Re: x509 patch for SSH

01-16-2008
Roumen Petrov

Hi Konstantin,

Please, find answers in quoted text.


Konstantin V. Gavrilenko wrote:
>
> Hi guys,
>
> I have been trying the x509 patch for ssh from Roumen, and it works great.
> However, I can't figure out a couple of things, and have been trying to solve
> them for a couple of days already.
>
> I'm using OpenSSH_4.7p1-hpn12v19, OpenSSL 0.9.8g
> with version 6.1 of your patch.
>
> The server-side host key is configured correctly, to present x509v3-sign-rsa:
>
> dynowork / # ssh-keyscan pingo
> # pingo SSH-2.0-OpenSSH_4.7p1-hpn12v19
> pingo x509v3-sign-rsa Subject:CN=pingo.dmz.arhont.com,OU=IT,O=Arhont
> Ltd,C=GB
>
>
> However, clients that haven't been patched to support x509 just cannot
> connect, giving the following error:
>
> no hostkey alg
>

Correct.
In sshd_config (HostKey=...) you could list keys of the appropriate type.
A client with x509 support will give the same result if HostKeyAlgorithms is
set to ssh-rsa,ssh-dss in ~/.ssh/config for that host.


> Is it possible to circumvent this apart from also specifying the dss
> key, which non-patched clients would understand?
>
>
> The second problem is with clients that are patched, but for one reason
> or another there is no x509 store setup on the client.
>

So in this case the client could not build a trusted certificate chain, and
verification will reject the given certificate.
That is part of PKI, and you could test what the result is with openssl
verify ... without trusted certificates.


> They just give out the following error:
>
> ssh_x509store_cb: subject='CN=pingo.dmz.arhont.com,OU=IT,O=Arhont
> Ltd,C=GB', error 20 at 0 depth lookup:unable to get local issuer certificate
> ssh_verify_cert: verify error, code=20, msg='unable to get local issuer
> certificate'
> key_verify failed for server_host_key
>
>
> Is it possible to have a situation when if there is no x509 store set up
> on the client, it would simply revert to the password based authentication?
>

In the reported case the client could not trust the host key and, as a result,
will refuse to continue.
But you could switch to rsa/dss host keys (HostKeyAlgorithms
ssh-rsa,ssh-dss) for that host and then set the order of authentication
methods in PreferredAuthentications.


> I have tried setting
> PubkeyAlgorithms ssh-dss
>

The client will use only ssh-dss keys to authenticate to the server.
HostKeyAlgorithms is for accepted host keys.


> PreferredAuthentications keyboard-interactive
>

Maybe you should append "password" if you want to use password
authentication when the previously listed methods are rejected by the server.


> but with no effect, same error appears.
>

Sure, if the server doesn't offer an ssh-dss host key.


> I would appreciate your help.
>
> - --
> Respectfully,
> Konstantin V. Gavrilenko
>
> Arhont Ltd - Information Security
>
> web: http://www.arhont.com
> http://www.wi-foo.com
> e-mail: k.gavrilenko@arhont.com
>
> tel: +44 (0) 870 44 31337
> fax: +44 (0) 117 969 0141
>
> PGP: Key ID - 0xE81824F4
> PGP: Server - keyserver.pgp.com
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@mindrot.org
> https://lists.mindrot.org/mailman/li...enssh-unix-dev


Roumen

--
Get X.509 certificates support in OpenSSH:
http://roumenpetrov.info/openssh/
