Secure Shell
help about "certificates" function of openssh 5.4 Apr 28 2010 02:39AM
yang wang (gooddaydiablo gmail com) (1 replies)
Dear,

Is there any detailed manual on how to set up SSH user certificates? I
have looked at all the man pages for ssh-keygen, ssh and sshd, but still
can't successfully set up user certificates.

I write my steps below; would you please help me check whether I'm
wrong about anything? Much appreciated!

1) only use one machine. (Red Hat RHEL 5, with OpenSSH 5.4)
# ssh-keygen -s /root/.ssh/id_rsa -I id_test -n root /root/.ssh/id_rsa.pub
then I get the certificate: /root/.ssh/id_rsa-cert.pub

2) edit /usr/local/etc/sshd_config with :
TrustedUserCAKeys /root/.ssh/id_rsa.pub

3) # ssh -i /root/.ssh/id_rsa-cert.pub localhost
( In my opinion, if I use this certificate I should not get prompted
for a password when I ssh to localhost; however, it always prompts me
for the passphrase. I get quite confused because my id_rsa doesn't have
a passphrase at all! I also tried to use an identity that has a
passphrase, but that doesn't work either. I just don't know what
id_rsa-cert.pub's passphrase should be. Is there anything I got wrong? )

I attached my ssh and sshd debug logs for your reference.

Thanks a lot!
open-ssh fans

SSH log
----------------------------------------------
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug3: start over, passed a different list
publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa-cert.pub
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa-cert-v00@openssh.com blen 1075
debug1: ssh_rsa_verify: signature correct
debug2: input_userauth_pk_ok: fp 0f:06:06:20:6e:3e:80:50:ee:16:23:fb:48:59:d5:21
debug3: sign_and_send_pubkey
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/root/.ssh/id_rsa-cert.pub':
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
debug2: bad passphrase given, try again...
Enter passphrase for key '/root/.ssh/id_rsa-cert.pub':
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
debug2: bad passphrase given, try again...
Enter passphrase for key '/root/.ssh/id_rsa-cert.pub':
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
debug2: bad passphrase given, try again...
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
root@localhost's password:

SSHD log
----------------------------------------------
debug3: monitor_read: checking request 10
debug3: mm_request_receive_expect entering: type 11
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
Failed none for root from 127.0.0.1 port 35662 ssh2
debug3: mm_request_receive entering
debug3: mm_request_receive entering
debug3: mm_auth_password: user not authenticated
debug1: userauth-request for user root service ssh-connection method publickey
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method publickey
debug1: ssh_rsa_verify: signature correct
debug1: test whether pkalg/pkblob are acceptable
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug1: ssh_rsa_verify: signature correct
debug3: mm_answer_keyallowed: key_from_blob: 0x8468690
debug3: found certificate constraint "permit-X11-forwarding" len 0
debug3: found certificate constraint "permit-agent-forwarding" len 0
debug3: found certificate constraint "permit-port-forwarding" len 0
debug3: found certificate constraint "permit-pty" len 0
debug3: found certificate constraint "permit-user-rc" len 0
Accepted certificate ID "id_test" signed by RSA CA
0f:06:06:20:6e:3e:80:50:ee:16:23:fb:48:59:d5:21 via
/root/.ssh/id_rsa.pub
debug3: mm_answer_keyallowed: key 0x8468690 is allowed
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa-cert-v00@openssh.com
Postponed publickey for root from 127.0.0.1 port 35662 ssh2
debug1: userauth-request for user root service ssh-connection method
keyboard-interactive
debug1: attempt 2 failures 0
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=root devs=
debug1: kbdint_alloc: devices ''
debug2: auth2_challenge_start: devices
debug1: userauth-request for user root service ssh-connection method password
debug1: attempt 3 failures 1
debug2: input_userauth_request: try method password

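The setup above, worked through as an added example (not from the original post or from OpenSSH): a separate CA key signs the user key, sshd trusts the CA public key, and the client passes the private key to `ssh -i`, since ssh 5.4 loads `<identity>-cert.pub` beside it automatically. The key names `user_ca` and `id_rsa`, the work directory and the principal `root` are assumptions.

```shell
# Added example (not from the original post). Names and paths are assumptions:
# a dedicated CA key "user_ca", a user key "id_rsa", principal "root".

# Step 1: create a CA key and a user key in WORKDIR (no passphrase), then sign
# the user's PUBLIC key with the CA's PRIVATE key. ssh-keygen writes the
# certificate next to the key as id_rsa-cert.pub.
#   -I  certificate identity (shows up in sshd's "Accepted certificate ID" line)
#   -n  principals the certificate is valid for; must include the login name
make_user_cert() {
    workdir=$1
    ssh-keygen -q -t rsa -b 2048 -N '' -C "user CA" -f "$workdir/user_ca" &&
    ssh-keygen -q -t rsa -b 2048 -N '' -C "user key" -f "$workdir/id_rsa" &&
    ssh-keygen -q -s "$workdir/user_ca" -I id_test -n root "$workdir/id_rsa.pub"
}

# Step 2: sshd must trust the CA's PUBLIC key, not the user's key. Appends the
# directive to CONFIG (a scratch file here; /etc/ssh/sshd_config in practice).
trust_user_ca() {
    config=$1; ca_pub=$2
    printf 'TrustedUserCAKeys %s\n' "$ca_pub" >> "$config"
}

# Step 3 (client side, shown only as a command): pass the PRIVATE key to -i.
# ssh 5.4 automatically loads <identity>-cert.pub alongside it, so the
# certificate is presented without being named on the command line:
#   ssh -i "$workdir/id_rsa" root@localhost
# Pointing -i at id_rsa-cert.pub instead makes ssh look for a private key in a
# file that contains none, hence "PEM_read_PrivateKey failed" and a passphrase
# prompt that no passphrase can satisfy.

# Check: print "yes" if the certificate lists PRINCIPAL, "no" otherwise.
cert_has_principal() {
    cert=$1; principal=$2
    ssh-keygen -L -f "$cert" | awk -v p="$principal" '
        /Principals:/              { inlist = 1; next }
        inlist && /^ *[A-Z]/       { inlist = 0 }
        inlist && $1 == p          { found = 1 }
        END { print (found ? "yes" : "no") }'
}

# Check: print the "Signing CA:" line, to compare against sshd's
# "Accepted certificate ID ... signed by RSA CA <fingerprint>" log line.
cert_signing_ca() {
    ssh-keygen -L -f "$1" | awk '/Signing CA:/ { sub(/^ +/, ""); print }'
}
```

The `Accepted certificate ID "id_test"` line in the sshd log above shows the server side already succeeding; the remaining failure is the client never reaching `sign_and_send_pubkey` with a usable private key.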
Re: help about "certificates" function of openssh 5.4 Apr 29 2010 09:14AM
Hans Harder (postbus111 gmail com)