Hi,

I need to add X.509 Certificate support to OpenSSH.

I came across the following post on the openssh-unix-dev mailing list that is very useful:
http://marc.info/?l=openssh-unix-dev&m=120298135706959&w=2

And also, http://marc.info/?l=openssh-unix-dev&m=104395024824680&w=2 that provides the required patches to download for OpenSSH to support X.509 certificates.

I am using FC6 and have followed the steps mentioned in the above post, but I am unable to successfully complete the task :(
Is there any step-by-step procedure that I could refer to in order to achieve the same?

Thanks and Regards,
Sankalp
sankalp_karpe wrote:
> Hi,
>
> I need to add X.509 Certificate support to OpenSSH.
>
> I came across the following post on the openssh-unix-dev mailing list
> that is very useful:
> http://marc.info/?l=openssh-unix-dev&m=120298135706959&w=2
>
> And also, http://marc.info/?l=openssh-unix-dev&m=104395024824680&w=2 that
> provides the required patches to download for OpenSSH to support X.509
> certificates.
>
> I am using FC6 and have followed the steps mentioned in the above post,
> but I am unable to successfully complete the task :(
> Is there any step-by-step procedure that I could refer to to achieve the
> same?
>
> Thanks and Regards,
> Sankalp
>

Please, could you clarify "successfully complete the task".

RedHat OpenSSH sources are heavily patched and the chance of the patch applying without problems is zero.

References:
- README.x509v3 for the specified version: http://roumenpetrov.info/openssh/download.html
- http://roumenpetrov.info/domino_CA/

Roumen
--
Get X.509 certificates support in OpenSSH: http://roumenpetrov.info/openssh/
Hi Roumen,

I discovered that the need to append the .pub part of id_rsa (client key+cert) on the server can be eliminated by adding the Certificate Blob to authorized_keys, which could look something like this:

x509v3-sign-rsa subject= /C=FR/ST=PARIS/L=DESEl/O=SSL/OU=VLSI/CN=10.244.82.83/emailAddress=client at company.com

This is extracted from the client certificate using openssl as described in the README file provided by you at http://roumenpetrov.info/openssh/x509h/README.x509v3

This system works fine, however my only concern is that I would like all clients (possessing valid client certificates signed by the CA) to be authenticated without having to place anything in the ~/.ssh/authorized_keys file on the server (i.e. authenticate all users if they have a valid certificate without any subject line checking).

In Apache this is very much possible via mod_ssl as described in http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6 .
Can a similar behavior be emulated in OpenSSH using the X.509 patch?

Please let me know your comments.

Thanks and Best Regards,
Sankalp
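As an added example (not code from this thread, nor from the X.509 patch or its README), a small POSIX shell helper that builds an authorized_keys entry in the form quoted above from a client certificate, refusing to emit one unless the certificate chains to the server's CA file. The `subject=` spacing follows the line quoted in the thread; the CA file name, the `-nameopt compat` output form, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the thread. Turns the text printed by
# `openssl x509 -noout -subject -nameopt compat` (e.g.
# "subject= /C=FR/ST=PARIS/CN=10.244.82.83") into the authorized_keys
# entry format quoted in the thread: "x509v3-sign-rsa subject= /C=...".
# The pinned DN is what binds one certificate holder to one account;
# without it, every certificate the CA ever issued would fit the entry.
subject_to_authorized_key() {
    dn=$(printf '%s\n' "$1" | sed -e 's/^subject= *//')
    case "$dn" in
        /*) printf 'x509v3-sign-rsa subject= %s\n' "$dn" ;;
        *)  echo "unexpected subject format (use -nameopt compat): $1" >&2
            return 1 ;;
    esac
}

# Verify the client certificate against the server's CA bundle before
# trusting its subject, then emit the entry.
# Usage: cert_to_authorized_key ca.pem client-cert.pem >> ~/.ssh/authorized_keys
cert_to_authorized_key() {
    ca="$1"; cert="$2"
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || {
        echo "$cert does not chain to $ca; refusing to emit entry" >&2
        return 1
    }
    subj=$(openssl x509 -noout -subject -nameopt compat -in "$cert") || return 1
    subject_to_authorized_key "$subj"
}
```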
sankalp_karpe wrote:
> Hi Roumen,
>
> I discovered that the need of appending the .pub part of id_rsa(client
> key+cert) on the server can be eliminated by adding the Certificate Blob
> to authorized_keys which could look something like this:
>
> x509v3-sign-rsa subject=
> /C=FR/ST=PARIS/L=DESEl/O=SSL/OU=VLSI/CN=10.244.82.83/emailAddress=client at company.com
>
> This is extracted from the client certificate using openssl as described
> in the README file provided by you at
> http://roumenpetrov.info/openssh/x509h/README.x509v3
>
> This system works fine, however my only concern is that I would like all
> Clients (possessing a valid Client-Certificates signed by the CA) to be
> authenticated without having to place anything in the
> ~/.ssh/authorized_keys file on the server.(i.e authenticate all users if
> they have a valid certificate without any subject line checking).
>
> In Apache this is very much possible via mod_ssl as described in
> http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6 .
> Can a similar behavior be emulated in OpenSSH using the X.509 patch?
>
> Please let me know your comments.
>
> Thanks and Best Regards,
> Sankalp

http://roumenpetrov.info/openssh/#todo
- to implement wildcards (patterns) for DN in "authorized keys" and "known hosts" files

So the above is similar to Apache SSLRequire.

Patches are welcome.

Roumen
As I had mentioned previously, I am building a system with OpenSSH + X.509 using the patch provided by Roumen, and I have to have the subject lines in my authorized_keys in order to authenticate clients based on the match of these subject lines.

I wanted to authenticate all clients who were issued a client certificate by the CA whose CA certificate is present on the server, as I believe that this should be sufficient and would avoid the overhead of adding subject lines (to authorized_keys on the server) for each client certificate issued...

Here is what I am considering...

-----Original Message-----
From: openssh-unix-dev-bounces+joviano_dias=persistent.co.in at mindrot.org [mailto:openssh-unix-dev-bounces+joviano_dias=persistent.co.in at mindrot.org] On Behalf Of Peter Stuge
Sent: Sunday, March 16, 2008 11:46 PM
To: OpenSSH Devel List
Subject: Re: OpenSSH and X.509 Certificate Support

On Sun, Mar 16, 2008 at 11:16:00PM +0530, joviano_dias at persistent.co.in wrote:
> > Sure, if you like every client with valid certificate to login
> > into every logon account on the server.
>
> I should be able to do that, but I can't quite figure out how to do that.....
> any idea on this?...

That should only need a small change to the patch.

I see that I would have to modify ssh-x509.c, however I was just wondering if there were any configuration options available to achieve the same. Switching between authenticating the client using "client cert subject lines" and "without any selective authentication (no subject lines in authorized_keys)" in authorized_keys on the server would be really good for me. Anyone ever did this before, or any suggestions on the same?

//Peter

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev