Gentoo Forums
OpenSSH Certificate Based Authentication
brianakee
Tux's lil' helper
Joined: 16 Aug 2002
Posts: 78

PostPosted: Fri Jun 04, 2004 8:08 pm    Post subject: OpenSSH Certificate Based Authentication

Does anyone have any experience setting up OpenSSH certificate-based authentication?

Any information regarding this would be appreciated.

Thank You,

TM
Houdini
Apprentice
Joined: 14 Jun 2002
Posts: 224
Location: New Mexico Tech, Socorro, NM

PostPosted: Fri Jun 04, 2004 8:19 pm

Certificate based, or public-key based? I know lots about the latter, and wasn't aware of the former.
_________________
^]:wq
brianakee
Tux's lil' helper
Joined: 16 Aug 2002
Posts: 78

PostPosted: Fri Jun 04, 2004 8:21 pm

Let me rephrase:

Does anyone have any experience setting up OpenSSH X509-based authentication?

As per the man page this is possible.


Thank You,

TM
Houdini
Apprentice
Joined: 14 Jun 2002
Posts: 224
Location: New Mexico Tech, Socorro, NM

PostPosted: Fri Jun 04, 2004 8:49 pm

Ah.

Sorry, I've got nothing.
_________________
^]:wq
Chris W
l33t
Joined: 25 Jun 2002
Posts: 972
Location: Brisbane, Australia

PostPosted: Fri Jun 04, 2004 11:25 pm

Which man page? The string "509" does not appear in any of my man pages for ssh, sshd, sshd_config, or ssh_config.

Google came up with some references to patches for OpenSSH to support PKI (x.509) certificates, but AFAIK these are not part of the distribution. Google searches for X.509 and x509 on the openssh.org site also draw blanks, except for an expired draft mentioning optional x.509 functionality.

Are you perhaps referring to OpenSSL?
_________________
Cheers,
Chris W
"Common sense: The collection of prejudices acquired by age 18." -- Einstein
brianakee
Tux's lil' helper
Joined: 16 Aug 2002
Posts: 78

PostPosted: Sat Jun 05, 2004 3:31 am

man sshd
Quote:
SSH protocol version 2
Version 2 works similarly: Each host has a host-specific key (RSA or DSA)
used to identify the host. It is possible host key to contain key plus
X.509 certificate. However, when the daemon starts, it does not generate
a server key. Forward security is provided through a Diffie-Hellman key
agreement. This key agreement results in a shared session key.


ssh -V
Quote:
OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004


This is about all that I have been able to find on the subject.

TM
Chris W
l33t
Joined: 25 Jun 2002
Posts: 972
Location: Brisbane, Australia

PostPosted: Sat Jun 05, 2004 6:03 am

Curious. From my copy of the man page:
Quote:
SSH protocol version 2
Version 2 works similarly: Each host has a host-specific key (RSA or DSA)
used to identify the host. However, when the daemon starts, it does not
generate a server key. Forward security is provided through a Diffie-
Hellman key agreement. This key agreement results in a shared session
key.
for this version:
Code:
$ ssh -V
OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004
My man page matches the distribution file for OpenSSH (both 3.8 and 3.7.1p2).

I know of no way to directly use X.509 certificates with OpenSSH. You can extract the public key from a certificate using:
Code:
openssl x509 -in ./certs/nortelCA.pem -pubkey
-----BEGIN PUBLIC KEY-----
MIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQCaroS7O1DA0hm4IefNYU1cx/nq
OmzEnk291d1XqznDeF4wEgakbkCczTKxK791yNpXG5RmngqH7cygDRTHZJ6mfCRn
0wGC+AI00F2vYTGqPGRQL1N3lZT0YDKFC0SQeMMjFIZ1aeQigroFQnHo0VB3zWIM
pNkka8PY9lxHZAmWwQIBAw==
-----END PUBLIC KEY-----
but this won't necessarily be of use to you.

There are third party patches that might be of use:
http://roumenpetrov.info/openssh/
_________________
Cheers,
Chris W
"Common sense: The collection of prejudices acquired by age 18." -- Einstein
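Stock OpenSSH cannot read the SubjectPublicKeyInfo that `openssl x509 -pubkey` prints, but the RSA key inside it can be re-encoded as an ordinary ssh-rsa public key and then verified like any other. The Python below is an added example, not code from the thread or from the x509 patch: it parses the exact PEM block Chris W posted, rebuilds OpenSSH's wire-format key blob (the base64 part of an authorized_keys or known_hosts line) and derives the colon-separated MD5 fingerprint that OpenSSH of that era displayed. The helper names and the `x509-subject-key` comment are my own choices; the parser rejects non-RSA keys and a malformed BIT STRING instead of guessing.

```python
import base64, hashlib
# Public key Chris W extracted above with `openssl x509 -pubkey` (1024-bit RSA, e = 3).
PEM_PUBKEY = """-----BEGIN PUBLIC KEY-----
MIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQCaroS7O1DA0hm4IefNYU1cx/nq
OmzEnk291d1XqznDeF4wEgakbkCczTKxK791yNpXG5RmngqH7cygDRTHZJ6mfCRn
0wGC+AI00F2vYTGqPGRQL1N3lZT0YDKFC0SQeMMjFIZ1aeQigroFQnHo0VB3zWIM
pNkka8PY9lxHZAmWwQIBAw==
-----END PUBLIC KEY-----"""
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def der_tlv(buf, pos):
    # One DER tag-length-value at pos -> (tag, value, position after it); short and long lengths.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_from_spki(pem):
    # X.509 SubjectPublicKeyInfo -> (n, e); rejects anything that is not an rsaEncryption key.
    der = base64.b64decode("".join(ln for ln in pem.splitlines() if not ln.startswith("-----")))
    _, spki, _ = der_tlv(der, 0)
    _, alg, pos = der_tlv(spki, 0)                 # AlgorithmIdentifier SEQUENCE { OID, params }
    if der_tlv(alg, 0)[1] != RSA_OID:
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    tag, bits, _ = der_tlv(spki, pos)              # BIT STRING; bits[0] is the unused-bit count
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsapub, _ = der_tlv(bits, 1)                # RSAPublicKey SEQUENCE { modulus, exponent }
    _, n_bytes, pos = der_tlv(rsapub, 0)
    _, e_bytes, _ = der_tlv(rsapub, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def ssh_mpint(x):
    # RFC 4251 mpint: 4-byte length, big-endian magnitude, extra 0x00 when the high bit is set.
    b = x.to_bytes((x.bit_length() + 8) // 8, "big")
    return len(b).to_bytes(4, "big") + b

def ssh_rsa_blob(n, e):
    # Wire-format "ssh-rsa" key: the blob OpenSSH base64-encodes in authorized_keys and known_hosts.
    return len(b"ssh-rsa").to_bytes(4, "big") + b"ssh-rsa" + ssh_mpint(e) + ssh_mpint(n)

def md5_fingerprint(blob):
    # Colon-separated MD5, the "key fingerprint is da:94:b2:..." form OpenSSH printed at the time.
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def authorized_keys_line(pem, comment="x509-subject-key"):
    n, e = rsa_from_spki(pem)
    return "ssh-rsa " + base64.b64encode(ssh_rsa_blob(n, e)).decode() + " " + comment
```

On a current OpenSSH, `ssh-keygen -i -m PKCS8 -f pubkey.pem` performs the same conversion, but that import option did not exist in the 3.8 era the thread discusses.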
brianakee
Tux's lil' helper
Joined: 16 Aug 2002
Posts: 78

PostPosted: Sat Jun 05, 2004 10:50 pm

I wonder if these are the changes made by adding x509 to the USE variable.

In any case, I will have to investigate further.

Thanks for the information regarding openssl. I am sure that it will come in handy.

TM
Chris W
l33t
Joined: 25 Jun 2002
Posts: 972
Location: Brisbane, Australia

PostPosted: Sun Jun 06, 2004 12:35 am

The patch applied by the x509 USE flag is the patch I linked to. Perhaps there's something at that site that would give a clue as to how to use it.

http://www.roumenpetrov.info/openssh/x509h/README.x509v3
_________________
Cheers,
Chris W
"Common sense: The collection of prejudices acquired by age 18." -- Einstein
brianakee
Tux's lil' helper
Joined: 16 Aug 2002
Posts: 78

PostPosted: Sun Jun 06, 2004 12:49 am

I will look again. I was all over that site. Though there is some very good information there, the information does not seem to be very helpful, especially to someone who is not very versed in the ways of openssl.

Interestingly enough, I have been trying to put together some information regarding the use of openssl (x509). Using this with OpenSSH seemed like a very practical use for my testing. In any case, I will keep at it.

If I get it working, or find more information about OpenSSH with x509, I will definitely post it here.

Thank You,

TM
eunuque
n00b
Joined: 19 Aug 2003
Posts: 62

PostPosted: Mon Jan 30, 2006 3:29 pm

Have you got it to work?

I remerged openssh with the X509 patch, then followed the readme from
http://www.roumenpetrov.info/openssh/x509h/README.x509v3
but I can't authenticate using certificates.
Julz
n00b
Joined: 05 Oct 2005
Posts: 25

PostPosted: Thu Feb 09, 2006 1:25 pm

eunuque wrote:
Have you got it to work?

I remerged openssh with the X509 patch, then followed the readme from
http://www.roumenpetrov.info/openssh/x509h/README.x509v3
but I can't authenticate using certificates.


I can't either but if someone has more information I'll be very interested.
I try to authenticate the server with a host certificate and a custom CA. I run ssh with -vvv and everything looks fine up to there:
Code:
debug3: x509key_from_blob: We have 1107 bytes available in BIO
debug3: x509_to_key: X509_get_pubkey done!
debug3: check_host_in_hostfile: filename ~/.ssh/known_hosts
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
debug3: check_host_in_hostfile: filename ~/.ssh/known_hosts
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
debug2: no key of type 0 for host 192.168.1.61
debug3: check_host_in_hostfile: filename ~/.ssh/known_hosts2
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts2
debug3: check_host_in_hostfile: filename ~/.ssh/known_hosts
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
debug2: no key of type 1 for host 192.168.1.61
debug3: check_host_in_hostfile: filename ~/.ssh/known_hosts2
[...]
debug2: no key of type 4 for host 192.168.1.61

Why is it looking for the key in a known_hosts file when it is supposed to check the certificate?
It results in:
Code:
The authenticity of host '192.168.1.61 (192.168.1.61)' can't be established.
RSA+cert key fingerprint is da:94:b2:ec:fe:c4:f1:ee:5e:c7:42:f5:ef:f5:c5:c5.
Distinguished name is [...]
Are you sure you want to continue connecting (yes/no)?
eunuque
n00b
Joined: 19 Aug 2003
Posts: 62

PostPosted: Tue Mar 07, 2006 6:52 pm

You first have to say yes to accept the key, then another check is done on the certificate.
If it is not valid, then the connection will stop.

BTW I've just written a HOWTO:
https://forums.gentoo.org/viewtopic-t-441064.html
Julz
n00b
Joined: 05 Oct 2005
Posts: 25

PostPosted: Wed Mar 08, 2006 9:19 am

eunuque wrote:
You first have to say yes to accept the key, then another check is done on the certificate.
If it is not valid, then the connection will stop.


Thanks for the answer, it's been working that way for me for some time now. It is also possible to automatically put unknown hosts in the known_hosts file, in which case X509 has to be the only authentication mechanism.