Hi All,

Please pardon me if this is the wrong list to ask how-to questions etc.

I am having an issue with signed SSH keys. I am being asked for the passphrase for my signed public key, even though I don't have any.

I am running CentOS7 with OpenSSH_6.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013.

1) I have a CA server with CA user keys (ca-user-key.pub)
2) I created user SSH RSA keys (user-id-org and user-id-org.pub).
3) I signed "user-id-org.pub" with "ca-user-key.pub" and generated "signed-user-id-org.pub".
4) I copied "ca-user-key.pub" to the destination server (dest1.domain.com) and changed "TrustedUserCAKeys /etc/ssh/ca-user-key.pub" in /etc/ssh/sshd_config.
5) I am trying to get into "dest1.domain.com" using "user-id-org" as well as "signed-user-id-org.pub":
   [ ssh -i user-id-org -i signed-user-id-org.pub user1@dest1.domain.com ]

However, I am being asked for the passphrase for signed-user-id-org.pub, which I don't have. Below is the output I pasted from the terminal.

[root@lab-linux1 .ssh]# ssh -i user-id-org -i signed-user-id-org.pub user1@dest1.domain.com
Enter passphrase for key '/root/.ssh/signed-user-id-org.pub':
Enter passphrase for key '/root/.ssh/signed-user-id-org.pub':
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

But if I change the SSH key names to id_rsa, id_rsa.pub and id_rsa-cert.pub, simply using either "id_rsa" or "id_rsa-cert", I can SSH without any issues and without any prompting. I am confused here and I don't understand why I have to use only id_rsa as opposed to any name that I point to using the file path.

Failed scenarios:

1. I tried giving the options using -o, i.e. (ssh -o 'IdentityFile /root/.ssh/id_rsa' -o 'CertificateFile /root/.ssh/signed-cert.pub' root@test.domain.com).
   -> command-line: line 0: Bad configuration option: certificatefile

2. Tried changing ~/.ssh/config or /etc/ssh/ssh_config.
   -> Same problem, it says Bad configuration option: certificatefile

3. Tried renaming the files to test_id_rsa, test_id_rsa.pub and test_id_rsa-cert.pub.
   -> Asking for the passphrase of the signed cert.

Successful scenarios:

1. When I rename all the keys to the default names id_rsa, id_rsa.pub and id_rsa-cert.pub.
   -> No issues, I could SSH into the servers using either the private key or the signed key. [Assuming the file names are being automatically taken from a switch case in the code base.]

What should I do?

- Can anyone suggest how to get around this issue? I want to use my own naming convention and my custom location for the keys.

Any help is appreciated, and thanks in advance.

NK.
You do not use the public key file as an identity file. Just the private key. Do not use the .pub file with -i.

-----Original Message-----
From: openssh-unix-dev <openssh-unix-dev-bounces+scott_n=xypro.com@mindrot.org> On Behalf Of Naren K
Sent: Tuesday, April 10, 2018 10:36 AM
To: openssh-unix-dev@mindrot.org
Subject: Signed SSH key issue with OpenSSH6.4p1

[...]

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Yeah. But how does the SSH server know that it is a signed key? I understand with regular keys. But the problem is with the signed keys.

On Tue, Apr 10, 2018 at 1:19 PM Scott Neugroschl <scott_n@xypro.com> wrote:
> You do not use the Public key file as an identity file. Just the private
> key. Do not use the .pub file with -i.
>
> [...]
On Tue, 2018-04-10 at 12:35 -0500, Naren K wrote:
>
> What Should I do?
>
> - Can anyone suggest me how to get around this issue. I want to
> use my own naming convention and my custom location to the keys?

Update to a newer version that supports the CertificateFile option. Version 6.4 was released almost 5 years ago, and even in the latest CentOS we provide a more up-to-date version than this one. It is very irresponsible to use such an old version without any security updates.

Or use the "default" naming conventions if you do not care about security. There was no way around that, so this was the reason why this option was introduced.

Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
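An added illustration of the two answers above (this is example code written for this page, not code from the thread or from OpenSSH): ssh reads whatever -i names as a private key, so a .pub file or a certificate handed to -i does not parse and ends in the passphrase prompt seen in the original post, while the certificate ssh actually uses is the file named <identity>-cert.pub beside the private key (the id_rsa / id_rsa-cert.pub pairing that worked), or whatever CertificateFile names on versions that have that option. The checker below tells you which of the three kinds of file you are holding and, for a certificate, decodes the fields the server will evaluate against TrustedUserCAKeys (key ID, principals, serial, validity); it handles RSA, ed25519 and ECDSA certificates, and the sample vectors are constructed, unsigned placeholders, not real keys.

```python
import base64
import struct
CERT_SUFFIX = "-cert-v01@openssh.com"
# Length-prefixed public-key fields that follow the nonce inside a certificate blob
PUBKEY_FIELDS = {"ssh-rsa": 2, "ssh-ed25519": 1, "ecdsa-sha2-nistp256": 2,
                 "ecdsa-sha2-nistp384": 2, "ecdsa-sha2-nistp521": 2}

def read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)    # SSH wire string: uint32 length + bytes
    return buf[off + 4:off + 4 + n], off + 4 + n

def inspect_identity_line(line):
    """Classify a key file's first line: private key, plain public key, or certificate."""
    if line.startswith("-----BEGIN"):
        return {"kind": "private-key"}           # the only kind ssh accepts for -i
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    wire_type, off = read_string(blob, 0)
    if wire_type.decode() != keytype:
        raise ValueError("key type text does not match the encoded blob")
    if not keytype.endswith(CERT_SUFFIX):
        return {"kind": "public-key", "type": keytype}
    base = keytype[:-len(CERT_SUFFIX)]
    _nonce, off = read_string(blob, off)
    for _ in range(PUBKEY_FIELDS[base]):         # skip the embedded public key
        _, off = read_string(blob, off)
    serial, ctype = struct.unpack_from(">QI", blob, off)
    key_id, off = read_string(blob, off + 12)
    packed, off = read_string(blob, off)         # principals: a list of strings, itself a string
    principals, p = [], 0
    while p < len(packed):
        name, p = read_string(packed, p)
        principals.append(name.decode())
    after, before = struct.unpack_from(">QQ", blob, off)
    return {"kind": "certificate", "type": base, "serial": serial,
            "cert_type": {1: "user", 2: "host"}.get(ctype, ctype),
            "key_id": key_id.decode(), "principals": principals,
            "valid_after": after, "valid_before": before}

def sshstr(b): return struct.pack(">I", len(b)) + b

def sample_lines():
    """Constructed test vectors: a dummy ed25519 public key and an unsigned user cert for it."""
    pk = b"\x11" * 32                            # placeholder bytes, not a real key
    cert = (sshstr(b"ssh-ed25519" + CERT_SUFFIX.encode()) + sshstr(b"\x00" * 32) + sshstr(pk)
            + struct.pack(">QI", 7, 1) + sshstr(b"user-id-org") + sshstr(sshstr(b"user1"))
            + struct.pack(">QQ", 0, 2**64 - 1) + sshstr(b"") * 5)   # no options/exts, no signature
    enc = lambda blob: base64.b64encode(blob).decode()
    return {"pub": "ssh-ed25519 " + enc(sshstr(b"ssh-ed25519") + sshstr(pk)) + " sample",
            "cert": "ssh-ed25519" + CERT_SUFFIX + " " + enc(cert) + " sample"}
```

Run it over the first line of each file you intend to pass to -i; anything that does not come back as "private-key" is the wrong file for that flag.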
Slightly OT question - is there a way to make ssh-agent work with keys in a PKCS#11 module and a certificate? I can make the ssh client work (add the key to the agent and the default cert gets used by default), but the cert can't be added to ssh-agent...

Jan

> On 11 Apr 2018, at 09:40, Jakub Jelen <jjelen@redhat.com> wrote:
>
> [...]