- Information contained in the HLRS Wiki is not legally binding and HLRS is not responsible for any damages that might result from its use -
X.509-SSH: Difference between revisions
Line 64: | Line 64: | ||
* Download openssh sourcecode: | * Download openssh sourcecode: | ||
{{Command | command = | |||
$ wget -c ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.3p1.tar.gz | $ wget -c ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.3p1.tar.gz | ||
}} | |||
* Download patch to support X.509 certificates for authenticaton from: | * Download patch to support X.509 certificates for authenticaton from: | ||
{{Command | command = | |||
$ wget -c http://www.roumenpetrov.info/openssh/x509-6.2.1/openssh-5.3p1+x509-6.2.1.diff.gz | $ wget -c http://www.roumenpetrov.info/openssh/x509-6.2.1/openssh-5.3p1+x509-6.2.1.diff.gz | ||
}} | |||
* additional prerequisites: | * additional prerequisites: | ||
"libc6" development packages, "zlib" development packages, "patch" binary | "libc6" development packages, "zlib" development packages, "patch" binary | ||
* On Ubuntu 8.04 LTS use: | * On Ubuntu 8.04 LTS use: | ||
{{Command | command = | |||
$ sudo apt-get update | $ sudo apt-get update | ||
$ sudo apt-get install libc6-dev zlib1g-dev patch | $ sudo apt-get install libc6-dev zlib1g-dev patch | ||
}} | |||
* On SLES10 | * On SLES10: | ||
install "zlib-devel[-32bit]" and "openssl-devel[-32bit]" | |||
* Extract openssh: | * Extract openssh: | ||
{{Command | command = | |||
$ tar -xzf openssh-5.3p1.tar.gz | $ tar -xzf openssh-5.3p1.tar.gz | ||
}} | |||
* Change into the new directory and apply the downloaded patch: | * Change into the new directory and apply the downloaded patch: | ||
{{Command | command = | |||
$ cd openssh-5.3p1 | $ cd openssh-5.3p1 | ||
openssh-5.3p1/$ zcat <PATH_TO_PATCH>openssh-5.3p1+x509-6.2.1.diff.gz | patch -p 1 | openssh-5.3p1/$ zcat <PATH_TO_PATCH>openssh-5.3p1+x509-6.2.1.diff.gz | patch -p 1 | ||
}} | |||
* Configure and make: | * Configure and make: | ||
{{Note | text = | |||
Commands enclosed in "[...]" are optional! See manpages for details. | |||
}} | |||
{{Command | command = | |||
<nowiki>openssh-5.3p1/$ [time] ./configure [2>&1 | tee configure.log] | |||
< | |||
openssh-5.3p1/$ [time] ./configure [2>&1 | tee configure.log] | |||
openssh-5.3p1/$ [time] make [2>&1 | tee make.log] | openssh-5.3p1/$ [time] make [2>&1 | tee make.log] | ||
</ | </nowiki> | ||
}} | |||
* Take the following binaries: | * Take the following binaries: | ||
{{Command | command = | |||
openssh-5.3p1/$ cp ./ssh $HOME/bin [&& strip $HOME/bin/ssh] | openssh-5.3p1/$ cp ./ssh $HOME/bin [&& strip $HOME/bin/ssh] | ||
openssh-5.3p1/$ cp ./ssh-keygen $HOME/bin [&& strip $HOME/bin/ssh-keygen] | openssh-5.3p1/$ cp ./ssh-keygen $HOME/bin [&& strip $HOME/bin/ssh-keygen] | ||
}} | |||
{{Note | text = | |||
Make sure that "$HOME/bin" is at the beginning of "$PATH" or call the created | |||
binaries directly. | |||
}} | |||
---- | ---- |
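Review bot: the source tarball and the X.509 patch (the two `wget -c` lines) are fetched over plain ftp/http and fed straight into `patch -p 1` without any integrity check; record the expected checksum of both files, or verify the detached PGP signature (.asc) that OpenSSH publishes next to each release tarball, before building, because whatever is in that patch ends up in the `ssh` binary every user copies to `$HOME/bin`. Secondary point on the prerequisites: the SLES10 line added in this revision lists `openssl-devel`, but the Ubuntu 8.04 line installs only `libc6-dev zlib1g-dev patch`; the OpenSSL development package (`libssl-dev` on Ubuntu) belongs there too, since the X.509 patch builds against OpenSSL, and the "authenticaton" typo survives in both columns.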
Revision as of 07:17, 28 April 2010
This howto assumes you have a flavour of LINUX running on your machine!
SERVER (mainly intended for sysadmins and operators!)
INSTALLATION
- Download openssh sourcecode:
- Download patch to support X.509 certificates for authentication:
- additional prerequisites:
"libc6" development packages, "zlib" development packages, "patch" binary
- On Ubuntu 8.04 LTS use:
- On SLES10:
install "zlib-devel[-32bit]" and "openssl-devel[-32bit]"
- Extract openssh:
- Change into the new directory and apply the downloaded patch:
- Configure and make:
CONFIGURATION
CLIENT (mainly intended for users)
INSTALLATION
- Download openssh sourcecode:
- Download patch to support X.509 certificates for authentication from:
- additional prerequisites:
"libc6" development packages, "zlib" development packages, "patch" binary
- On Ubuntu 8.04 LTS use:
- On SLES10:
install "zlib-devel[-32bit]" and "openssl-devel[-32bit]"
- Extract openssh:
- Change into the new directory and apply the downloaded patch:
- Configure and make:
- Take the following binaries:
CONFIGURATION
- Export a PKCS#12 keystore with your grid certificate and private key from your browser.
NOTICE:
This usually involves setting a password for the PKCS#12 keystore (referred to below as the <KEYSTORE_PASSWD>).
- Export your certificate from the PKCS#12 keystore:
$ openssl pkcs12 -in <PKCS12_KEYSTORE> -clcerts -nokeys -out $HOME/.ssh/certificate.pem
NOTICE:
One has to enter the <KEYSTORE_PASSWD> once to unlock the PKCS#12 keystore for the export.
- Make sure the private key file is only accessible by you:
$ umask 0077
- Export private key from keystore:
$ openssl pkcs12 -in <PKCS12_KEYSTORE> -nocerts -out $HOME/.ssh/key.pem
NOTICE:
One has to enter the <KEYSTORE_PASSWD> once to unlock the PKCS#12 keystore for the export. Additionally one has to provide a password for the exported private key (entered twice).
- Create identity (file):
$ cat $HOME/.ssh/key.pem $HOME/.ssh/certificate.pem > $HOME/.ssh/x509_identity
USAGE
- Log in to a remote system with X.509 SSH:
$ ssh -i $HOME/.ssh/x509_identity -l <YOUR_LOGIN_NAME> -p <PORT> <SERVER>
NOTICE:
For "laki" <PORT> is "443" and <SERVER> is "cl3fr1.hww.de". For "SX-9" <PORT> is "443" and <SERVER> is "yari.hww.de".
PROBLEMS
- If there are problems that prevent you from logging in, please provide us with a full log of the authentication, produced with the switch "-vvv":
$ ssh -vvv -i $HOME/.ssh/x509_identity -l <YOUR_LOGIN_NAME> -p <PORT> <SERVER> [&> full_auth.log]
Some common problems
- Symptom(s):
- login impossible
- messages in the full log of the authentication similar to the following messages:
[...]
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug3: x509key_from_subject: 1 is not x509 key
debug3: key_from_blob(..., 279)
[...]
debug1: Next authentication method: publickey
debug1: Offering public key: x509_identity
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug3: Wrote 368 bytes for a total of 1509
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).
- Problem:
You have created a public key out of the X.509 ssh private key using an unpatched "ssh-keygen".
- Possible solution:
You don't need a public key file to access our systems: the client derives the public key automatically during authentication. Therefore you can simply delete this file (usually named "x509_identity.pub").
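The CONFIGURATION steps above (PKCS#12 export, umask, concatenation into x509_identity) and the stale ".pub" problem described in this PROBLEMS section can be exercised end to end with the following script. It is an added example, not part of the HLRS wiki page or of the X.509 patch: the function names, the `openssl`-based consistency checks, and the self-signed demo keystore that stands in for a browser export are all assumptions made here. Besides building the identity file with the page's commands, it verifies that the private key and certificate belong together, that the certificate has not expired, and that no leftover `x509_identity.pub` is lying next to the identity.

```shell
#!/bin/sh
# Added example (not from the HLRS wiki page). Builds an X.509 SSH identity
# from a PKCS#12 keystore as the CONFIGURATION steps describe and checks it
# before the first login attempt. Assumptions: "openssl" is on $PATH; the
# function names and the constructed demo keystore are not from the page.

# build_x509_identity KEYSTORE KEYSTORE_PASSWD KEY_PASSWD IDENTITY
# Exports certificate.pem and key.pem from the keystore and concatenates them
# into IDENTITY; everything is created under umask 0077, as on the page.
# Passwords are handed to openssl through the environment (env:), not argv.
build_x509_identity() {
    keystore=$1; ks_pass=$2; key_pass=$3; out=$4
    outdir=$(dirname "$out")
    old_umask=$(umask)
    umask 0077
    mkdir -p "$outdir" || { umask "$old_umask"; return 1; }
    # certificate only (-clcerts -nokeys), same as the page
    KS_PASS=$ks_pass openssl pkcs12 -in "$keystore" -clcerts -nokeys \
        -passin env:KS_PASS -out "$outdir/certificate.pem" >/dev/null 2>&1 \
        || { umask "$old_umask"; return 1; }
    # private key only (-nocerts); KEY_PASSWD encrypts the exported key
    KS_PASS=$ks_pass KEY_PASS=$key_pass openssl pkcs12 -in "$keystore" -nocerts \
        -passin env:KS_PASS -passout env:KEY_PASS -out "$outdir/key.pem" >/dev/null 2>&1 \
        || { umask "$old_umask"; return 1; }
    cat "$outdir/key.pem" "$outdir/certificate.pem" > "$out"
    rc=$?
    umask "$old_umask"
    return $rc
}

# check_x509_identity IDENTITY KEY_PASSWD
# 0 = usable, 1 = malformed or inconsistent identity, 2 = a stale .pub file
# (the PROBLEMS symptom) sits next to the identity. Diagnostics go to stderr.
check_x509_identity() {
    id=$1; key_pass=$2
    [ -r "$id" ] || { echo "cannot read $id" >&2; return 1; }
    keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$id" || true)
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$id" || true)
    if [ "$keys" -ne 1 ] || [ "$certs" -ne 1 ]; then
        echo "expected exactly one private key and one certificate in $id" >&2
        return 1
    fi
    # the public key derived from the private key must equal the certificate's
    pk_key=$(KEY_PASS=$key_pass openssl pkey -in "$id" -passin env:KEY_PASS -pubout 2>/dev/null || true)
    pk_cert=$(openssl x509 -in "$id" -noout -pubkey 2>/dev/null || true)
    if [ -z "$pk_key" ] || [ "$pk_key" != "$pk_cert" ]; then
        echo "private key and certificate in $id do not belong together" >&2
        return 1
    fi
    # an expired certificate is rejected by X.509 validation on the server
    if ! openssl x509 -in "$id" -noout -checkend 0 >/dev/null 2>&1; then
        echo "certificate in $id has expired" >&2
        return 1
    fi
    # PROBLEMS section: a .pub written by an unpatched ssh-keygen breaks the login
    if [ -e "$id.pub" ]; then
        echo "stale $id.pub found; the X.509 client needs no .pub file, delete it" >&2
        return 2
    fi
    return 0
}

# make_demo_keystore DIR KEYSTORE_PASSWD
# Constructed test fixture replacing the browser export: a self-signed
# certificate and its key, bundled into DIR/demo.p12.
make_demo_keystore() {
    dir=$1; ks_pass=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=demo user" \
        -keyout "$dir/demo_key.pem" -out "$dir/demo_cert.pem" >/dev/null 2>&1 || return 1
    KS_PASS=$ks_pass openssl pkcs12 -export -inkey "$dir/demo_key.pem" \
        -in "$dir/demo_cert.pem" -passout env:KS_PASS -out "$dir/demo.p12" >/dev/null 2>&1
}

# End-to-end run on the constructed keystore; exit status is the check result.
demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_keystore "$tmp" "keystore-secret" &&
    build_x509_identity "$tmp/demo.p12" "keystore-secret" "key-secret" "$tmp/.ssh/x509_identity" &&
    check_x509_identity "$tmp/.ssh/x509_identity" "key-secret"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh build_identity.sh demo` to see the whole flow on the throwaway keystore; for a real keystore call `build_x509_identity` and `check_x509_identity` with your own paths. The check order mirrors the failure modes a user meets: a mismatched or expired certificate fails server-side with nothing more than "Permission denied (publickey)" in the client log, while the stale .pub file is the local cause the PROBLEMS section describes.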