- Information contained in the HLRS Wiki is not legally binding and HLRS is not responsible for any damages that might result from its use -

X.509-SSH: Difference between revisions

From HLRS Platforms

Revision as of 07:20, 28 April 2010

This howto assumes you have a flavour of Linux running on your machine.

SERVER (mainly intended for sysadmins and operators!)

INSTALLATION

  • Download the openssh source code (verify the release's detached PGP signature, the .asc file published alongside the tarball, before building from it):


  • Download the patch to support X.509 certificates for authentication:


  • Additional prerequisites:

"libc6" development packages, "zlib" development packages, "openssl" development packages, "patch" binary

  • On Ubuntu 8.04 LTS use:
$ sudo apt-get update
$ sudo apt-get install libc6-dev zlib1g-dev libssl-dev patch


  • On SLES10:

install "zlib-devel[-32bit]" and "openssl-devel[-32bit]"


  • Extract openssh:
$ tar -xzf openssh-5.3p1.tar.gz


  • Change into the new directory and apply the downloaded patch. The pipe into "patch" is what applies it; -p1 strips one leading directory component from the paths in the diff, and if patch reports that it cannot find the files, check the README shipped with the patch for the right -p level (add "--dry-run" to see what would change first):
$ cd openssh-5.3p1
openssh-5.3p1/$ zcat <PATH_TO_PATCH>openssh-5.3p1+x509-6.2.1.diff.gz | patch -p1


  • Configure and make:
Note: Commands enclosed in "[...]" are optional! See manpages for details.


openssh-5.3p1/$ [time] ./configure --prefix=<INSTALLATION-DIR> [2>&1 | tee configure.log]
openssh-5.3p1/$ [time] make [2>&1 | tee make.log]
openssh-5.3p1/$ [sudo] make install



CONFIGURATION


CLIENT (mainly intended for users)

INSTALLATION

  • Download the openssh source code (verify the release's detached PGP signature, the .asc file published alongside the tarball, before building from it):


  • Download the patch to support X.509 certificates for authentication from:


  • Additional prerequisites:

"libc6" development packages, "zlib" development packages, "openssl" development packages, "patch" binary

  • On Ubuntu 8.04 LTS use:
$ sudo apt-get update
$ sudo apt-get install libc6-dev zlib1g-dev libssl-dev patch


  • On SLES10:

install "zlib-devel[-32bit]" and "openssl-devel[-32bit]"


  • Extract openssh:
$ tar -xzf openssh-5.3p1.tar.gz


  • Change into the new directory and apply the downloaded patch. The pipe into "patch" is what applies it; -p1 strips one leading directory component from the paths in the diff, and if patch reports that it cannot find the files, check the README shipped with the patch for the right -p level (add "--dry-run" to see what would change first):
$ cd openssh-5.3p1
openssh-5.3p1/$ zcat <PATH_TO_PATCH>openssh-5.3p1+x509-6.2.1.diff.gz | patch -p1


  • Configure and make:
Note: Commands enclosed in "[...]" are optional! See manpages for details.


openssh-5.3p1/$ [time] ./configure [2>&1 | tee configure.log]
openssh-5.3p1/$ [time] make [2>&1 | tee make.log]


  • Take the following binaries:
openssh-5.3p1/$ cp ./ssh $HOME/bin [&& strip $HOME/bin/ssh]
openssh-5.3p1/$ cp ./ssh-keygen $HOME/bin [&& strip $HOME/bin/ssh-keygen]


Note: Make sure that "$HOME/bin" is at the beginning of "$PATH" or call the created binaries directly.



CONFIGURATION


  • Export a PKCS#12 keystore with your grid certificate and private key from your browser.
Note: This usually involves setting a password for the PKCS#12 keystore (referred to below as <KEYSTORE_PASSWD>). The keystore file contains your private key, so keep it readable by you only and remove it once the export below is done.


  • Export your certificate from the PKCS#12 keystore:
$ openssl pkcs12 -in <PKCS12_KEYSTORE> -clcerts -nokeys -out $HOME/.ssh/certificate.pem


Note: One has to enter the <KEYSTORE_PASSWD> once to unlock the PKCS#12 keystore for the export.


  • Make sure the private key file is only accessible by you. The umask only affects files created afterwards in the same shell, so set it before the export and run the export in that shell:
$ umask 0077


  • Export the private key from the keystore:
$ openssl pkcs12 -in <PKCS12_KEYSTORE> -nocerts -out $HOME/.ssh/key.pem


Note: One has to enter the <KEYSTORE_PASSWD> once to unlock the PKCS#12 keystore for the export. Additionally one has to provide a password for the exported private key (twice); the key is written encrypted under that password, and ssh asks for it when you log in.


  • Create the identity file (key first, then certificate; use full paths, since both files were written to $HOME/.ssh):
$ cat $HOME/.ssh/key.pem $HOME/.ssh/certificate.pem > $HOME/.ssh/x509_identity
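The client CONFIGURATION steps above put together as one script, an added example that is not part of this page or of the X.509 patch: it exports certificate and key from the keystore with the same openssl commands, writes the identity under the 0077 umask, and then verifies what the steps leave implicit, that the resulting files are owner-only and that the private key actually belongs to the certificate. The function names make_x509_identity and check_identity, the passing of passwords as arguments, and the use of stat and awk are this example's own choices; the keystore it is exercised with would be constructed locally.

```shell
#!/bin/sh
# Added example, not part of the HLRS page: the CONFIGURATION steps above
# as one POSIX sh script, plus the checks those steps leave implicit: the
# files are owner-only (0600), the identity contains both a private key and
# a certificate, and the key really belongs to the certificate. File names
# follow the page; function names and the password arguments are this
# example's own. Requires the openssl command-line tool.
set -eu

# make_x509_identity KEYSTORE OUTDIR KEYSTORE_PASSWD KEY_PASSWD
# Passwords are parameters only so the function is scriptable; when typing
# the commands by hand, drop -passin/-passout and let openssl prompt.
make_x509_identity() {
    keystore=$1; outdir=$2; ks_pw=$3; key_pw=$4
    (
        umask 0077                      # everything created below is owner-only
        mkdir -p "$outdir"
        # certificate only (-clcerts -nokeys), unlocked with <KEYSTORE_PASSWD>
        openssl pkcs12 -in "$keystore" -clcerts -nokeys \
            -passin "pass:$ks_pw" -out "$outdir/certificate.pem"
        # private key only (-nocerts), written encrypted under KEY_PASSWD
        openssl pkcs12 -in "$keystore" -nocerts \
            -passin "pass:$ks_pw" -passout "pass:$key_pw" -out "$outdir/key.pem"
        # full paths: a bare "cat key.pem certificate.pem" only works from ~/.ssh
        cat "$outdir/key.pem" "$outdir/certificate.pem" > "$outdir/x509_identity"
    )
}

# check_identity IDENTITY KEY_PASSWD
# Prints "ok" and returns 0 when IDENTITY has mode 0600, holds a private key
# and a certificate, and the key's public half equals the certificate's.
check_identity() {
    ident=$1; key_pw=$2
    mode=$(stat -c '%a' "$ident" 2>/dev/null || stat -f '%Lp' "$ident")
    [ "$mode" = "600" ] || { echo "$ident: mode is $mode, expected 600" >&2; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$ident" || { echo "$ident: no certificate" >&2; return 1; }
    grep -q 'PRIVATE KEY-----' "$ident" || { echo "$ident: no private key" >&2; return 1; }
    # Compare the SubjectPublicKeyInfo of both objects. awk cuts out one PEM
    # block at a time so openssl never has to skip over the other one.
    cert_pub=$(awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' "$ident" \
               | openssl x509 -noout -pubkey)
    key_pub=$(awk '/BEGIN .*PRIVATE KEY/,/END .*PRIVATE KEY/' "$ident" \
              | openssl pkey -passin "pass:$key_pw" -pubout)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "$ident: private key does not match the certificate" >&2; return 1
    fi
    # See PROBLEMS below: a .pub made with an unpatched ssh-keygen breaks the
    # login, and no .pub is needed at all, so point out a stale one.
    if [ -e "$ident.pub" ]; then
        echo "warning: $ident.pub exists; it is not needed, consider deleting it" >&2
    fi
    echo ok
}

# Stand-alone use: sh make_identity.sh <PKCS12_KEYSTORE> [OUTDIR]
# OUTDIR defaults to $HOME/.ssh; both passwords are read from the terminal.
if [ $# -ge 1 ]; then
    out=${2:-$HOME/.ssh}
    printf 'Keystore password: ' >&2; stty -echo; read -r ks; stty echo; echo >&2
    printf 'Password for the exported key: ' >&2; stty -echo; read -r kp; stty echo; echo >&2
    make_x509_identity "$1" "$out" "$ks" "$kp"
    check_identity "$out/x509_identity" "$kp"
fi
```

Run it as "sh make_identity.sh <PKCS12_KEYSTORE>" to produce $HOME/.ssh/x509_identity, or source it and call check_identity on an identity you assembled by hand: a key that does not belong to the certificate, or a file that is readable by others, is worth ruling out before collecting a -vvv log.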



USAGE

  • Log in to a remote system with X.509 SSH:
$ ssh -i $HOME/.ssh/x509_identity -l <YOUR_LOGIN_NAME> -p <PORT> <SERVER>

NOTICE:

For "laki" <PORT> is "443" and <SERVER> is "cl3fr1.hww.de". For "SX-9" <PORT> is "443" and <SERVER> is "yari.hww.de".


PROBLEMS

  • If there are problems that prevent you from logging in, please provide us with a full log of the authentication using the switch "-vvv" (the debug output goes to stderr, hence the redirection):
$ ssh -vvv -i $HOME/.ssh/x509_identity -l <YOUR_LOGIN_NAME> -p <PORT> <SERVER> [> full_auth.log 2>&1]

Some common problems

  • Symptom(s):
    • login impossible
    • messages in the full log of the authentication similar to the following messages:
[...]
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug3: x509key_from_subject: 1 is not x509 key
debug3: key_from_blob(..., 279)
[...]
debug1: Next authentication method: publickey
debug1: Offering public key: x509_identity
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug3: Wrote 368 bytes for a total of 1509
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).
  • Problem:

You have created a public key out of the X.509 ssh private key using an unpatched "ssh-keygen".

  • Possible solution:

You don't need to have a public key ready for accessing our systems. The public key is created automatically by your client during authentication. Therefore you can just delete this file (usually named like "x509_identity.pub").



SEE ALSO

Readme for X.509 SSH v6.2.1