- Infos im HLRS Wiki sind nicht rechtsverbindlich und ohne Gewähr -
- Information contained in the HLRS Wiki is not legally binding and HLRS is not responsible for any damages that might result from its use -
X.509-SSH: Difference between revisions
Line 17: | Line 17: | ||
* additional prerequisites: | * additional prerequisites: | ||
"libc6" development packages, "zlib" development packages, "patch" binary | |||
* On Ubuntu 8.04 LTS use: | |||
{{Command | command = | {{Command | command = | ||
$ sudo apt-get update | $ sudo apt-get update | ||
Line 25: | Line 25: | ||
}} | }} | ||
* On Ubuntu 10.04 LTS use: | |||
{{Command | command = | {{Command | command = | ||
$ sudo apt-get update | $ sudo apt-get update |
Revision as of 12:33, 6 September 2010
This howto assumes you have a flavour of LINUX running on your machine!
SERVER (mainly intended for sysadmins and operators!)
INSTALLATION
- Download openssh sourcecode:
- Download patch to support X.509 certificates for authenticaton:
- additional prerequisites:
"libc6" development packages, "zlib" development packages, "patch" binary
- On Ubuntu 8.04 LTS use:
- On Ubuntu 10.04 LTS use:
- On SLES10:
install "zlib-devel[-32bit]" and "openssl-devel[-32bit]"
- Extract openssh:
- Change into the new directory and apply the downloaded patch:
- Configure and make:
CONFIGURATION
CLIENT (mainly intended for users)
INSTALLATION
- Download openssh sourcecode:
- Download patch to support X.509 certificates for authenticaton from:
- additional prerequisites:
"libc6" development packages, "zlib" development packages, "patch" binary
- On Ubuntu 8.04 LTS use:
- On Ubuntu 10.04 LTS use:
- On SLES10:
install "zlib-devel[-32bit]" and "openssl-devel[-32bit]"
- Extract openssh:
- Change into the new directory and apply the downloaded patch:
- Configure and make:
- Pick the following binaries:
CONFIGURATION
- Export a PKCS#12 keystore with your grid certificate and private key from your browser.
- Export your certificate from the PKCS#12 keystore:
- Make sure the private key file is only accessible by you:
- Export private key from keystore:
- Create identity (file):
USAGE
- Log in to a remote system with X.509 SSH:
PROBLEMS
- If there are problems that prevent you from login, please provide us with a full log of the authentication using the switch "-vvv":
Some common problems
- Symptom(s):
- login impossible
- messages in the full log of the authentication similar to the following messages:
[...] debug2: key_type_from_name: unknown key type '-----END' debug3: key_read: missing keytype debug3: x509key_from_subject: 1 is not x509 key debug3: key_from_blob(..., 279) [...] debug1: Next authentication method: publickey debug1: Offering public key: x509_identity debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug3: Wrote 368 bytes for a total of 1509 debug1: Authentications that can continue: publickey debug2: we did not send a packet, disable method debug1: No more authentication methods to try. Permission denied (publickey).
- Problem:
You have created a public key from the X.509 ssh private key using an unpatched "ssh-keygen".
- Possible solution:
You don't need to have a public key ready for accessing our systems. The public key is created automatically by your client during authentication. Therefore you can just delete this file (usually named like "x509_identity.pub").
- Symptom(s):
- login impossible
- messages in the full log of the authentication similar to the following messages:
[...] debug1: Next authentication method: publickey debug1: Trying private key: $HOME/.ssh/x509_identity debug2: we did not send a packet, disable method debug1: No more authentication methods to try. Permission denied (publickey).
- Problem:
If "$HOME" wasn't provided by the user as anonymous alternative to his home directory (in order to not disclose his local account's name), it is very likely, that he has provided this in his "ssh_config" file using the "IdentityFile" keyword.
- Possible Solution:
According to the corresponding manual page (ssh_config(5)) shell variables are not evaluated (except "~") inside of the "ssh_config" file. Hence the "ssh" binary cannot find the identity file and therefore "[...]did not send a packet[...]", leading to an impossible login. Please only use the notations supposed in the "ssh_config" manpage shipped with your "ssh" binary.