Hi guys,

been trying the x509 patch for ssh from Roumen, it works great.
However, I can't figure out a couple of things, and have been trying to solve
it for a couple of days already.

I'm using OpenSSH_4.7p1-hpn12v19, OpenSSL 0.9.8g
with 6.1 version of your patch.

The server-side hostkey is configured correctly, to present x509v3-sign-rsa

dynowork / # ssh-keyscan pingo
# pingo SSH-2.0-OpenSSH_4.7p1-hpn12v19
pingo x509v3-sign-rsa Subject:CN=pingo.dmz.arhont.com,OU=IT,O=Arhont Ltd,C=GB

However, in the situation when the clients haven't been patched to
support x509, they just could not connect, giving the following error:

no hostkey alg

Is it possible to circumvent this apart from also specifying the dss
key, that non-patched clients would understand?

The second problem is with clients that are patched, but for one reason
or another there is no x509 store set up on the client.
They just give out the following error:

ssh_x509store_cb: subject='CN=pingo.dmz.arhont.com,OU=IT,O=Arhont Ltd,C=GB', error 20 at 0 depth lookup:unable to get local issuer certificate
ssh_verify_cert: verify error, code=20, msg='unable to get local issuer certificate'
key_verify failed for server_host_key

Is it possible to have a situation when, if there is no x509 store set up
on the client, it would simply revert to password-based authentication?

I have tried setting
PubkeyAlgorithms ssh-dss
PreferredAuthentications keyboard-interactive
but with no effect, the same error appears.

I would appreciate your help.

--
Respectfully,
Konstantin V. Gavrilenko

Arhont Ltd - Information Security

web: http://www.arhont.com
http://www.wi-foo.com
e-mail: k.gavrilenko at arhont.com

tel: +44 (0) 870 44 31337
fax: +44 (0) 117 969 0141

PGP: Key ID - 0xE81824F4
PGP: Server - keyserver.pgp.com
Hi Konstantin,

Please, find answers in quoted text.

Konstantin V. Gavrilenko wrote:
> Hi guys,
>
> been trying the x509 patch for ssh from Roumen, it works great.
> However, I can't figure out a couple of things, and have been trying to solve
> it for a couple of days already.
>
> I'm using OpenSSH_4.7p1-hpn12v19, OpenSSL 0.9.8g
> with 6.1 version of your patch.
>
> The server-side hostkey is configured correctly, to present x509v3-sign-rsa
>
> dynowork / # ssh-keyscan pingo
> # pingo SSH-2.0-OpenSSH_4.7p1-hpn12v19
> pingo x509v3-sign-rsa Subject:CN=pingo.dmz.arhont.com,OU=IT,O=Arhont Ltd,C=GB
>
> However, in the situation when the clients haven't been patched to
> support x509, they just could not connect, giving the following error:
>
> no hostkey alg
>
Correct. In sshd_config (HostKey=...) you could list keys of the appropriate
type. A client with x509 support will give the same result if HostKeyAlgorithms
is set to ssh-rsa,ssh-dss in ~/.ssh/config for that host.

> Is it possible to circumvent this apart from also specifying the dss
> key, that non-patched clients would understand?
>
> The second problem is with clients that are patched, but for one reason
> or another there is no x509 store set up on the client.
>
So in this case the client could not create a trusted certificate chain and
verification will reject the given certificate. That is part of PKI and you
could test what the result is with "openssl verify ..." without trusted
certificates.

> They just give out the following error:
>
> ssh_x509store_cb: subject='CN=pingo.dmz.arhont.com,OU=IT,O=Arhont Ltd,C=GB', error 20 at 0 depth lookup:unable to get local issuer certificate
> ssh_verify_cert: verify error, code=20, msg='unable to get local issuer certificate'
> key_verify failed for server_host_key
>
> Is it possible to have a situation when, if there is no x509 store set up
> on the client, it would simply revert to password-based authentication?
>
In the reported case the client could not trust the host key and as a result
will refuse to continue. But you could switch to rsa/dss host-keys
(HostKeyAlgorithms ssh-rsa,ssh-dss) for that host and then set the order of
authentication methods in PreferredAuthentications.

> I have tried setting
> PubkeyAlgorithms ssh-dss
>
The client will use only ssh-dss keys to authenticate to the server.
HostKeyAlgorithms is for accepted host-keys.

> PreferredAuthentications keyboard-interactive
>
Maybe you should append "password" if you like to use password authentication
if the previously listed ones are rejected by the server.

> but with no effect, the same error appears.
>
Sure, if the server doesn't offer an ssh-dss host-key.

> I would appreciate your help.
>
> --
> Respectfully,
> Konstantin V. Gavrilenko
>
> Arhont Ltd - Information Security
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

Roumen

--
Get X.509 certificates support in OpenSSH:
http://roumenpetrov.info/openssh/
Is the x509 support going to be embedded in mainstream?

On Jan 19, 2008 10:50 PM, Roumen Petrov <openssh at roumenpetrov.info> wrote:
> Konstantin V. Gavrilenko wrote:
> > Roumen,
> >
> > one last thing, what exactly does the MandatoryCRL option set?
> >
> > Since when it is set to no, the ssh_crl.pem does get checked whether the
> > cert is revoked or not.
> > However, when I set it to yes, I get the following error
> > [SNIP]
> >
> > Jan 17 14:46:12 pingo sshd[25026]: error: ssh_x509revoked_cb: unable to
> > get issued CRL
> > [SNIP]
>
> When MandatoryCRL is no, check for revoked only if CRL is found in X.509 store.
>
> When MandatoryCRL option is set and certificate attribute "CRL Distribution Point" is set,
> corresponding CRL must exist in X.509 store.
>
> Roumen
>
> --
> Get X.509 certificates support in OpenSSH:
> http://roumenpetrov.info/openssh/
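The two failure modes discussed in this thread, the "unable to get local issuer certificate" (error 20) a patched client reports when it has no X.509 store, and the missing-CRL rejection behind MandatoryCRL, can both be reproduced with the plain openssl CLI that Roumen points to; this is an added example, not code from the thread or from the X.509 patch. It builds a throwaway CA and host certificate in a temporary directory (all names, subjects and paths are constructed) and then runs "openssl verify" with no trusted issuer, with the CA, and with -crl_check, which is openssl's way of demanding a CRL for every certificate in the chain.

```shell
#!/bin/sh
# Added example: reproduce the X.509 host-key verification outcomes from the
# thread with the openssl CLI. Names, subjects and paths are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_CERT="$WORK/ca.pem"
HOST_CERT="$WORK/host.pem"

# Throwaway CA plus a host certificate it issues (stands in for pingo's cert).
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Test CA' \
    -keyout "$WORK/ca.key" -out "$CA_CERT" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj '/CN=pingo.example.test' \
    -keyout "$WORK/host.key" -out "$WORK/host.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/host.csr" -CA "$CA_CERT" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$HOST_CERT" >/dev/null 2>&1
}

# Run 'openssl verify' on the host certificate with the given extra options and
# classify the result:
#   ok             chain built to a trusted issuer
#   missing-issuer error 20: no trusted issuer, i.e. the client has no X.509 store
#   missing-crl    error 3: revocation check demanded but no CRL in the store
#   other          anything else (raw output printed for diagnosis)
verify_host() {
  out=$(openssl verify "$@" "$HOST_CERT" 2>&1) || true
  case "$out" in
    *": OK"*)                                   echo ok ;;
    *"unable to get local issuer certificate"*) echo missing-issuer ;;
    *"unable to get certificate CRL"*)          echo missing-crl ;;
    *) printf '%s\n' "$out"; echo other ;;
  esac
}

make_pki
echo "no trusted store:  $(verify_host)"                               # missing-issuer
echo "CA in store:       $(verify_host -CAfile "$CA_CERT")"            # ok
echo "CA + CRL required: $(verify_host -CAfile "$CA_CERT" -crl_check)" # missing-crl
```

The first line is exactly the situation of a patched client without a store; the third mirrors MandatoryCRL=yes, where the chain is trusted but verification still fails because no CRL for the issuer can be found.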
BTW, why can I not open the following website again,

http://roumenpetrov.info/openssh/

Is it changed?

On Jan 23, 2008 4:16 AM, Ian jonhson <jonhson.ian at gmail.com> wrote:
> Is the x509 support going to be embedded in mainstream?
>
> On Jan 19, 2008 10:50 PM, Roumen Petrov <openssh at roumenpetrov.info> wrote:
> > [SNIP]
Ian jonhson wrote:
> BTW, why can I not open the following website again,
>
> http://roumenpetrov.info/openssh/
>
> Is it changed?
>
No. Site is online.

> On Jan 23, 2008 4:16 AM, Ian jonhson <jonhson.ian at gmail.com> wrote:
>
>> Is the x509 support going to be embedded in mainstream?
>>
>> [SNIP]
>>

Roumen