X.509-SSH: Difference between revisions

This howto assumes you have a flavour of LINUX running on your machine!

SERVER (mainly intended for sysadmins and operators!)

INSTALLATION

• Download openssh sourcecode:

• Download patch to support X.509 certificates for authenticaton:

• additional prerequisites:

"libc6" development packages, "zlib" development packages, "patch" binary

• On Ubuntu 8.04 LTS use:

• On Ubuntu 10.04 LTS use:

• On SLES10:

install "zlib-devel[-32bit]" and "openssl-devel[-32bit]"

• Extract openssh:

• Change into the new directory and apply the downloaded patch:

• Configure and make:

CONFIGURATION

CLIENT (mainly intended for users)

INSTALLATION

• Download openssh sourcecode:

• Download patch to support X.509 certificates for authenticaton from:

• additional prerequisites:

"libc6" development packages, "zlib" development packages, "patch" binary

• On Ubuntu 8.04 LTS use:

• On Ubuntu 10.04 LTS use:

• On SLES10:

install "zlib-devel[-32bit]" and "openssl-devel[-32bit]"

• Extract openssh:

• Change into the new directory and apply the downloaded patch:

• Configure and make:

• Pick the following binaries:

CONFIGURATION

• Export a PKCS#12 keystore with your grid certificate and private key from your browser.

• Export your certificate from the PKCS#12 keystore:

• Make sure the private key file is only accessible by you:

• Export private key from keystore:

• Create identity (file):

USAGE

• Log in to a remote system with X.509 SSH:

PROBLEMS

• If there are problems that prevent you from login, please provide us with a full log of the authentication using the switch "-vvv":

Some common problems

• Symptom(s):
  • login impossible
  • messages in the full log of the authentication similar to the following messages:

[...]
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug3: x509key_from_subject: 1 is not x509 key
debug3: key_from_blob(..., 279)
[...]
debug1: Next authentication method: publickey
debug1: Offering public key: x509_identity
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug3: Wrote 368 bytes for a total of 1509
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).

• Problem:

You have created a public key from the X.509 ssh private key using an unpatched "ssh-keygen".

• Possible solution:

You don't need to have a public key ready for accessing our systems. The public key is created automatically by your client during authentication. Therefore you can just delete this file (usually named like "x509_identity.pub").

• Symptom(s):
  • login impossible
  • messages in the full log of the authentication similar to the following messages:

[...]
debug1: Next authentication method: publickey
debug1: Trying private key: $HOME/.ssh/x509_identity
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).

• Problem:

If "$HOME" wasn't provided by the user as anonymous alternative to his home directory (in order to not disclose his local account's name), it is very likely, that he has provided this in his "ssh_config" file using the "IdentityFile" keyword.

• Possible Solution:

According to the corresponding manual page (ssh_config(5)) shell variables are not evaluated (except "~") inside of the "ssh_config" file. Hence the "ssh" binary cannot find the identity file and therefore "[...]did not send a packet[...]", leading to an impossible login. Please only use the notations supposed in the "ssh_config" manpage shipped with your "ssh" binary.

SEE ALSO

Readme for X.509 SSH v6.2.1