Secure Shell
openssh/x.509/pkcs11 Aug 20 2010 11:41PM
Shravan Mishra (shravan mishra gmail com) (1 replies)
Hi Guys,

I'm using sun's hardware token sca6000 to act as keystore and I'm trying to
use openssh with x509 such that client authentication fetches the
certificates/keys from the hardware token.
System Info:

OpenSSH_5.3p1, OpenSSL 0.9.8l-fips 5 Nov 2009
2.6.29.6-0.6.smp.gcc4.1.x86_64 #1 SMP

I have applied Roumen Petrov's x509 patch - openssh-5.3p1+x509-6.2.2.diff
and Alon's pkcs11 patch openssh-5.2pkcs11-0.26.tar.bz2 (also openssh-5.3).

I'm following http://www.roumenpetrov.info/openssh/x509-6.2.2/README.x509v3to
configure my client and server.

On the server:
===========

cat ~/.ssh/authorized_keys
=====
x509v3-sign-rsa subject= /C=US/O=Trustwave/OU=dev/CN=root

====

/usr/sbin/sshd -ddd
========
debug2: load_server_config: filename /usr/local/etc/sshd_config
debug2: load_server_config: done config len = 301
debug2: parse_server_config: config /usr/local/etc/sshd_config len 301
debug3: /usr/local/etc/sshd_config:21 setting Protocol 2
debug3: /usr/local/etc/sshd_config:46 setting RSAAuthentication yes
debug3: /usr/local/etc/sshd_config:47 setting PubkeyAuthentication yes
debug3: /usr/local/etc/sshd_config:113 setting Subsystem sftp
/usr/libexec/openssh/sftp-server
debug3: /usr/local/etc/sshd_config:122 setting AllowedCertPurpose sslclient
debug3: /usr/local/etc/sshd_config:127 setting X509KeyAlgorithm
x509v3-sign-rsa,rsa-sha1
debug2: hash dir '/usr/local/etc/ca/crt' added to x509 store
debug2: file '/usr/local/etc/ca/ca-bundle.crt' added to x509 store
debug2: hash dir '/usr/local/etc/ca/crl' added to x509 revocation store
debug1: ssh_set_validator: ignore responder url
debug1: sshd version OpenSSH_5.3p1
debug3: Not a RSA1 key file /usr/local/etc/ssh_host_rsa_key.
debug1: read PEM private key begin
debug1: read X.509 certificate begin
debug3: x509key_load_cert: PEM_read_X509 fail
error:0906D06C:lib(9):func(109):reason(108)
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /usr/local/etc/ssh_host_dsa_key.
debug1: read PEM private key begin
debug1: read X.509 certificate begin
debug3: x509key_load_cert: PEM_read_X509 fail
error:0906D06C:lib(9):func(109):reason(108)
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug2: fd 5 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug3: fd 6 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 9 config len 301
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 6 out 6 newsock 6 pipe -1 sock 9
debug1: inetd sockets after dupping: 3, 3
Connection from 172.30.0.144 port 47460
debug1: Client protocol version 2.0; client software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug2: Network child is on pid 31066
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: privsep user:group 74:74
debug1: permanently_set_uid: 74/74
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 784 bytes for a total of 805
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,
diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-c
bc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-cbc (at) lysator.liu (dot) se [email concealed]
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-c
bc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-cbc (at) lysator.liu (dot) se [email concealed]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 (at) openssh (dot) com [email concealed]
,hmac-ripemd160,hmac-ripemd160 (at) openssh (dot) com [email concealed],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 (at) openssh (dot) com [email concealed]
,hmac-ripemd160,hmac-ripemd160 (at) openssh (dot) com [email concealed],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib (at) openssh (dot) com [email concealed]
debug2: kex_parse_kexinit: none,zlib (at) openssh (dot) com [email concealed]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,
diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-c
bc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-cbc (at) lysator.liu (dot) se [email concealed]
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-c
bc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-cbc (at) lysator.liu (dot) se [email concealed]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 (at) openssh (dot) com [email concealed]
,hmac-ripemd160,hmac-ripemd160 (at) openssh (dot) com [email concealed],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 (at) openssh (dot) com [email concealed]
,hmac-ripemd160,hmac-ripemd160 (at) openssh (dot) com [email concealed],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib (at) openssh (dot) com [email concealed],zlib
debug2: kex_parse_kexinit: none,zlib (at) openssh (dot) com [email concealed],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug3: mm_request_send entering: type 0
debug3: monitor_read: checking request 0
debug3: mm_answer_moduli: got parameters: 1024 1024 8192
debug3: mm_request_send entering: type 1
debug2: monitor_read: 0 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
debug3: mm_request_receive_expect entering: type 1
debug3: mm_request_receive entering
debug3: mm_choose_dh: remaining 0
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug3: Wrote 280 bytes for a total of 1085
debug2: dh_gen_key: priv key bits set: 131/256
debug2: bits set: 1044/2048
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug2: bits set: 1034/2048
debug3: mm_key_sign entering
debug3: mm_request_send entering: type 4
debug3: monitor_read: checking request 4
debug3: mm_answer_sign
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
debug3: mm_request_receive_expect entering: type 5
debug3: mm_request_receive entering
debug3: mm_answer_sign: signature 0x6a0450(271)
debug3: mm_request_send entering: type 5
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 848 bytes for a total of 1933
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug3: Wrote 48 bytes for a total of 1981
debug1: userauth-request for user root service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: monitor_read: checking request 6
debug3: mm_answer_pwnamallow
debug3: Trying to reverse map address 172.30.0.144.
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 7
debug3: mm_request_receive entering
debug2: parse_server_config: config reprocess config len 301
debug3: auth_shadow_acctexpired: today 14841 sp_expire -1 days left -14842
debug3: account expiration disabled
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug3: mm_request_receive entering
debug2: input_userauth_request: setting up authctxt for root
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug2: input_userauth_request: try method none
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: monitor_read: checking request 10
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
Failed none for root from 172.30.0.144 port 47460 ssh2
debug3: mm_request_receive entering
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug3: mm_auth_password: user not authenticated
debug3: Wrote 80 bytes for a total of 2061
debug1: userauth-request for user root service ssh-connection method
publickey
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method publickey
debug3: key_from_blob(..., 279)
debug3: x509key_from_blob: We have 279 bytes available in BIO
debug3: x509key_from_blob: read X509 from BIO fail
error:0D0680A8:lib(13):func(104):reason(168)
debug3: key_from_blob(..., ...) ktype=ssh-rsa
debug1: test whether pkalg/pkblob are acceptable
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: key_from_blob(..., 279)
debug3: x509key_from_blob: We have 279 bytes available in BIO
debug3: x509key_from_blob: read X509 from BIO fail
error:0D0680A8:lib(13):func(104):reason(168)
debug3: key_from_blob(..., ...) ktype=ssh-rsa
debug3: mm_answer_keyallowed: key_from_blob: 0x69f7e0
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug3: secure_filename: checking '/root/.ssh'
debug3: secure_filename: checking '/root'
debug3: secure_filename: terminating check at '/root'
debug3: key_read: type mismatch
debug2: user_key_allowed: check options: 'x509v3-sign-rsa subject=
/C=US/O=Trustwave/OU=dev/CN=root
'
debug2: key_type_from_name: unknown key type 'subject='
debug3: key_read: missing keytype
debug2: user_key_allowed: advance: 'subject=
/C=US/O=Trustwave/OU=dev/CN=root
'
debug1: restore_uid: 0/0
debug2: key not found
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys2
debug1: restore_uid: 0/0
Failed publickey for root from 172.30.0.144 port 47460 ssh2
debug3: mm_answer_keyallowed: key 0x69f7e0 is not allowed
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
debug3: Wrote 80 bytes for a total of 2141
debug1: userauth-request for user root service ssh-connection method
publickey
debug1: attempt 2 failures 1
debug2: input_userauth_request: try method publickey
debug3: key_from_blob(..., 279)
debug3: x509key_from_blob: We have 279 bytes available in BIO
debug3: x509key_from_blob: read X509 from BIO fail
error:0D0680A8:lib(13):func(104):reason(168)
debug3: key_from_blob(..., ...) ktype=ssh-rsa
debug1: test whether pkalg/pkblob are acceptable
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: key_from_blob(..., 279)
debug3: x509key_from_blob: We have 279 bytes available in BIO
debug3: x509key_from_blob: read X509 from BIO fail
error:0D0680A8:lib(13):func(104):reason(168)
debug3: key_from_blob(..., ...) ktype=ssh-rsa
debug3: mm_answer_keyallowed: key_from_blob: 0x69f680
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug3: secure_filename: checking '/root/.ssh'
debug3: secure_filename: checking '/root'
debug3: secure_filename: terminating check at '/root'
debug3: key_read: type mismatch
debug2: user_key_allowed: check options: 'x509v3-sign-rsa subject=
/C=US/O=Trustwave/OU=dev/CN=root
'
debug2: key_type_from_name: unknown key type 'subject='
debug3: key_read: missing keytype
debug2: user_key_allowed: advance: 'subject=
/C=US/O=Trustwave/OU=dev/CN=root
'
debug1: restore_uid: 0/0
debug2: key not found
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys2
debug1: restore_uid: 0/0
Failed publickey for root from 172.30.0.144 port 47460 ssh2
debug3: mm_answer_keyallowed: key 0x69f680 is not allowed
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
debug3: Wrote 80 bytes for a total of 2221
debug1: userauth-request for user root service ssh-connection method
keyboard-interactive
debug1: attempt 3 failures 2
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=root devs=
debug1: kbdint_alloc: devices ''
debug2: auth2_challenge_start: devices
debug3: Wrote 80 bytes for a total of 2301

======

On the client:
==========
ssh -vv -# /usr/lib64/opencryptoki/PKCS11_API.so:1:0:1 root (at) 172.30.0 (dot) 104 [email concealed]
OpenSSH_5.3p1, OpenSSL 0.9.8l-fips 5 Nov 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: PKCS#11: Adding PKCS#11 provider
'/usr/lib64/opencryptoki/PKCS11_API.so'
debug2: PKCS#11: Adding provider
'/usr/lib64/opencryptoki/PKCS11_API.so'-'/usr/lib64/opencryptoki/PKCS11_
API.so'
debug2: PKCS#11: Provider '/usr/lib64/opencryptoki/PKCS11_API.so' added
rv=0-'CKR_OK'
debug2: ssh_connect: needpriv 0
debug1: Connecting to 172.30.0.104 [172.30.0.104] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug2: PKCS#11: Creating a new session
debug2: PKCS#11: Get certificate attributes failed:
179:'CKR_SESSION_HANDLE_INVALID'
debug2: PKCS#11: Calling pin_prompt hook for 'trustwave-ks'
Please enter PIN for token 'trustwave-ks':
debug2: PKCS#11: pin_prompt hook return rv=0
debug2: PKCS#11: Calling pin_prompt hook for 'trustwave-ks'
Please enter PIN for token 'trustwave-ks':
debug2: PKCS#11: pin_prompt hook return rv=0
debug2: PKCS#11: Using cached session
debug2: PKCS#11: Using cached session
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 6 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,
diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-c
bc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-cbc (at) lysator.liu (dot) se [email concealed]
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-c
bc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-cbc (at) lysator.liu (dot) se [email concealed]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 (at) openssh (dot) com [email concealed]
,hmac-ripemd160,hmac-ripemd160 (at) openssh (dot) com [email concealed],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 (at) openssh (dot) com [email concealed]
,hmac-ripemd160,hmac-ripemd160 (at) openssh (dot) com [email concealed],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib (at) openssh (dot) com [email concealed],zlib
debug2: kex_parse_kexinit: none,zlib (at) openssh (dot) com [email concealed],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,
diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-c
bc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-cbc (at) lysator.liu (dot) se [email concealed]
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-c
bc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-cbc (at) lysator.liu (dot) se [email concealed]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 (at) openssh (dot) com [email concealed]
,hmac-ripemd160,hmac-ripemd160 (at) openssh (dot) com [email concealed],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 (at) openssh (dot) com [email concealed]
,hmac-ripemd160,hmac-ripemd160 (at) openssh (dot) com [email concealed],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib (at) openssh (dot) com [email concealed]
debug2: kex_parse_kexinit: none,zlib (at) openssh (dot) com [email concealed]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 995/2048
debug2: bits set: 1034/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '172.30.0.104' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug2: bits set: 1044/2048
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /C=CA/ST=ON/L=Cambridge/O=Trustwave/CN=c709.e-lab.itactics.comon
trustwave-ks (0x6813a0)
debug2: key: /C=US/O=Trustwave/OU=dev/CN=root on trustwave-ks (0x67f220)
debug2: key: /root/.ssh/identity ((nil))
debug2: key: /root/.ssh/id_rsa ((nil))
debug2: key: /root/.ssh/id_dsa ((nil))
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /C=CA/ST=ON/L=Cambridge/O=Trustwave/CN=
c709.e-lab.itactics.com on trustwave-ks
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Offering public key: /C=US/O=Trustwave/OU=dev/CN=root on
trustwave-ks
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
root (at) 172.30.0 (dot) 104 [email concealed]'s password:

==========

I don't understand the reason for key mismatch if the same keys are being
sent by the client as they are in the authorized_keys file on the server.

Any help will be appreciated.

Thanks
Shravan
Hi Guys,<br><br>I'm using sun's hardware token sca6000 to act as keystore and I'm trying to use openssh with x509 such that client authentication fetches the certificates/keys from the hardware token.<br>System Info:<br>
<br>OpenSSH_5.3p1, OpenSSL 0.9.8l-fips 5 Nov 2009<br>2.6.29.6-0.6.smp.gcc4.1.x86_64 #1 SMP <br><br><br>I have applied Roumen Petrov's x509 patch - openssh-5.3p1+x509-6.2.2.diff<br>and Alon's pkcs11 patch openssh-5.2pkcs11-0.26.tar.bz2  (also openssh-5.3).<br>
<br><br>I'm following <a href="http://www.roumenpetrov.info/openssh/x509-6.2.2/README.x509v3">htt
p://www.roumenpetrov.info/openssh/x509-6.2.2/README.x509v3</a> to configure my client and server.<br><br><br>On the server:<br>
===========<br><br>cat ~/.ssh/authorized_keys<br>=====<br>x509v3-sign-rsa subject= /C=US/O=Trustwave/OU=dev/CN=root<br><br>====<br><br>/usr/sbin/sshd -ddd <br>========<br>debug2: load_server_config: filename /usr/local/etc/sshd_config<br>
debug2: load_server_config: done config len = 301<br>debug2: parse_server_config: config /usr/local/etc/sshd_config len 301<br>debug3: /usr/local/etc/sshd_config:21 setting Protocol 2<br>debug3: /usr/local/etc/sshd_config:46 setting RSAAuthentication yes<br>
debug3: /usr/local/etc/sshd_config:47 setting PubkeyAuthentication yes<br>debug3: /usr/local/etc/sshd_config:113 setting Subsystem sftp /usr/libexec/openssh/sftp-server<br>debug3: /usr/local/etc/sshd_config:122 setting AllowedCertPurpose sslclient<br>
debug3: /usr/local/etc/sshd_config:127 setting X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1<br>debug2: hash dir '/usr/local/etc/ca/crt' added to x509 store<br>debug2: file '/usr/local/etc/ca/ca-bundle.crt' added to x509 store<br>
debug2: hash dir '/usr/local/etc/ca/crl' added to x509 revocation store<br>debug1: ssh_set_validator: ignore responder url<br>debug1: sshd version OpenSSH_5.3p1<br>debug3: Not a RSA1 key file /usr/local/etc/ssh_host_rsa_key.<br>
debug1: read PEM private key begin<br>debug1: read X.509 certificate begin<br>debug3: x509key_load_cert: PEM_read_X509 fail error:0906D06C:lib(9):func(109):reason(108)<br>debug1: read PEM private key done: type RSA<br>debug1: private host key: #0 type 1 RSA<br>
debug3: Not a RSA1 key file /usr/local/etc/ssh_host_dsa_key.<br>debug1: read PEM private key begin<br>debug1: read X.509 certificate begin<br>debug3: x509key_load_cert: PEM_read_X509 fail error:0906D06C:lib(9):func(109):reason(108)<br>
debug1: read PEM private key done: type DSA<br>debug1: private host key: #1 type 2 DSA<br>debug1: rexec_argv[0]='/usr/sbin/sshd'<br>debug1: rexec_argv[1]='-ddd'<br>debug2: fd 4 setting O_NONBLOCK<br>debug1: Bind to port 22 on ::.<br>
Server listening on :: port 22.<br>debug2: fd 5 setting O_NONBLOCK<br>debug1: Bind to port 22 on 0.0.0.0.<br>Server listening on 0.0.0.0 port 22.<br>debug3: fd 6 is not O_NONBLOCK<br>debug1: Server will not fork when running in debugging mode.<br>
debug3: send_rexec_state: entering fd = 9 config len 301<br>debug3: ssh_msg_send: type 0<br>debug3: send_rexec_state: done<br>debug1: rexec start in 6 out 6 newsock 6 pipe -1 sock 9<br>debug1: inetd sockets after dupping: 3, 3<br>
Connection from 172.30.0.144 port 47460<br>debug1: Client protocol version 2.0; client software version OpenSSH_5.3<br>debug1: match: OpenSSH_5.3 pat OpenSSH*<br>debug1: Enabling compatibility mode for protocol 2.0<br>debug1: Local version string SSH-2.0-OpenSSH_5.3<br>
debug2: fd 3 setting O_NONBLOCK<br>debug2: Network child is on pid 31066<br>debug3: preauth child monitor started<br>debug3: mm_request_receive entering<br>debug3: privsep user:group 74:74<br>debug1: permanently_set_uid: 74/74<br>
debug1: list_hostkey_types: ssh-rsa,ssh-dss<br>debug1: SSH2_MSG_KEXINIT sent<br>debug3: Wrote 784 bytes for a total of 805<br>debug1: SSH2_MSG_KEXINIT received<br>debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,
diffie-hellman-group14-sha1,diffie-hellman-group1-sha1<br>
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss<br>debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-c
bc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,<a href="mailto:rijndael-cbc (at) lysator.liu (dot) se [email concealed]">rijndael-cbc (at) lysator.liu (dot) se [email concealed]</a
><br>
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-c
bc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,<a href="mailto:rijndael-cbc (at) lysator.liu (dot) se [email concealed]">rijndael-cbc (at) lysator.liu (dot) se [email concealed]</a
><br>
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,<a href="mailto:umac-64 (at) openssh (dot) com [email concealed]">umac-64 (at) openssh (dot) com [email concealed]</a>,hmac-ripemd160
,<a href="mailto:hmac-ripemd160 (at) openssh (dot) com [email concealed]">hmac-ripemd160 (at) openssh (dot) com [email concealed]</a>,
hmac-sha1-96,hmac-md5-96<br>
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,<a href="mailto:umac-64 (at) openssh (dot) com [email concealed]">umac-64 (at) openssh (dot) com [email concealed]</a>,hmac-ripemd160
,<a href="mailto:hmac-ripemd160 (at) openssh (dot) com [email concealed]">hmac-ripemd160 (at) openssh (dot) com [email concealed]</a>,
hmac-sha1-96,hmac-md5-96<br>
debug2: kex_parse_kexinit: none,<a href="mailto:zlib (at) openssh (dot) com [email concealed]">zlib (at) openssh (dot) com [email concealed]</a><br>debug2: kex_parse_kexinit: none,<a href="mailto:zlib (at) openssh (dot) com [email concealed]">zlib (at) openssh (dot) com [email concealed]</a><br>debug2: kex_parse_kexinit: <br>debug2: kex_parse_kexinit: <br>
debug2: kex_parse_kexinit: first_kex_follows 0 <br>debug2: kex_parse_kexinit: reserved 0 <br>debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,
diffie-hellman-group14-sha1,diffie-hellman-group1-sha1<br>
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss<br>debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-c
bc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,<a href="mailto:rijndael-cbc (at) lysator.liu (dot) se [email concealed]">rijndael-cbc (at) lysator.liu (dot) se [email concealed]</a
><br>
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-c
bc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,<a href="mailto:rijndael-cbc (at) lysator.liu (dot) se [email concealed]">rijndael-cbc (at) lysator.liu (dot) se [email concealed]</a
><br>
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,<a href="mailto:umac-64 (at) openssh (dot) com [email concealed]">umac-64 (at) openssh (dot) com [email concealed]</a>,hmac-ripemd160
,<a href="mailto:hmac-ripemd160 (at) openssh (dot) com [email concealed]">hmac-ripemd160 (at) openssh (dot) com [email concealed]</a>,
hmac-sha1-96,hmac-md5-96<br>
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,<a href="mailto:umac-64 (at) openssh (dot) com [email concealed]">umac-64 (at) openssh (dot) com [email concealed]</a>,hmac-ripemd160
,<a href="mailto:hmac-ripemd160 (at) openssh (dot) com [email concealed]">hmac-ripemd160 (at) openssh (dot) com [email concealed]</a>,
hmac-sha1-96,hmac-md5-96<br>
debug2: kex_parse_kexinit: none,<a href="mailto:zlib (at) openssh (dot) com [email concealed]">zlib (at) openssh (dot) com [email concealed]</a>,zlib<br>debug2: kex_parse_kexinit: none,<a href="mailto:zlib (at) openssh (dot) com [email concealed]">zlib (at) openssh (dot) com [email concealed]</a>,zlib<br>debug2: kex_parse_kexinit: <br>
debug2: kex_parse_kexinit: <br>debug2: kex_parse_kexinit: first_kex_follows 0 <br>debug2: kex_parse_kexinit: reserved 0 <br>debug2: mac_setup: found hmac-md5<br>debug1: kex: client->server aes128-ctr hmac-md5 none<br>debug2: mac_setup: found hmac-md5<br>
debug1: kex: server->client aes128-ctr hmac-md5 none<br>debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received<br>debug3: mm_request_send entering: type 0<br>debug3: monitor_read: checking request 0<br>debug3: mm_answer_moduli: got parameters: 1024 1024 8192<br>
debug3: mm_request_send entering: type 1<br>debug2: monitor_read: 0 used once, disabling now<br>debug3: mm_request_receive entering<br>debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI<br>debug3: mm_request_receive_expect entering: type 1<br>
debug3: mm_request_receive entering<br>debug3: mm_choose_dh: remaining 0<br>debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent<br>debug3: Wrote 280 bytes for a total of 1085<br>debug2: dh_gen_key: priv key bits set: 131/256<br>debug2: bits set: 1044/2048<br>
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT<br>debug2: bits set: 1034/2048<br>debug3: mm_key_sign entering<br>debug3: mm_request_send entering: type 4<br>debug3: monitor_read: checking request 4<br>debug3: mm_answer_sign<br>
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN<br>debug3: mm_request_receive_expect entering: type 5<br>debug3: mm_request_receive entering<br>debug3: mm_answer_sign: signature 0x6a0450(271)<br>debug3: mm_request_send entering: type 5<br>
debug2: monitor_read: 4 used once, disabling now<br>debug3: mm_request_receive entering<br>debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent<br>debug2: kex_derive_keys<br>debug2: set_newkeys: mode 1<br>debug1: SSH2_MSG_NEWKEYS sent<br>
debug1: expecting SSH2_MSG_NEWKEYS<br>debug3: Wrote 848 bytes for a total of 1933<br>debug2: set_newkeys: mode 0<br>debug1: SSH2_MSG_NEWKEYS received<br>debug1: KEX done<br>debug3: Wrote 48 bytes for a total of 1981<br>debug1: userauth-request for user root service ssh-connection method none<br>
debug1: attempt 0 failures 0<br>debug3: mm_getpwnamallow entering<br>debug3: mm_request_send entering: type 6<br>debug3: monitor_read: checking request 6<br>debug3: mm_answer_pwnamallow<br>debug3: Trying to reverse map address 172.30.0.144.<br>
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM<br>debug3: mm_request_receive_expect entering: type 7<br>debug3: mm_request_receive entering<br>debug2: parse_server_config: config reprocess config len 301<br>debug3: auth_shadow_acctexpired: today 14841 sp_expire -1 days left -14842<br>
debug3: account expiration disabled<br>debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1<br>debug3: mm_request_send entering: type 7<br>debug2: monitor_read: 6 used once, disabling now<br>debug3: mm_request_receive entering<br>
debug2: input_userauth_request: setting up authctxt for root<br>debug3: mm_inform_authserv entering<br>debug3: mm_request_send entering: type 3<br>debug3: monitor_read: checking request 3<br>debug3: mm_answer_authserv: service=ssh-connection, style=<br>
debug2: monitor_read: 3 used once, disabling now<br>debug3: mm_request_receive entering<br>debug2: input_userauth_request: try method none<br>debug3: mm_auth_password entering<br>debug3: mm_request_send entering: type 10<br>
debug3: monitor_read: checking request 10<br>debug3: mm_answer_authpassword: sending result 0<br>debug3: mm_request_send entering: type 11<br>Failed none for root from 172.30.0.144 port 47460 ssh2<br>debug3: mm_request_receive entering<br>
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD<br>debug3: mm_request_receive_expect entering: type 11<br>debug3: mm_request_receive entering<br>debug3: mm_auth_password: user not authenticated<br>debug3: Wrote 80 bytes for a total of 2061<br>
debug1: userauth-request for user root service ssh-connection method publickey<br>debug1: attempt 1 failures 0<br>debug2: input_userauth_request: try method publickey<br>debug3: key_from_blob(..., 279)<br>debug3: x509key_from_blob: We have 279 bytes available in BIO<br>
debug3: x509key_from_blob: read X509 from BIO fail error:0D0680A8:lib(13):func(104):reason(168)<br>debug3: key_from_blob(..., ...) ktype=ssh-rsa<br>debug1: test whether pkalg/pkblob are acceptable<br>debug3: mm_key_allowed entering<br>
debug3: mm_request_send entering: type 20<br>debug3: monitor_read: checking request 20<br>debug3: mm_answer_keyallowed entering<br>debug3: key_from_blob(..., 279)<br>debug3: x509key_from_blob: We have 279 bytes available in BIO<br>
debug3: x509key_from_blob: read X509 from BIO fail error:0D0680A8:lib(13):func(104):reason(168)<br>debug3: key_from_blob(..., ...) ktype=ssh-rsa<br>debug3: mm_answer_keyallowed: key_from_blob: 0x69f7e0<br>debug1: temporarily_use_uid: 0/0 (e=0/0)<br>
debug1: trying public key file /root/.ssh/authorized_keys<br>debug1: fd 4 clearing O_NONBLOCK<br>debug3: secure_filename: checking '/root/.ssh'<br>debug3: secure_filename: checking '/root'<br>debug3: secure_filename: terminating check at '/root'<br>
debug3: key_read: type mismatch<br>debug2: user_key_allowed: check options: 'x509v3-sign-rsa subject= /C=US/O=Trustwave/OU=dev/CN=root<br>'<br>debug2: key_type_from_name: unknown key type 'subject='<br>debug3: key_read: missing keytype<br>
debug2: user_key_allowed: advance: 'subject= /C=US/O=Trustwave/OU=dev/CN=root<br>'<br>debug1: restore_uid: 0/0<br>debug2: key not found<br>debug1: temporarily_use_uid: 0/0 (e=0/0)<br>debug1: trying public key file /root/.ssh/authorized_keys2<br>
debug1: restore_uid: 0/0<br>Failed publickey for root from 172.30.0.144 port 47460 ssh2<br>debug3: mm_answer_keyallowed: key 0x69f7e0 is not allowed<br>debug3: mm_request_send entering: type 21<br>debug3: mm_request_receive entering<br>
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED<br>debug3: mm_request_receive_expect entering: type 21<br>debug3: mm_request_receive entering<br>debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa<br>debug3: Wrote 80 bytes for a total of 2141<br>
debug1: userauth-request for user root service ssh-connection method publickey<br>debug1: attempt 2 failures 1<br>debug2: input_userauth_request: try method publickey<br>debug3: key_from_blob(..., 279)<br>debug3: x509key_from_blob: We have 279 bytes available in BIO<br>
debug3: x509key_from_blob: read X509 from BIO fail error:0D0680A8:lib(13):func(104):reason(168)<br>debug3: key_from_blob(..., ...) ktype=ssh-rsa<br>debug1: test whether pkalg/pkblob are acceptable<br>debug3: mm_key_allowed entering<br>
debug3: mm_request_send entering: type 20<br>debug3: monitor_read: checking request 20<br>debug3: mm_answer_keyallowed entering<br>debug3: key_from_blob(..., 279)<br>debug3: x509key_from_blob: We have 279 bytes available in BIO<br>
debug3: x509key_from_blob: read X509 from BIO fail error:0D0680A8:lib(13):func(104):reason(168)<br>debug3: key_from_blob(..., ...) ktype=ssh-rsa<br>debug3: mm_answer_keyallowed: key_from_blob: 0x69f680<br>debug1: temporarily_use_uid: 0/0 (e=0/0)<br>
debug1: trying public key file /root/.ssh/authorized_keys<br>debug1: fd 4 clearing O_NONBLOCK<br>debug3: secure_filename: checking '/root/.ssh'<br>debug3: secure_filename: checking '/root'<br>debug3: secure_filename: terminating check at '/root'<br>
d<font class="Apple-style-span" color="#FF0000">ebug3: key_read: type mismatch<br>debug2: user_key_allowed: check options: 'x509v3-sign-rsa subject= /C=US/O=Trustwave/OU=dev/CN=root<br>'<br>debug2: key_type_from_name: unknown key type 'subject='<br>
debug3: key_read: missing keytype<br>debug2: user_key_allowed: advance: 'subject= /C=US/O=Trustwave/OU=dev/CN=root<br>'</font><br>debug1: restore_uid: 0/0<br>debug2: key not found<br>debug1: temporarily_use_uid: 0/0 (e=0/0)<br>
debug1: trying public key file /root/.ssh/authorized_keys2<br>debug1: restore_uid: 0/0<br>Failed publickey for root from 172.30.0.144 port 47460 ssh2<br>debug3: mm_answer_keyallowed: key 0x69f680 is not allowed<br>debug3: mm_request_send entering: type 21<br>
debug3: mm_request_receive entering<br>debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED<br>debug3: mm_request_receive_expect entering: type 21<br>debug3: mm_request_receive entering<br>debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa<br>
debug3: Wrote 80 bytes for a total of 2221<br>debug1: userauth-request for user root service ssh-connection method keyboard-interactive<br>debug1: attempt 3 failures 2<br>debug2: input_userauth_request: try method keyboard-interactive<br>
debug1: keyboard-interactive devs <br>debug1: auth2_challenge: user=root devs=<br>debug1: kbdint_alloc: devices ''<br>debug2: auth2_challenge_start: devices <br>debug3: Wrote 80 bytes for a total of 2301<br><br>======<div>
<br></div><div><br></div><div><br></div><div><br>On the client:<br>==========<div><div>ssh -vv -# /usr/lib64/opencryptoki/PKCS11_API.so:1:0:1   <a href="mailto:root (at) 172.30.0 (dot) 104 [email concealed]">root (at) 172.30.0 (dot) 104 [email concealed]</a></div><div>OpenSSH_
5.3p1, OpenSSL 0.9.8l-fips 5 Nov 2009</div>
<div>debug1: Reading configuration data /etc/ssh/ssh_config</div><div>debug1: PKCS#11: Adding PKCS#11 provider '/usr/lib64/opencryptoki/PKCS11_API.so'</div><div>debug2: PKCS#11: Adding provider '/usr/lib64/opencryptoki/PKCS11_API.so'-'/usr/lib64/opencryp
toki/PKCS11_API.so'</div>
<div>debug2: PKCS#11: Provider '/usr/lib64/opencryptoki/PKCS11_API.so' added rv=0-'CKR_OK'</div><div>debug2: ssh_connect: needpriv 0</div><div>debug1: Connecting to 172.30.0.104 [172.30.0.104] port 22.</div>
<div>debug1: Connection established.</div><div>debug1: permanently_set_uid: 0/0</div><div>debug2: PKCS#11: Creating a new session</div><div>debug2: PKCS#11: Get certificate attributes failed: 179:'CKR_SESSION_HANDLE_INVALID'</div>
<div>debug2: PKCS#11: Calling pin_prompt hook for 'trustwave-ks'</div><div>Please enter PIN for token 'trustwave-ks': </div><div>debug2: PKCS#11: pin_prompt hook return rv=0</div><div>debug2: PKCS#11: Calling pin_prompt hook for 'trustwave-ks'</div>
<div>Please enter PIN for token 'trustwave-ks': </div><div>debug2: PKCS#11: pin_prompt hook return rv=0</div><div>debug2: PKCS#11: Using cached session</div><div>debug2: PKCS#11: Using cached session</div><div>debug1: identity file /root/.ssh/identity type -1</div>
<div>debug1: identity file /root/.ssh/id_rsa type -1</div><div>debug1: identity file /root/.ssh/id_dsa type -1</div><div>debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3</div><div>debug1: match: OpenSSH_5.3 pat OpenSSH*</div>
<div>debug1: Enabling compatibility mode for protocol 2.0</div><div>debug1: Local version string SSH-2.0-OpenSSH_5.3</div><div>debug2: fd 6 setting O_NONBLOCK</div><div>debug1: SSH2_MSG_KEXINIT sent</div><div>debug1: SSH2_MSG_KEXINIT received</div>
<div>debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,
diffie-hellman-group14-sha1,diffie-hellman-group1-sha1</div><div>debug2:
kex_parse_kexinit: ssh-rsa,ssh-dss</div><div>
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-c
bc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,<a href="mailto:rijndael-cbc (at) lysator.liu (dot) se [email concealed]">rijndael-cbc (at) lysator.liu (dot) se [email concealed]</a
></div>
<div>debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-c
bc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,<a href="mailto:rijndael-cbc (at) lysator.liu (dot) se [email concealed]">rijndael-cbc (at) lysator.liu (dot) se [email concealed]</a
></div>
<div>debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,<a href="mailto:umac-64 (at) openssh (dot) com [email concealed]">umac-64 (at) openssh (dot) com [email concealed]</a>,hmac-ripemd160
,<a href="mailto:hmac-ripemd160 (at) openssh (dot) com [email concealed]">hmac-ripemd160 (at) openssh (dot) com [email concealed]</a>,
hmac-sha1-96,hmac-md5-96</div>
<div>debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,<a href="mailto:umac-64 (at) openssh (dot) com [email concealed]">umac-64 (at) openssh (dot) com [email concealed]</a>,hmac-ripemd160
,<a href="mailto:hmac-ripemd160 (at) openssh (dot) com [email concealed]">hmac-ripemd160 (at) openssh (dot) com [email concealed]</a>,
hmac-sha1-96,hmac-md5-96</div>
<div>debug2: kex_parse_kexinit: none,<a href="mailto:zlib (at) openssh (dot) com [email concealed]">zlib (at) openssh (dot) com [email concealed]</a>,zlib</div><div>debug
2: kex_parse_kexinit: none,<a href="mailto:zlib (at) openssh (dot) com [email concealed]">zlib (at) openssh (dot) com [email concealed]</a>,zlib</div><div>debug
2: kex_parse_kexinit: </div>
<div>debug2: kex_parse_kexinit: </div><div>debug2: kex_parse_kexinit: first_kex_follows 0 </div><div>debug2: kex_parse_kexinit: reserved 0 </div><div>debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,
diffie-hellman-group14-sha1,diffie-hellman-group1-sha1</div>
<div>debug2: kex_parse_kexinit: ssh-rsa,ssh-dss</div><div>debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-c
bc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,<a href="mailto:rijndael-cbc (at) lysator.liu (dot) se [email concealed]">rijndael-cbc (at) lysator.liu (dot) se [email concealed]</a
></div>
<div>debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-c
bc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,<a href="mailto:rijndael-cbc (at) lysator.liu (dot) se [email concealed]">rijndael-cbc (at) lysator.liu (dot) se [email concealed]</a
></div>
<div>debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,<a href="mailto:umac-64 (at) openssh (dot) com [email concealed]">umac-64 (at) openssh (dot) com [email concealed]</a>,hmac-ripemd160
,<a href="mailto:hmac-ripemd160 (at) openssh (dot) com [email concealed]">hmac-ripemd160 (at) openssh (dot) com [email concealed]</a>,
hmac-sha1-96,hmac-md5-96</div>
<div>debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,<a href="mailto:umac-64 (at) openssh (dot) com [email concealed]">umac-64 (at) openssh (dot) com [email concealed]</a>,hmac-ripemd160
,<a href="mailto:hmac-ripemd160 (at) openssh (dot) com [email concealed]">hmac-ripemd160 (at) openssh (dot) com [email concealed]</a>,
hmac-sha1-96,hmac-md5-96</div>
<div>debug2: kex_parse_kexinit: none,<a href="mailto:zlib (at) openssh (dot) com [email concealed]">zlib (at) openssh (dot) com [email concealed]</a></div><div>debug2: kex_parse_kexinit: none,<a href="mailto:zlib (at) openssh (dot) com [email concealed]">zlib (at) openssh (dot) com [email concealed]</a></div><div>debug2: kex_parse_kexinit: </div>
<div>debug2: kex_parse_kexinit: </div><div>debug2: kex_parse_kexinit: first_kex_follows 0 </div><div>debug2: kex_parse_kexinit: reserved 0 </div><div>debug2: mac_setup: found hmac-md5</div><div>debug1: kex: server->client aes128-ctr hmac-md5 none</div>
<div>debug2: mac_setup: found hmac-md5</div><div>debug1: kex: client->server aes128-ctr hmac-md5 none</div><div>debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent</div><div>debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP</div>
<div>debug2: dh_gen_key: priv key bits set: 995/2048</div><div>debug2: bits set: 1034/2048</div><div>debug1: SSH2_MSG_KEX_DH_GEX_INIT sent</div><div>debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY</div><div>debug1: Host '172.30.0.104' is known and matches the RSA host key.</div>
<div>debug1: Found key in /root/.ssh/known_hosts:1</div><div>debug2: bits set: 1044/2048</div><div>debug1: ssh_rsa_verify: signature correct</div><div>debug2: kex_derive_keys</div><div>debug2: set_newkeys: mode 1</div><div>
debug1: SSH2_MSG_NEWKEYS sent</div><div>debug1: expecting SSH2_MSG_NEWKEYS</div><div>debug2: set_newkeys: mode 0</div><div>debug1: SSH2_MSG_NEWKEYS received</div><div>debug1: SSH2_MSG_SERVICE_REQUEST sent</div><div>debug2: service_accept: ssh-userauth</div>
<div>debug1: SSH2_MSG_SERVICE_ACCEPT received</div><div>debug2: key: /C=CA/ST=ON/L=Cambridge/O=Trustwave/CN=<a href="http://c709.e-lab.itactics.com">c709.e-lab.itactics.com</a> on trustwave-ks (0x6813a0)</div><div>debug2: key: /C=US/O=Trustwave/OU=dev/CN=root on trustwave-ks (0x67f220)</div>
<div>debug2: key: /root/.ssh/identity ((nil))</div><div>debug2: key: /root/.ssh/id_rsa ((nil))</div><div>debug2: key: /root/.ssh/id_dsa ((nil))</div><div>debug1: Authentications that can continue: publickey,password,keyboard-interactive</div>
<div>debug1: Next authentication method: publickey</div><div>debug1: Offering public key: /C=CA/ST=ON/L=Cambridge/O=Trustwave/CN=<a href="http://c709.e-lab.itactics.com">c709.e-lab.itactics.com</a> on trustwave-ks</div><div>
debug2: we sent a publickey packet, wait for reply</div><div>debug1: Authentications that can continue: publickey,password,keyboard-interactive</div><div><font class="Apple-style-span" color="#FF0000">debug1: Offering public key: /C=US/O=Trustwave/OU=dev/CN=root on trustwave-ks</font></div>
<div><font class="Apple-style-span" color="#FF0000">debug2: we sent a publickey packet, wait for reply</font></div><div>debug1: Authentications that can continue: publickey,password,keyboard-interactive</div><div>debug1: Trying private key: /root/.ssh/identity</div>
<div>debug1: Trying private key: /root/.ssh/id_rsa</div><div>debug1: Trying private key: /root/.ssh/id_dsa</div><div>debug2: we did not send a packet, disable method</div><div>debug1: Next authentication method: keyboard-interactive</div>
<div>debug2: userauth_kbdint</div><div>debug2: we sent a keyboard-interactive packet, wait for reply</div><div>debug1: Authentications that can continue: publickey,password,keyboard-interactive</div><div>debug2: we did not send a packet, disable method</div>
<div>debug1: Next authentication method: password</div><div><a href="mailto:root (at) 172.30.0 (dot) 104 [email concealed]">root (at) 172.30.0 (dot) 104 [email concealed]</a>'s password: </div></div><div><br></div><div><br></div><div><br></div><div>
==========<br><br><br></div>
<div><br></div><div><br></div><div>I don't understand the reason for key mismatch if the same keys are being sent by the client as they are in the authorized_keys file on the server.</div><div><br></div><div><br></div>
<div><br></div><div>Any help will be appreciated.</div><div><br></div><div><br></div><div>Thanks</div><div>Sh
ravan<br><br><br></div></div>

[ reply ]
Re: openssh/x.509/pkcs11 Aug 22 2010 05:03PM
Vir Calimlim (virbcal gmail com)


 

Privacy Statement
Copyright 2010, SecurityFocus