OpenSSH with X509 problem - SSH


Thread: OpenSSH with X509 problem

  1. OpenSSH with X509 problem

    Hi,

    I'm trying to get OpenSSH to work with Roumen Petrov's X509 patch. The
    client doesn't check the server's host certificate against the CA
    certificate and I can't figure out why.
    Any help will be greatly appreciated.

    Some selected output:

    # ssh -vv 192.168.1.61
    OpenSSH_4.2p1-hpn, OpenSSL 0.9.7e 25 Oct 2004
    [...]
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug2: kex_parse_kexinit:
    diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: x509v3-sign-rsa,x509v3-sign-dss,ssh-rsa,ssh-dss
    [...]
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: kex_parse_kexinit:
    diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: x509v3-sign-rsa
    [...]
    debug1: kex: server->client aes128-cbc hmac-md5 none
    debug2: mac_init: found hmac-md5
    debug1: kex: client->server aes128-cbc hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug2: dh_gen_key: priv key bits set: 140/256
    debug2: bits set: 494/1024
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug2: no key of type 0 for host 192.168.1.61
    debug2: no key of type 1 for host 192.168.1.61
    debug2: no key of type 2 for host 192.168.1.61
    debug2: no key of type 4 for host 192.168.1.61
    The authenticity of host '192.168.1.61 (192.168.1.61)' can't be established.
    RSA+cert key fingerprint is da:94:b2:ec:fe:c4:f1:ee:5e:c7:42:f5:ef:f5:c5:c5.
    Distinguished name is /C=FR/ST=Some-State/L=Paris/O=ACME Corp/OU=ACME
    Web Publishing/CN=admin@web.acme.com/emailAddress=security@web.acme.com.
    Are you sure you want to continue connecting (yes/no)? no
    Host key verification failed.

    From the server's log:

    sshd[2964]: Connection from 192.168.1.67 port 33359
    sshd[2964]: debug1: Client protocol version 2.0; client software version
    OpenSSH_4.2p1-hpn
    sshd[2964]: debug1: match: OpenSSH_4.2p1-hpn pat OpenSSH*
    sshd[2964]: debug1: Enabling compatibility mode for protocol 2.0
    sshd[2964]: debug1: Local version string SSH-2.0-OpenSSH_4.2
    [...]
    sshd[2964]: debug3: mm_answer_sign
    sshd[2964]: debug3: ssh_x509_sign: key_type=RSA+cert,
    key_ssh_name=x509v3-sign-rsa
    sshd[2964]: debug3: ssh_x509_sign: alg=x509v3-sign-rsa, md=rsa-md5
    sshd[2964]: debug3: ssh_x509_sign: signame=x509v3-sign-rsa
    sshd[2964]: debug3: ssh_x509_sign: return 0


  2. Re: OpenSSH with X509 problem

    > Host key verification failed.

    The client will show the reason at debug level 3: ssh -vvv
    I suppose that the CA certificates aren't in the "x.509 store" on the client host -
    check for an error message '... self-signed ...'


  3. Re: OpenSSH with X509 problem

    Roumen Petrov wrote:
    > The client will show the reason at debug level 3: ssh -vvv
    > I suppose that the CA certificates aren't in the "x.509 store" on the client host -
    > check for an error message '... self-signed ...'


    It looks like the CA certificate is loaded. There are four copies of it
    (the two ca-bundle.crt files and two others in the hash dirs):

    debug2: hash dir '~/.ssh/crt' added to x509 store
    debug2: file '~/.ssh/ca-bundle.crt' added to x509 store
    debug2: hash dir '~/.ssh/crl' added to x509 revocation store
    debug2: hash dir '/etc/ssh/ca/crt' added to x509 store
    debug2: file '/etc/ssh/ca/ca-bundle.crt' added to x509 store
    debug2: hash dir '/etc/ssh/ca/crl' added to x509 revocation store

    This is the end of the output with -vvv:

    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug3: key_from_blob(..., 1011)
    debug3: x509key_from_blob: We have 1011 bytes available in BIO
    debug3: x509_to_key: X509_get_pubkey done!
    debug3: check_host_in_hostfile: filename /home/jdemoor/.ssh/known_hosts
    debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
    debug3: check_host_in_hostfile: filename /home/jdemoor/.ssh/known_hosts
    debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
    debug2: no key of type 0 for host 192.168.1.61
    debug3: check_host_in_hostfile: filename /home/jdemoor/.ssh/known_hosts2
    debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts2
    debug3: check_host_in_hostfile: filename /home/jdemoor/.ssh/known_hosts
    debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
    debug2: no key of type 1 for host 192.168.1.61
    debug3: check_host_in_hostfile: filename /home/jdemoor/.ssh/known_hosts2
    debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts2
    debug3: check_host_in_hostfile: filename /home/jdemoor/.ssh/known_hosts
    debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
    debug2: no key of type 2 for host 192.168.1.61
    debug3: check_host_in_hostfile: filename /home/jdemoor/.ssh/known_hosts2
    debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts2
    debug3: check_host_in_hostfile: filename /home/jdemoor/.ssh/known_hosts
    debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
    debug2: no key of type 4 for host 192.168.1.61
    The authenticity of host '192.168.1.61 (192.168.1.61)' can't be established.
    RSA+cert key fingerprint is a9:f3:3d:cc:55:e1:1a:38:6d:1a:de:55:93:01:b9:0a.
    Distinguished name is /C=FR/ST=Some-State/O=ACME/CN=192.168.1.61.
    Are you sure you want to continue connecting (yes/no)? no
    Host key verification failed.

  4. Re: OpenSSH with X509 problem

    Sorry, I missed your answer:
    Are you sure you want to continue connecting (yes/no)? no

    To connect to a host, the openssh client requires the "host-key" to exist in the user
    or system-wide known_hosts file.
    Since you answered "no", the host-key isn't added to the user known_hosts file and
    the client terminates the session.


  5. Re: OpenSSH with X509 problem

    Roumen Petrov wrote:
    > Sorry, I missed your answer:
    > Are you sure you want to continue connecting (yes/no)? no
    >
    > To connect to a host, the openssh client requires the "host-key" to exist in the user
    > or system-wide known_hosts file.


    I expected the patch to avoid that necessity, but I finally found the
    option that makes ssh automatically create the entry (I also disabled the
    methods for server authentication that don't include a certificate).
    That's because I need a way to add/remove servers in a centralized
    manner (using a local CA), without needing to edit the known_hosts files
    and without asking the users.

  6. Re: OpenSSH with X509 problem

    You can put the host-key in GlobalKnownHostsFile.
    A recent "ssh-keygen -R hostname [-f known_hosts_file]" can help to
    remove entries.
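    The last two posts turn on how the client matches a host against known_hosts entries and how `ssh-keygen -R` removes them. The following is an added example (not code from the thread, from OpenSSH or from the X.509 patch) that reproduces that matching on in-memory known_hosts content: it handles plain host lists, `[host]:port` forms, `@cert-authority`/`@revoked` markers, and OpenSSH's hashed `|1|salt|hash` lines (HMAC-SHA1 keyed with the salt over the hostname, which is what HashKnownHosts writes). The sample file content, the placeholder key blob and the fixed salt are constructed for the example; wildcard patterns are not expanded, so it is a model of the matching rule, not a replacement for `ssh-keygen -R` on a real file.

```python
"""Find and remove a host's known_hosts entries, including hashed lines.
Added example for this thread; not OpenSSH or X.509-patch code."""
import base64
import hashlib
import hmac
import os

KEYTYPE = "ssh-rsa"
# Constructed placeholder key material; not a real host key.
FAKE_KEY = base64.b64encode(b"placeholder-host-key-blob").decode()


def hash_host_entry(hostname, keytype, key_b64, salt=None):
    """Build a HashKnownHosts-style line: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    salt = salt if salt is not None else os.urandom(20)
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    host_field = "|1|%s|%s" % (
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )
    return f"{host_field} {keytype} {key_b64}"


def hashed_host_matches(host_field, hostname):
    """Recompute the salted HMAC for hostname and compare in constant time."""
    parts = host_field.split("|")
    if len(parts) != 4 or parts[1] != "1":
        return False
    try:
        salt = base64.b64decode(parts[2])
        stored = base64.b64decode(parts[3])
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    computed = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(computed, stored)


def entry_matches(line, hostname):
    """True if a known_hosts line names hostname (exact or hashed; no wildcards)."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return False
    fields = stripped.split()
    if fields[0].startswith("@"):  # @cert-authority / @revoked marker
        fields = fields[1:]
    if len(fields) < 3:            # need hosts, keytype, key
        return False
    host_field = fields[0]
    if host_field.startswith("|1|"):
        return hashed_host_matches(host_field, hostname)
    return hostname in host_field.split(",")


def find_host(text, hostname):
    """All lines that would let the client accept hostname."""
    return [ln for ln in text.splitlines() if entry_matches(ln, hostname)]


def remove_host(text, hostname):
    """Model of `ssh-keygen -R hostname -f file`: returns (new_text, removed_lines)."""
    kept, removed = [], []
    for ln in text.splitlines():
        (removed if entry_matches(ln, hostname) else kept).append(ln)
    return "\n".join(kept) + "\n", removed


def build_sample():
    """Constructed known_hosts content: plain, multi-name, port and hashed lines."""
    fixed_salt = bytes(range(20))  # fixed so the sample is reproducible
    return "\n".join([
        "# constructed sample known_hosts",
        f"192.168.1.61 {KEYTYPE} {FAKE_KEY}",
        f"web.acme.com,192.168.1.61 {KEYTYPE} {FAKE_KEY}",
        f"[192.168.1.61]:2222 {KEYTYPE} {FAKE_KEY}",
        f"192.168.1.67 {KEYTYPE} {FAKE_KEY}",
        hash_host_entry("192.168.1.61", KEYTYPE, FAKE_KEY, salt=fixed_salt),
        hash_host_entry("192.168.1.67", KEYTYPE, FAKE_KEY, salt=fixed_salt),
    ]) + "\n"


if __name__ == "__main__":
    sample = build_sample()
    new_text, gone = remove_host(sample, "192.168.1.61")
    print("removed %d line(s):" % len(gone))
    for ln in gone:
        print("  ", ln)
    print("remaining:\n" + new_text)
```

    Running it removes the plain, the multi-name and the hashed entries for 192.168.1.61 while leaving the `[192.168.1.61]:2222` line alone, which is the same distinction `ssh-keygen -R 192.168.1.61` makes (a non-default port has to be removed by naming it as `[host]:port`). For the centralized setup described in the previous post, the same matching is what decides whether a line placed in GlobalKnownHostsFile is honoured for a given host name or address.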

