- Infos im HLRS Wiki sind nicht rechtsverbindlich und ohne Gewähr -
- Information contained in the HLRS Wiki is not legally binding and HLRS is not responsible for any damages that might result from its use -

X.509-SSH

From HLRS Platforms
Latest revision as of 10:40, 29 June 2018

This howto assumes you have a flavour of Linux running on your machine.

SERVER (mainly intended for sysadmins and operators!)

INSTALLATION

  • Download openssh sourcecode:
$ wget -c ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.7p1.tar.gz

Note: The FTP download is unauthenticated. Verify the tarball against the detached PGP signature OpenSSH publishes next to it (openssh-7.7p1.tar.gz.asc) before building it.

  • Download patch to support X.509 certificates for authentication:
$ wget -c https://roumenpetrov.info/openssh/x509-11.3.2/openssh-7.7p1+x509-11.3.2.diff.gz

  • additional prerequisites:

"libc6" development packages, "zlib" development packages, "patch" binary

  • On Ubuntu use:
$ sudo apt-get update
$ sudo apt-get install libc6-dev zlib1g-dev patch libssl-dev


  • On SLES:

install "zlib-devel[-32bit]" and "openssl-devel[-32bit]"


  • Extract openssh:
$ tar -xzf openssh-7.7p1.tar.gz


  • Change into the new directory and apply the downloaded patch:
$ cd openssh-7.7p1
openssh-7.7p1/$ zcat <PATH_TO_PATCH>openssh-7.7p1+x509-11.3.2.diff.gz | patch -p 1


  • Configure and make:
Note: Commands enclosed in "[...]" are optional! See manpages for details.

openssh-7.7p1/$ [time] ./configure --prefix=<INSTALLATION-DIR> [2>&1 | tee configure.log]
openssh-7.7p1/$ [time] make [2>&1 | tee make.log]
openssh-7.7p1/$ [sudo] make install



CONFIGURATION


CLIENT (mainly intended for users)

INSTALLATION

  • Download openssh sourcecode:
$ wget -c ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.7p1.tar.gz

Note: The FTP download is unauthenticated; check the tarball against the detached PGP signature published next to it (openssh-7.7p1.tar.gz.asc) before you build from it.

  • Download the patch to support X.509 certificates for authentication:
$ wget -c https://roumenpetrov.info/openssh/x509-11.3.2/openssh-7.7p1+x509-11.3.2.diff.gz

  • additional prerequisites:

"libc6" development packages, "zlib" development packages, "patch" binary

  • On Ubuntu use:
$ sudo apt-get update
$ sudo apt-get install libc6-dev zlib1g-dev patch libssl-dev


  • On SLES:

install "zlib-devel[-32bit]" and "openssl-devel[-32bit]"


  • Extract openssh:
$ tar -xzf openssh-7.7p1.tar.gz


  • Change into the new directory and apply the downloaded patch. "patch" must not report any rejected hunks (no *.rej files) before you continue:
$ cd openssh-7.7p1
openssh-7.7p1/$ zcat <PATH_TO_PATCH>openssh-7.7p1+x509-11.3.2.diff.gz | patch -p 1


  • Configure and make:
Note: Commands enclosed in "[...]" are optional! See manpages for details.

openssh-7.7p1/$ [time] ./configure [2>&1 | tee configure.log]
openssh-7.7p1/$ [time] make [2>&1 | tee make.log]


  • Pick the following binaries:
openssh-7.7p1/$ cp ./ssh $HOME/bin [&& strip $HOME/bin/ssh]
openssh-7.7p1/$ cp ./ssh-keygen $HOME/bin [&& strip $HOME/bin/ssh-keygen]


Note: Make sure that "$HOME/bin" is at the beginning of "$PATH" or call the created binaries directly. "command -v ssh" shows which ssh binary your shell actually resolves to; it must be $HOME/bin/ssh.



CONFIGURATION


  • Export a PKCS#12 keystore with your grid certificate and private key from your browser.
Note: This usually involves setting a password for the PKCS#12 keystore (referred to below as <KEYSTORE_PASSWD>).


  • Export your certificate from the PKCS#12 keystore:
$ openssl pkcs12 -in <PKCS12_KEYSTORE> -clcerts -nokeys -out $HOME/.ssh/certificate.pem


Note: One has to enter the <KEYSTORE_PASSWD> once to unlock the PKCS#12 keystore for the export.


  • Make sure the private key file is only accessible by you. Set the umask in the same shell before the export below, so that the files openssl creates get mode 0600 (umask does not change files that already exist; use "chmod 600" for those):
$ umask 0077


  • Export private key from keystore:
$ openssl pkcs12 -in <PKCS12_KEYSTORE> -nocerts -out $HOME/.ssh/key.pem


Note: One has to enter the <KEYSTORE_PASSWD> once to unlock the PKCS#12 keystore for the export. Additionally one has to provide a password for the exported private key (twice); ssh will ask for this key password when you log in.


  • Create identity (file): private key first, then certificate. Both files were written to $HOME/.ssh above, so use the full paths (the relative names only work with $HOME/.ssh as working directory):
$ cat $HOME/.ssh/key.pem $HOME/.ssh/certificate.pem > $HOME/.ssh/x509_identity



Creating an x509_authorized_keys file

If you want to log in to HLRS systems using X.509-SSH, your account has to be prepared for this. Send us your username and an authorized_keys file created from your certificate as follows ("usercert.pem" is the certificate exported above, i.e. $HOME/.ssh/certificate.pem):

$ Distinguished_Name=$(openssl x509 -noout -subject -in usercert.pem -nameopt RFC2253)
$ KeyType=x509v3-sign-rsa        # or x509v3-sign-dss for a DSA key

Which KeyType value you need depends on the key algorithm of your certificate: "x509v3-sign-rsa" for an RSA key, "x509v3-sign-dss" for a DSA key. The algorithm is shown by "openssl x509 -noout -text -in usercert.pem" under "Public Key Algorithm" (or by the key type in your file "id_x509.pub").

$ echo "$KeyType $Distinguished_Name" > x509_authorized_keys
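The whole CLIENT > CONFIGURATION procedure and the x509_authorized_keys step, collected into one script as an added example (editor-added code, not from the HLRS page or from the X.509 patch project). It assumes the passwords are supplied through the environment variables KEYSTORE_PASSWD and KEY_PASSWD (names chosen here, not from the page) and adds two checks the steps above leave to the reader: the umask is set before the export, inside a subshell, and the exported private key is compared against the certificate's public key before the two are concatenated. The KeyType is derived from the certificate's public-key algorithm instead of from "id_x509.pub".

```sh
#!/bin/sh
# Added example; not code from the HLRS page or from the X.509 patch project.
# Performs the CLIENT > CONFIGURATION steps (export certificate and key from
# the PKCS#12 keystore, build $HOME/.ssh/x509_identity) and the
# "Creating an x509_authorized_keys file" step, with two extra checks:
# every created file is 0600 (umask set before the export, not after) and
# the exported key is verified to belong to the exported certificate.
#
# Assumptions (not from the page): passwords are read from the environment
# variables KEYSTORE_PASSWD (keystore) and KEY_PASSWD (exported key) when
# set, handed to openssl as "env:NAME" so they never appear on a command
# line; when unset, openssl prompts interactively exactly as on the page.

# make_x509_identity <PKCS12_KEYSTORE> [<OUTDIR>]
# Writes certificate.pem, key.pem and x509_identity into OUTDIR (default
# $HOME/.ssh) and prints the identity path. The body is a subshell, so the
# umask change does not leak into the caller's shell.
make_x509_identity() (
    store=$1
    outdir=${2:-$HOME/.ssh}
    umask 077                               # everything created below: 0600/0700
    mkdir -p "$outdir"

    passin=; passout=; keyin=
    if [ -n "${KEYSTORE_PASSWD+x}" ]; then passin="-passin env:KEYSTORE_PASSWD"; fi
    if [ -n "${KEY_PASSWD+x}" ]; then
        passout="-passout env:KEY_PASSWD"; keyin="-passin env:KEY_PASSWD"
    fi

    # Certificate only (-clcerts -nokeys), exactly the page's first export.
    openssl pkcs12 -in "$store" -clcerts -nokeys $passin \
        -out "$outdir/certificate.pem" || exit 1
    # Private key only (-nocerts), re-encrypted under the key password.
    openssl pkcs12 -in "$store" -nocerts $passin $passout \
        -out "$outdir/key.pem" || exit 1

    # Consistency check: the public key inside the certificate must equal
    # the public half of key.pem, otherwise the identity file is useless.
    certpub=$(openssl x509 -in "$outdir/certificate.pem" -noout -pubkey)
    keypub=$(openssl pkey -in "$outdir/key.pem" $keyin -pubout)
    if [ -z "$certpub" ] || [ "$certpub" != "$keypub" ]; then
        echo "key.pem does not belong to certificate.pem" >&2
        exit 1                              # exits only this function's subshell
    fi

    # Identity = private key followed by certificate; absolute paths, so the
    # step works from any working directory.
    cat "$outdir/key.pem" "$outdir/certificate.pem" > "$outdir/x509_identity"
    echo "$outdir/x509_identity"
)

# make_x509_authorized_keys <certificate.pem>
# Prints the one-line entry the page asks for: "<KeyType> <Distinguished Name>".
# KeyType comes from the certificate's public-key algorithm; the DN is the raw
# "openssl x509 -subject -nameopt RFC2253" output, as in the page's command.
make_x509_authorized_keys() {
    cert=$1
    alg=$(openssl x509 -in "$cert" -noout -text \
          | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)
    case $alg in
        rsaEncryption) keytype=x509v3-sign-rsa ;;
        dsaEncryption) keytype=x509v3-sign-dss ;;
        *) echo "unsupported key algorithm: $alg" >&2; return 1 ;;
    esac
    dn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)
    printf '%s %s\n' "$keytype" "$dn"
}

# Usage (interactive, as on the page; openssl prompts for both passwords):
#   make_x509_identity ~/grid-keystore.p12
#   make_x509_authorized_keys ~/.ssh/certificate.pem > x509_authorized_keys
```

With the two variables unset, openssl prompts for the keystore password and for the new key password just as the manual steps do; with them set, the script runs unattended without putting a password into the process list. If the consistency check fails, the keystore contained a key and certificate that do not match, and no identity file is written.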


USAGE

  • Log in to a remote system with X.509 SSH:
$ ssh -i $HOME/.ssh/x509_identity -l <YOUR_LOGIN_NAME> -p <PORT> <SERVER>


Note: For "Laki" <PORT> is "443" and <SERVER> is "cl3fr1.hww.de". For "HAZELHEN" <PORT> is "443" and <SERVER> is "hazelhen.hww.de".



PROBLEMS

  • If there are problems that prevent you from logging in, please provide us with a full log of the authentication using the switch "-vvv" ("&>" is bash syntax; in a POSIX shell write "> full_auth.log 2>&1"):
$ ssh -vvv -i $HOME/.ssh/x509_identity -l <YOUR_LOGIN_NAME> -p <PORT> <SERVER> [&> full_auth.log]


Some common problems

  • Symptom(s):
    • login impossible
    • messages in the full log of the authentication similar to the following messages:
File: full_auth.log
[...]
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug3: x509key_from_subject: 1 is not x509 key
debug3: key_from_blob(..., 279)
[...]
debug1: Next authentication method: publickey
debug1: Offering public key: x509_identity
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug3: Wrote 368 bytes for a total of 1509
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).
  • Problem:

You have created a public key from the X.509 ssh private key using an unpatched "ssh-keygen".

  • Possible solution:

You don't need a public key file to access our systems; the patched client derives the public key from the X.509 identity during authentication. Just delete the file (usually named "x509_identity.pub") and try again.



  • Symptom(s):
    • login impossible
    • messages in the full log of the authentication similar to the following messages:
File: full_auth.log
[...]
debug1: Next authentication method: publickey
debug1: Trying private key: $HOME/.ssh/x509_identity
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).


  • Problem:

If you did not yourself write "$HOME" into the log as a stand-in for your home directory (to avoid disclosing your local account name), the literal string "$HOME" most likely comes from an "IdentityFile" line in your "ssh_config" file.

  • Possible Solution:

According to the manual page ssh_config(5), shell variables are not expanded inside "ssh_config"; only "~" and the documented percent tokens (such as "%d" for the local home directory) are. The "ssh" binary therefore looks for a file literally named "$HOME/.ssh/x509_identity", cannot find it, "[...]did not send a packet[...]", and the login fails. Write the path as "IdentityFile ~/.ssh/x509_identity" and use only the notations documented in the ssh_config manpage shipped with your "ssh" binary.
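A triage helper for the "-vvv" log, added here as an example (editor-added code, not from the HLRS page). It looks for the two patterns documented under "Some common problems" in a saved full_auth.log and prints a diagnosis code plus the remedy; the sample log lines used to exercise it are constructed from the page's excerpts, not captured from a system. The "$HOME" check carries the caveat the page gives: the string may have been typed into the log by the user, so confirm that before changing any configuration.

```sh
#!/bin/sh
# Added example, not from the HLRS page: a triage helper for the "ssh -vvv"
# log requested under PROBLEMS. It recognises the two failure patterns the
# page documents and names the fix; any other log that ends in
# "Permission denied" is reported as unknown, so that one goes to support
# unchanged. Sample lines used with it are constructed from the page's
# excerpts, not captured from a real system.

# diagnose_auth_log <full_auth.log>
# Prints one of: stale-pubkey, unexpanded-variable, unknown, ok.
# Exit status is 0 only for "ok", so the function can gate a script.
diagnose_auth_log() {
    log=$1
    # Pattern 1 (page, first problem): the identity is parsed as a plain
    # OpenSSH key, the symptom of a .pub written by an unpatched ssh-keygen
    # lying next to it. Fix: delete x509_identity.pub.
    if grep -q "unknown key type '-----END'" "$log" \
       || grep -q 'x509key_from_subject: .* is not x509 key' "$log"; then
        echo stale-pubkey
        return 1
    fi
    # Pattern 2 (page, second problem): "$HOME" appears literally in the
    # identity path and no packet was sent, i.e. the path came from an
    # ssh_config IdentityFile line, where shell variables are not expanded.
    # Fix: IdentityFile ~/.ssh/x509_identity (or %d/.ssh/x509_identity).
    # Caveat from the page: the user may have typed "$HOME" into the log by
    # hand to hide the account name; confirm with the user before acting.
    if grep -q 'Trying private key: \$HOME' "$log" \
       && grep -q 'we did not send a packet, disable method' "$log"; then
        echo unexpanded-variable
        return 1
    fi
    if grep -q 'Permission denied (publickey)' "$log"; then
        echo unknown
        return 1
    fi
    echo ok
    return 0
}

# fix_for <code>: one-line remedy for a diagnosis code.
fix_for() {
    case $1 in
        stale-pubkey)        echo 'delete $HOME/.ssh/x509_identity.pub and retry' ;;
        unexpanded-variable) echo 'use "IdentityFile ~/.ssh/x509_identity" in ssh_config' ;;
        unknown)             echo 'send full_auth.log to HLRS support' ;;
        ok)                  echo 'no action needed' ;;
        *)                   echo "unknown diagnosis code: $1" >&2; return 1 ;;
    esac
}

# Usage:
#   code=$(diagnose_auth_log full_auth.log) || echo "login problem: $code: $(fix_for "$code")"
```

The two patterns are matched on the exact debug strings shown in the page's excerpts; the client prints them for the 7.7p1 + x509-11.3.2 build this page describes, so a log from a different client version may need the strings adjusted.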


SEE ALSO

Readme for X.509 SSH v11.3.2: http://www.roumenpetrov.info/openssh/x509-11.3.2/README.x509v3