KEY_UNSPEC; > @@ -739,9 +751,16 @@ > buffer_put_bignum2(&b, key->dsa->pub_key); > break; > case KEY_RSA: > - buffer_put_cstring(&b, key_ssh_name(key)); > - buffer_put_bignum2(&b, key->rsa->e); > - buffer_put_bignum2(&b, key->rsa->n); > + if (key->x509) { > + /* XXX ssh.com does not accept a key name here */ > + len = i2d_X509(key->x509, NULL); > + buf = buffer_append_space(&b, len); > + i2d_X509(key->x509, &buf); > + } else { > + buffer_put_cstring(&b, key_ssh_name(key)); > + buffer_put_bignum2(&b, key->rsa->e); > + buffer_put_bignum2(&b, key->rsa->n); > + } > break; > default: > error("key_to_blob: unsupported key type %d", key->type); > Index: key.h > ==================================================================> RCS file: /home/markus/cvs/ssh/key.h,v > retrieving revision 1.17 > diff -u -r1.17 key.h > --- key.h 17 Sep 2001 19:27:15 -0000 1.17 > +++ key.h 30 Jan 2002 15:23:11 -0000 > @@ -28,6 +28,7 @@ > > #include <openssl/rsa.h> > #include <openssl/dsa.h> > +#include <openssl/x509.h> > > typedef struct Key Key; > enum types { > @@ -53,6 +54,7 @@ > int flags; > RSA *rsa; > DSA *dsa; > + X509 *x509; > }; > > Key *key_new(int); > Index: ssh-rsa.c > ==================================================================> RCS file: /home/markus/cvs/ssh/ssh-rsa.c,v > retrieving revision 1.15 > diff -u -r1.15 ssh-rsa.c > --- ssh-rsa.c 25 Jan 2002 21:42:11 -0000 1.15 > +++ ssh-rsa.c 31 Jan 2002 09:23:53 -0000 > @@ -91,7 +91,11 @@ > } > /* encode signature */ > buffer_init(&b); > +#if 0 > buffer_put_cstring(&b, "ssh-rsa"); > +#else > + buffer_put_cstring(&b, key_ssh_name(key)); > +#endif > buffer_put_string(&b, sig, slen); > len = buffer_len(&b); > ret = xmalloc(len); > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev >Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082 Systems Programmer III, Network and Systems Services finger -l ed at polycut.nss.udel.edu for PGP public key