Hi,

You can use the "old format", i.e. append the OpenSSH "pub file" to the user's
authorized_keys.
Please see ssh-keygen(1).



yjchui wrote:

>Hi:
>
>
>
> I am trying to use certificate with openssh for user and server authentication according to the guideline of http://roumenpetrov.info/.
>
>
>
> First, both the server and client use self-signed certificate generated by openssh. In this case, openSSH works fine with the certificate authentication.
>
>
>
> Second, the server and client apply for a certificate (in DER format) signed by our company, which contains UTF8 coding (i.e. it contains Chinese). I convert the certificate in DER format to the one in PEM format with the command:
>
>openssl x509 -in server.der -inform DER -out server.pem -outform PEM
>
>
>
> Then, I extract the DN of the server certificate with the command:
>
>IPSEC:~/.ssh# openssl x509 -noout -subject -in server-root.pem
>
>subject= /C=TW/O=\xE4\xB8\xAD\xE8\x8F\xAF\xE9\x9B\xBB\xE4\xBF\xA1 \xE8\x82\xA1\xE4\xBB\xBD\xE6\x9C\x89\xE9\x99\x90\xE5\x85\xAC\xE5\x8F\xB8/CN=yjchu-server
>
>
>
> At this time, I add the above result to the file "/usr/local/etc/ssh_known_hosts" on the client side.
>
>
>
> However, when the client connects to the remote ssh server and performs server authentication, the following error message appears:
>
>-----------------------------------------------------------------------------------
>
>yjchu@Friday:~/.ssh$ ssh -v 10.144.166.135
>
>OpenSSH_3.9p1, OpenSSL 0.9.7e 25 Oct 2004
>
>debug1: Reading configuration data /usr/local/etc/ssh_config
>
>…..
>
>debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
>
>debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
>
>x509key_str2X509NAME: X509_NAME_add_entry_by_NID fail with errormsg='error:0D07A097:asn1 encoding routines:ASN1_mbstring_copy:string too long' for nid=17/organizationName and data='\\xE4\\xB8\\xAD\\xE8\\x8F\\xAF\\xE9\\x9B\\xBB\\xE4\\xBF\\xA1\\xE8\\x82\\xA1\\xE4\\xBB\\xBD\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8'
>
>key_read: uudecode Subject:/C=TW/O=\\xE4\\xB8\\xAD\\xE8\\x8F\\xAF\\xE9\\x9B\\xBB\\xE4\\xBF\\xA1\\xE8\\x82\\xA1\\xE4\\xBB\\xBD\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8/CN=yjchu-server
>
> failed
>
>No RSA+cert host key is known for 10.144.166.135 and you have requested strict checking.
>
>Host key verification failed.
>
>------------------------------------------------------------------------------------------
>
>
>
>Does anybody know how to solve the problem?
>
>
>
>
>Regards
>
>Yann-Ju Chu
>
>



--
Get X.509 certificates support in OpenSSH:
http://roumenpetrov.info/openssh/
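
Added example, not part of the original thread and not code from the X.509 patch: a diagnostic for the "string too long" error in the log above. It assumes, going by the data= field of that error, that the escaped subject text reached OpenSSL as literal characters, and it compares that length with the X.520 upper bound of 64 characters for organizationName; all function names are hypothetical.

```python
import re

# Upper bounds on character count (X.520 / RFC 5280 Appendix A).
UPPER_BOUND = {"C": 2, "O": 64, "OU": 64, "CN": 64}

# Constructed sample modelled on the subject quoted in the message above,
# in the form `openssl x509 -noout -subject` prints it (\xHH escapes).
SAMPLE = (r"subject= /C=TW/O=\xE4\xB8\xAD\xE8\x8F\xAF\xE9\x9B\xBB\xE4\xBF\xA1"
          r"\xE8\x82\xA1\xE4\xBB\xBD\xE6\x9C\x89\xE9\x99\x90\xE5\x85\xAC\xE5\x8F\xB8"
          r"/CN=yjchu-server")

ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")

def unescape(value):
    """Turn \\xHH escapes back into bytes and decode the result as UTF-8."""
    raw = bytearray()
    pos = 0
    for m in ESCAPE.finditer(value):
        raw += value[pos:m.start()].encode("utf-8")
        raw.append(int(m.group(1), 16))
        pos = m.end()
    raw += value[pos:].encode("utf-8")
    return raw.decode("utf-8")  # raises UnicodeDecodeError on invalid UTF-8

def parse_subject(line):
    """Split a one-line '/K=V/K=V' subject into (key, escaped_value) pairs.
    Simplification: values containing '/' are not handled."""
    dn = line.split("=", 1)[1] if line.startswith("subject") else line
    return [tuple(p.split("=", 1)) for p in dn.strip().split("/") if "=" in p]

def check(line):
    """Per attribute: length as literal text, length once decoded, bound checks."""
    report = []
    for key, escaped in parse_subject(line):
        decoded = unescape(escaped)
        limit = UPPER_BOUND.get(key)
        report.append({
            "attr": key, "decoded": decoded, "limit": limit,
            "literal_len": len(escaped), "decoded_len": len(decoded),
            "literal_too_long": limit is not None and len(escaped) > limit,
            "decoded_too_long": limit is not None and len(decoded) > limit,
        })
    return report

if __name__ == "__main__":
    for row in check(SAMPLE):
        print(row)
```

For the sample, the organizationName is within the bound once decoded but exceeds it when the escape sequences are counted as literal characters.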