Secure Shell
getting host certificates working Sep 03 2010 02:58PM
Konrad Bucheli (kb open ch) (1 replies)
Hi there

I am currently trying certificate-based authentication with ssh and was
successful with user authentication, but failed to configure host
authentication.

I have the newest and shiniest version:

kb@kb-pc:~$ ssh -v
OpenSSH_5.6p1, OpenSSL 0.9.8k 25 Mar 2009

Created a CA key:

ssh-keygen -t dsa -f ca_root

Signed the host key:

ssh-keygen -s ca_root -I kb-pc -h /usr/local/etc/ssh_host_dsa_key.pub

Added the certificate after the host key to /usr/local/etc/sshd_config:

HostKey /usr/local/etc/ssh_host_dsa_key
HostCertificate /usr/local/etc/ssh_host_dsa_key-cert.pub

Added the CA public key to ~/.ssh/known_hosts:

@cert-authority * ssh-dss AAAAB3NzaC1kc3MAA...

and tried to log in:

kb@kb-pc:~$ ssh -v root@localhost
OpenSSH_5.6p1, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /home/kb/.ssh/config
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Applying options for *
debug1: Connecting to localhost [::1] port 22.
debug1: Connection established.
debug1: identity file /home/kb/.ssh/id_rsa type -1
debug1: identity file /home/kb/.ssh/id_rsa-cert type -1
debug1: identity file /home/kb/.ssh/id_dsa type 2
debug1: ssh_dss_verify: signature correct
debug1: identity file /home/kb/.ssh/id_dsa-cert type 4
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.6
debug1: match: OpenSSH_5.6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.6
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
The authenticity of host 'localhost (::1)' can't be established.
DSA key fingerprint is 96:2e:ae:c2:4a:b8:24:0d:ee:1d:18:73:29:ad:72:e8.
Are you sure you want to continue connecting (yes/no)?

Which was not the result I expected. Do I miss something?

strace /usr/local/sbin/sshd

indicates that the certificate is read:

munmap(0xb774a000, 4096) = 0
open("/usr/local/etc/ssh_host_dsa_key-cert.pub", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=1454, ...}) = 0
read(3, "ssh-dss-cert-v01@openssh.com AAA"..., 1454) = 1454
close(3) = 0
open("/usr/local/etc/ssh_host_dsa_key-cert.pub", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=1454, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb774a000
read(3, "ssh-dss-cert-v01@openssh.com AAA"..., 4096) = 1454
read(3, "", 4096) = 0
close(3) = 0
munmap(0xb774a000, 4096) = 0
open("/usr/local/etc/ssh_host_dsa_key-cert.pub", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=1454, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb774a000
read(3, "ssh-dss-cert-v01@openssh.com AAA"..., 4096) = 1454
close(3) = 0

Any idea?

Thanks and regards

Konrad Bucheli

--
konrad bucheli
security engineer

open systems ag
raeffelstrasse 29
ch-8045 zurich

t: +41 44 455 74 00
f: +41 44 455 74 01
kb@open.ch

http://www.open.ch
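To see why a client still falls back to the fingerprint prompt, it helps to decode what the certificate file actually carries. The following is an added example, not code from the original post or from OpenSSH: a small Python parser for the v01 certificate wire format (as documented in OpenSSH's PROTOCOL.certkeys) that checks the three things a client checks before trusting a host certificate: the certificate type is "host" (the -h flag at signing time), the hostname is listed among the principals or the list is empty, and the signing CA key appears on an @cert-authority line whose host pattern matches. It does not verify the signature cryptographically, and the sample certificate and the CA key blob b"CA1" are constructed placeholders, not real keys.

```python
import base64
import fnmatch
import struct
# mpints between nonce and serial for each cert type (OpenSSH PROTOCOL.certkeys)
KEY_FIELDS = {"ssh-rsa-cert-v01@openssh.com": 2, "ssh-dss-cert-v01@openssh.com": 4}

def _s(b):                                  # encode one SSH "string" (uint32 len + bytes)
    return struct.pack(">I", len(b)) + b

def _rd(blob, off):                         # decode one SSH "string" -> (bytes, next offset)
    n = struct.unpack(">I", blob[off:off + 4])[0]
    return blob[off + 4:off + 4 + n], off + 4 + n

def _skip(blob, off, n):                    # step over n SSH strings
    for _ in range(n): _, off = _rd(blob, off)
    return off

def parse_cert(line):
    """Parse a *-cert.pub line into its fields (wire format only, no signature check)."""
    keytype, blob = line.split()[0], base64.b64decode(line.split()[1])
    off = _skip(blob, 0, 2 + KEY_FIELDS[keytype])         # type name, nonce, key mpints
    ctype = struct.unpack(">QI", blob[off:off + 12])[1]   # (serial, type): 1 user, 2 host
    plist, off = _rd(blob, _skip(blob, off + 12, 1))      # skip key id, read principals
    off = _skip(blob, off + 16, 3)        # validity (2 x uint64), crit opts, exts, reserved
    ca_blob, _ = _rd(blob, off)                           # public key of the signing CA
    names, p = [], 0
    while p < len(plist):                                 # principals: packed list of strings
        s, p = _rd(plist, p)
        names.append(s.decode())
    return {"type": ctype, "principals": names, "ca_key": base64.b64encode(ca_blob).decode()}

def host_cert_problems(cert_line, known_hosts, hostname):
    """Reasons a client would ignore this host cert and fall back to the fingerprint prompt."""
    c, out = parse_cert(cert_line), []
    if c["type"] != 2:
        out.append("not a host certificate (signed without -h?)")
    if c["principals"] and hostname not in c["principals"]:   # empty list = any host
        out.append("%r not in principals %s" % (hostname, c["principals"]))
    cas = [l.split() for l in known_hosts if l.startswith("@cert-authority ")]
    if c["ca_key"] not in [f[3] for f in cas              # CA's host pattern must match too
                           if any(fnmatch.fnmatchcase(hostname, p) for p in f[1].split(","))]:
        out.append("no @cert-authority line for this CA key covering the host")
    return out

def make_cert_line(keytype, key_id, principals, ca_blob, ctype=2):  # constructed sample cert
    body = _s(keytype.encode()) + _s(b"nonce") + _s(b"\x01") * KEY_FIELDS[keytype]
    body += struct.pack(">QI", 1, ctype) + _s(key_id.encode())
    body += _s(b"".join(_s(p.encode()) for p in principals))
    body += struct.pack(">QQ", 0, 2**64 - 1) + _s(b"") * 3 + _s(ca_blob) + _s(b"")
    return keytype + " " + base64.b64encode(body).decode()
```

For a real certificate, `ssh-keygen -L -f /usr/local/etc/ssh_host_dsa_key-cert.pub` prints the same fields (Type, Key ID, Principals, Signing CA), and the Signing CA must be the key on the @cert-authority line.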

Re: getting host certificates working Sep 07 2010 12:48PM
Konrad Bucheli (kb open ch)
Copyright 2010, SecurityFocus