This is a discussion on Re: OpenSSH and X.509 Certificate Support within the OpenSSH Development forums, part of the Networking and Network Related category.
sankalp_karpe wrote:
> Hi Roumen,
>
> Thanks for your comments.
> The issues reported by me were not X.509 specific. Sorry about that.
>
> So now I have SSH Server & Client, both patched with X.509 and I can
> successfully connect to the Server using X.509 Certificates.
>
> I have several Linux clients some of which are patched with x.509 patch.
>
> Is it possible for those linux machines (not patched with x.509) to
> log-in to the server with username/password since they do not support
> x.509 certificates (by doing some configuration changes on the Server)?
> I have tried to log-in from a ssh client (without X.509 patch) to a
> ssh server (with X.509 patch), but the server refuses connection with
> the following error on the console:
>
> "no hostkey alg"
>
> My goal, is to make the OpenSSH Server (with X.509 patch) compatible
> with all SSH Clients irrespective of whether the client is patched
> with X.509 or not.
> Would there be any workaround?
>
> Your help would be highly appreciated.
> Thanking you in anticipation.
>
> Thanks and Best Regards,
> Sankalp
>
> Roumen Petrov wrote:
>
>> sankalp_karpe wrote:
>> [SNIP]

You could list in sshd_config all supported key types:
$ grep ^HostKey /etc/ssh/sshd_config
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/SAVE/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

Also you could check key-types supported by server:
$ ssh-keyscan localhost
# localhost SSH-2.0-OpenSSH_4.7
localhost x509v3-sign-rsa Subject:C=XX,...
# localhost SSH-2.0-OpenSSH_4.7
localhost x509v3-sign-dss Subject:C=XX,...
# localhost SSH-2.0-OpenSSH_4.7
localhost ssh-rsa AAAAB3Nza....
# localhost SSH-2.0-OpenSSH_4.7
no hostkey alg

Command ssh-keyscan (see man page) scans for protocol version 2 keys by default.

Roumen
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/li...enssh-unix-dev
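
The ssh-keyscan check from the reply above, as an added example that is not part of the original post: a shell sketch that sorts scanned host key types into X.509 and plain ones and reports whether a client without the X.509 patch, which does not know the x509v3-* algorithms, has any host key algorithm left to negotiate. The function names and the sample scan output are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are assumptions, not from the post.

# Read ssh-keyscan output on stdin and print "<kind> <keytype>" once per type.
# Skips "#" banner lines, blank lines and the "no hostkey alg" diagnostic,
# which would otherwise be misread as a host/keytype/data triple.
classify_hostkeys() {
    awk '
        /^#/ || NF < 3 || /^no hostkey alg$/ { next }
        !seen[$2]++ {
            kind = ($2 ~ /^x509v3-/) ? "x509" : "plain"
            print kind, $2
        }'
}

# Exit 0 if at least one non-X.509 key type is offered, i.e. an unpatched
# client shares a host key algorithm with the server.
unpatched_client_ok() {
    classify_hostkeys | grep -q '^plain '
}

# Constructed sample: certificate keys plus one plain RSA key (shape of the reply's scan).
sample_mixed() { cat <<'EOF'
# localhost SSH-2.0-OpenSSH_4.7
localhost x509v3-sign-rsa Subject:C=XX,O=Example,CN=localhost
# localhost SSH-2.0-OpenSSH_4.7
localhost x509v3-sign-dss Subject:C=XX,O=Example,CN=localhost
# localhost SSH-2.0-OpenSSH_4.7
localhost ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQ-constructed
no hostkey alg
EOF
}

# Constructed sample: every HostKey carries a certificate, no plain key is offered.
sample_x509_only() { cat <<'EOF'
# localhost SSH-2.0-OpenSSH_4.7
localhost x509v3-sign-rsa Subject:C=XX,O=Example,CN=localhost
no hostkey alg
EOF
}

for s in sample_mixed sample_x509_only; do
    echo "== $s"; $s | classify_hostkeys
    if $s | unpatched_client_ok; then echo "unpatched clients: ok"
    else echo "unpatched clients: no hostkey alg expected"; fi
done
```

Against a live server, pipe `ssh-keyscan <host> 2>&1` into `classify_hostkeys` instead of the sample functions.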