- Information in the HLRS Wiki is not legally binding and is provided without warranty -
- Information contained in the HLRS Wiki is not legally binding and HLRS is not responsible for any damages that might result from its use -

X.509-SSH

From HLRS Platforms

This howto assumes you have a flavour of LINUX running on your machine!

SERVER (mainly intended for sysadmins and operators!)

INSTALLATION

  • Download openssh sourcecode:
$ wget -c ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.3p1.tar.gz
  • Download the patch that adds X.509 certificate authentication:
$ wget -c http://www.roumenpetrov.info/openssh/x509-6.2.1/openssh-5.3p1+x509-6.2.1.diff.gz
  • Additional prerequisites:

"libc6" development packages, "zlib" development packages, "patch" binary

  • On Ubuntu 8.04 LTS use:
$ sudo apt-get update
$ sudo apt-get install libc6-dev zlib1g-dev patch
  • Extract openssh:
$ tar -xzf  openssh-5.3p1.tar.gz
  • Change into the new directory and apply the downloaded patch:
$ cd openssh-5.3p1

openssh-5.3p1/$ zcat <PATH_TO_PATCH>openssh-5.3p1+x509-6.2.1.diff.gz | patch -p 1
  • Configure and make:

NOTICE:

Commands enclosed in "[...]" are optional! See manpages for details.

openssh-5.3p1/$ [time] ./configure --prefix=<INSTALLATION-DIR> [2>&1 | tee configure.log]

openssh-5.3p1/$ [time] make [2>&1 | tee make.log]

openssh-5.3p1/$ [sudo] make install

CONFIGURATION


CLIENT (mainly intended for users)

INSTALLATION

  • Download openssh sourcecode:
$ wget -c ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.3p1.tar.gz
  • Download the patch that adds X.509 certificate authentication:
$ wget -c http://www.roumenpetrov.info/openssh/x509-6.2.1/openssh-5.3p1+x509-6.2.1.diff.gz
  • Additional prerequisites:

"libc6" development packages, "zlib" development packages, "patch" binary

  • On Ubuntu 8.04 LTS use:
$ sudo apt-get update
$ sudo apt-get install libc6-dev zlib1g-dev patch
  • Extract openssh:
$ tar -xzf openssh-5.3p1.tar.gz
  • Change into the new directory and apply the downloaded patch:
$ cd openssh-5.3p1

openssh-5.3p1/$ zcat <PATH_TO_PATCH>openssh-5.3p1+x509-6.2.1.diff.gz | patch -p 1
  • Configure and make:

NOTICE:

Commands enclosed in "[...]" are optional! See manpages for details.

openssh-5.3p1/$ [time] ./configure [2>&1 | tee configure.log]

openssh-5.3p1/$ [time] make [2>&1 | tee make.log]
  • Copy the resulting binaries into $HOME/bin:
openssh-5.3p1/$ cp ./ssh $HOME/bin [&& strip $HOME/bin/ssh]
openssh-5.3p1/$ cp ./ssh-keygen $HOME/bin [&& strip $HOME/bin/ssh-keygen]

NOTICE:

Make sure that "$HOME/bin" is at the beginning of "$PATH" or call the created binaries directly.


CONFIGURATION


  • Export a PKCS#12 keystore with your grid certificate and private key from your browser.

NOTICE:

This usually involves setting a password for the PKCS#12 keystore (referred to below as the <KEYSTORE_PASSWD>).

  • Export your certificate from the PKCS#12 keystore:
$ openssl pkcs12 -in <PKCS12_KEYSTORE> -clcerts -nokeys -out $HOME/.ssh/certificate.pem

NOTICE:

One has to enter the <KEYSTORE_PASSWD> once to unlock the PKCS#12 keystore for the export.

  • Make sure the private key file is only accessible by you:
$ umask 0077
  • Export private key from keystore:
$ openssl pkcs12 -in <PKCS12_KEYSTORE> -nocerts -out $HOME/.ssh/key.pem

NOTICE:

One has to enter the <KEYSTORE_PASSWD> once to unlock the PKCS#12 keystore for the export, and then provide a passphrase for the exported private key (entered twice).

  • Create the identity file (private key followed by certificate; the two files were written to $HOME/.ssh above, so use their full paths):
$ cat $HOME/.ssh/key.pem $HOME/.ssh/certificate.pem > $HOME/.ssh/x509_identity
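
The three export steps above, carried out non-interactively with two checks a user should make before first use: that the exported key really matches the exported certificate, and that the identity file is owner-only. This is an added example, not part of the HLRS wiki; it assumes the openssl CLI, uses -passin/-passout in place of the interactive password prompts, and builds a constructed self-signed certificate as a stand-in for the grid certificate.

```shell
#!/bin/sh
# Added example, not from the HLRS wiki: build x509_identity from a PKCS#12
# keystore as the howto describes, non-interactively, with two checks.
set -eu

# $1 keystore, $2 keystore password, $3 output dir, $4 passphrase for key.pem.
# -passin/-passout replace the interactive prompts of the howto's commands.
build_x509_identity() {
    p12=$1; ks_pass=$2; dir=$3; key_pass=$4
    umask 0077                        # files created below are owner-only
    mkdir -p "$dir"
    # Certificate only, as in the howto (-clcerts -nokeys).
    openssl pkcs12 -in "$p12" -clcerts -nokeys -passin "pass:$ks_pass" \
        -out "$dir/certificate.pem"
    # Private key only (-nocerts), re-encrypted under its own passphrase.
    openssl pkcs12 -in "$p12" -nocerts -passin "pass:$ks_pass" \
        -passout "pass:$key_pass" -out "$dir/key.pem"
    # Check 1: the exported key belongs to the exported certificate.
    cert_pub=$(openssl x509 -in "$dir/certificate.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/key.pem" -passin "pass:$key_pass" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "key/certificate mismatch" >&2; return 1; }
    # Identity file = key followed by certificate, using full paths.
    cat "$dir/key.pem" "$dir/certificate.pem" > "$dir/x509_identity"
    # Check 2: ssh ignores an identity readable by group/others; demand mode 0600.
    [ -n "$(find "$dir/x509_identity" -perm 600)" ] || { echo "bad mode" >&2; return 1; }
}

# Constructed demo data: a throwaway self-signed certificate standing in for the
# grid certificate, packed into a PKCS#12 keystore the way a browser export is.
make_demo_keystore() {
    dir=$1
    umask 0077
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/demo.key" \
        -out "$dir/demo.crt" -days 1 -subj "/CN=demo user" 2>/dev/null
    openssl pkcs12 -export -in "$dir/demo.crt" -inkey "$dir/demo.key" \
        -passout pass:KeystorePass -out "$dir/demo.p12"
}

WORK=$(mktemp -d)                     # hypothetical scratch dir for the demo
make_demo_keystore "$WORK"
build_x509_identity "$WORK/demo.p12" KeystorePass "$WORK/ssh" KeyPass
echo "identity written to $WORK/ssh/x509_identity"
```

For a real keystore, call build_x509_identity with the browser export, its <KEYSTORE_PASSWD>, $HOME/.ssh and the passphrase you want on key.pem.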

USAGE

  • Log in to a remote system with X.509 SSH:
$ ssh -i $HOME/.ssh/x509_identity -l <YOUR_LOGIN_NAME> -p <PORT> <SERVER>

NOTICE:

For "laki" <PORT> is "443" and <SERVER> is "cl3fr1.hww.de". For "SX-9" <PORT> is "443" and <SERVER> is "yari.hww.de".


SEE ALSO

Readme for X.509 SSH v6.2.1