Mailing List Archive

Patch for OpenSSH for Windows to allow authentication through certificates
Hi all,

Does anyone know if there is a patch for OpenSSH for Windows to allow
authentication through certificates?
Is it possible to make one if it doesn't exist?
I'm using OpenSSH for Windows 3.8p1-1 20040709 Build.

I know there is Roumen Petrov's patch, but it is for Unix machines if I'm
not mistaken.
I need a similar one for Windows that works with the Roumen Petrov
patch so I can have authentication through certificates between
Windows machines and Linux machines.

Any help greatly appreciated,
Adriana
Re: Patch for OpenSSH for Windows to allow authentication through certificates
Adriana Rodean wrote:
> Hi all,
>
> Does anyone know if there is a patch for OpenSSH for Windows to allow
> authentication through certificates?
> Is it possible to make one if it doesn't exist?
> I'm using OpenSSH for Windows 3.8p1-1 20040709 Build.
>
> I know there is Roumen Petrov's patch, but it is for Unix machines if I'm
> not mistaken.
> I need a similar one for Windows that works with the Roumen Petrov
> patch so I can have authentication through certificates between
> Windows machines and Linux machines.
>
> Any help greatly appreciated,
> Adriana

Did you try the patch on the cygwin platform? The patch doesn't use
unix/posix-specific methods (functions).

Roumen


--
Get X.509 certificates support in OpenSSH:
http://roumenpetrov.info/openssh/
Re: Patch for OpenSSH for Windows to allow authentication through certificates
Hi,

Thanks Roumen for the input. Can you or someone help me patch openssh
with your X509 certificates patch and install it in Cygwin?
I've searched on Google and haven't found any guide on how to patch it in Cygwin.
I installed Cygwin with openssh. I don't know what to do further.

Please help, I'm not a Linux user, and this is the first time I use Cygwin.
Help please,

Thanks,
Adriana

On Tue, Dec 23, 2008 at 11:37, Roumen Petrov <openssh@roumenpetrov.info> wrote:
>
> Adriana Rodean wrote:
>>
>> Hi all,
>>
>> Does anyone know if there is a patch for OpenSSH for Windows to allow
>> authentication through certificates?
>> Is it possible to make one if it doesn't exist?
>> I'm using OpenSSH for Windows 3.8p1-1 20040709 Build.
>>
>> I know there is Roumen Petrov's patch, but it is for Unix machines if I'm
>> not mistaken.
>> I need a similar one for Windows that works with the Roumen Petrov
>> patch so I can have authentication through certificates between
>> Windows machines and Linux machines.
>>
>> Any help greatly appreciated,
>> Adriana
>
> Did you try the patch on the cygwin platform? The patch doesn't use
> unix/posix-specific methods (functions).
>
> Roumen
>
>
> --
> Get X.509 certificates support in OpenSSH:
> http://roumenpetrov.info/openssh/
Re: Patch for OpenSSH for Windows to allow authentication through certificates
Adriana Rodean wrote:
> Hi,
>
> Thanks Roumen for the input. Can you or someone help me patch openssh
> with your X509 certificates patch and install it in Cygwin?
> I've searched on Google and haven't found any guide on how to patch it in Cygwin.
> I installed Cygwin with openssh. I don't know what to do further.
>
> Please help, I'm not a Linux user, and this is the first time I use Cygwin.
> Help please,

There is nothing special. It is related more to how to build software
from source code than to experience with a particular platform.

As your question is how to build software from source code, I removed
openssh-unix-dev@mindrot.org from the response. As a start you may try to
build a program from source, i.e. to find out what you need to build -
build tools (compiler, linker, etc.), C header files and libraries.
Next is to build a package. After this comes how to patch source code and
build it. I could help you after setup of a working "build environment".


> Thanks,
> Adriana
[SNIP]


--
Get X.509 certificates support in OpenSSH:
http://roumenpetrov.info/openssh/
Re: Patch for OpenSSH for Windows to allow authentication through certificates
Hi all,

We patched it on cygwin and got executables to run, but when I try to
connect to the server I get the following from the client:

debug3: ssh_x509cert_check: for 'c=ME,ST=ME,L=ME,O=Internet Widgits Pty Ltd'
ssh_x509store_cb: subject='c=ME,ST=ME,L=ME,O=Internet Widgits Pty Ltd', error
20 at 0 depth lookup:unable to get local issuer certificate
ssh_verify_cert: verify error, code=20, msg=' unable to get local
issuer certificate'

I run the executable under Windows with the cygwin dlls in the same folder.



Thank you,

Adriana.
Re: Patch for OpenSSH for Windows to allow authentication through certificates
Hi Adriana,
Adriana Rodean wrote:
> Hi all,
>
> We patched it on cygwin and got executables to run, but when I try to
> connect to the server I get the following from the client:
>
> debug3: ssh_x509cert_check: for 'c=ME,ST=ME,L=ME,O=Internet Widgits Pty Ltd'
> ssh_x509store_cb: subject='c=ME,ST=ME,L=ME,O=Internet Widgits Pty Ltd', error
> 20 at 0 depth lookup:unable to get local issuer certificate
> ssh_verify_cert: verify error, code=20, msg=' unable to get local
> issuer certificate'
>
> I run the executable under Windows with the cygwin dlls in the same folder.
>
> Thank you,
> Adriana.


To verify the server certificate you need a "trust certificate chain".
See the ssh_config manual page for the "x509_store" options like
CACertificateFile and CACertificatePath and also UserCACertificateFile
and UserCACertificatePath.

You could check the openssh x509 store with the openssl command:
$ openssl verify [-CApath directory] [-CAfile file] certificate

In your case the openssl arguments -CApath -CAfile correspond to the openssh
config options {|User}CACertificatePath {|User}CACertificateFile and
certificate is your server certificate.

Roumen
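The check Roumen describes, as an added worked example that is not part of the thread: a throwaway CA and server certificate are constructed here, and `openssl verify` is run first with no trust anchor (reproducing the "error 20" the client logged), then with the CA given as a file (what CACertificateFile points to) and as a hashed directory (what CACertificatePath points to). All subject names, file names and the `verify_chain` helper are assumptions for this demo.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "error 20" from the
# client log with openssl verify, then make it pass the way the openssh
# options CACertificateFile (-CAfile) and CACertificatePath (-CApath) would.
# All keys, certificates and names below are constructed for the demo.
WORK=$(mktemp -d)

# 1. A throwaway CA and a server certificate signed by it (demo subjects).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
  -subj "/C=ME/O=Demo CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/C=ME/ST=ME/L=ME/O=Internet Widgits Pty Ltd" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -days 30 -sha256 -in "$WORK/server.csr" \
  -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/server.crt" 2>/dev/null

# 2. A hashed directory in the layout -CApath / CACertificatePath expect:
#    <subject-hash>.0 -> the CA certificate.
mkdir "$WORK/cadir"
cp "$WORK/ca.crt" \
  "$WORK/cadir/$(openssl x509 -noout -subject_hash -in "$WORK/ca.crt").0"

# verify_chain CERT [store options...]: prints "CERT: OK" on success or the
# "error 20 at 0 depth lookup: unable to get local issuer certificate" line.
verify_chain() {
  cert=$1; shift
  openssl verify "$@" "$cert" 2>&1
}

# No trust anchor configured: the same failure the ssh client reported.
verify_chain "$WORK/server.crt" || true
# CA supplied as a file (CACertificateFile) or a hashed dir (CACertificatePath).
verify_chain "$WORK/server.crt" -CAfile "$WORK/ca.crt"
verify_chain "$WORK/server.crt" -CApath "$WORK/cadir"
```

The CA certificate used here must be the issuer of the server certificate; pointing CACertificateFile at the server certificate itself still leaves the issuer lookup failing.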
Re: Patch for OpenSSH for Windows to allow authentication through certificates
Hi Roumen,

I fixed the certificate validation, so it returns 1 (trusted) now, but I
still can't go on. After everything seems to be OK, certificate
validated, the client tries to authenticate with keyboard-interactive.
This of course doesn't work and the connection is closed.

Here is output from server (started with option -d):
debug1: ssh_set_validator: ignore responder url
debug1: sshd version OpenSSH_5.1p1
debug1: read PEM private key begin
debug1: read X509 certificate done: type RSA+cert
debug1: read PEM private key done: type RSA+cert
debug1: private host key: #0 type 3 RSA+cert
debug1: rexec_argv[0]='/usr/local/openssh/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from 10.3.3.10 port 1080
debug1: Client protocol version 2.0; client software version OpenSSH_5.1
debug1: match: OpenSSH_5.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1
debug1: permanently_set_uid: 1001/1001
debug1: list_hostkey_types: x509v3-sign-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user administrator service ssh-connection
method none
debug1: attempt 0 failures 0
debug1: userauth-request for user administrator service ssh-connection
method keyboard-interactive
debug1: attempt 1 failures 0
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=administrator devs=
debug1: kbdint_alloc: devices ''
Connection closed by 10.3.3.10
debug1: do_cleanup

and output from the client (started with option -v):
OpenSSH_5.1p1, OpenSSL 0.9.8j 07 Jan 2009
debug1: Reading configuration data c:\\openssh\\bin\\ssh_config
debug1: ssh_set_validator: ignore responder url
debug1: Connecting to 10.3.3.12 [10.3.3.12] port 22.
debug1: Connection established.
debug1: identity file C:/OpenSSH/Certs/id_rsa type 3
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1
debug1: match: OpenSSH_5.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '10.3.3.12' is known and matches the RSA+cert host key.
debug1: Found key in /home/Administrator.JOGE/.ssh/known_hosts:1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: keyboard-interactive
debug1: No more authentication methods to try.

What did I miss?
Thank you,
Adriana.


On Sat, Mar 7, 2009 at 22:49, Roumen Petrov <openssh@roumenpetrov.info> wrote:
> Hi Adriana,
> Adriana Rodean wrote:
>>
>> Hi all,
>>
>> We patched it on cygwin and got executables to run, but when I try to
>> connect to the server I get the following from the client:
>>
>> debug3: ssh_x509cert_check: for 'c=ME,ST=ME,L=ME,O=Internet Widgits Pty
>> Ltd'
>> ssh_x509store_cb: subject='c=ME,ST=ME,L=ME,O=Internet Widgits Pty Ltd',
>> error
>> 20 at 0 depth lookup:unable to get local issuer certificate
>> ssh_verify_cert: verify error, code=20, msg=' unable to get local
>> issuer certificate'
>>
>> I run the executable under Windows with the cygwin dlls in the same folder.
>>
>> Thank you,
>> Adriana.
>
>
> To verify the server certificate you need a "trust certificate chain".
> See the ssh_config manual page for the "x509_store" options like CACertificateFile
> and CACertificatePath and also UserCACertificateFile and
> UserCACertificatePath.
>
> You could check the openssh x509 store with the openssl command:
> $ openssl verify [-CApath directory] [-CAfile file] certificate
>
> In your case the openssl arguments -CApath -CAfile correspond to the openssh config
> options {|User}CACertificatePath {|User}CACertificateFile and certificate is
> your server certificate.
>
> Roumen
>
Re: Patch for OpenSSH for Windows to allow authentication through certificates
Adriana Rodean wrote:
> Hi Roumen,
>
> I fixed the certificate validation, so it returns 1 (trusted) now, but I
> still can't go on. After everything seems to be OK, certificate
> validated, the client tries to authenticate with keyboard-interactive.
> This of course doesn't work and the connection is closed.
>
> Here is output from server (started with option -d):
> debug1: ssh_set_validator: ignore responder url
> debug1: sshd version OpenSSH_5.1p1
> debug1: read PEM private key begin
> debug1: read X509 certificate done: type RSA+cert
> debug1: read PEM private key done: type RSA+cert
> debug1: private host key: #0 type 3 RSA+cert
[SNIP]
> method keyboard-interactive
[SNIP]

> and output from the client (started with option -v):
> OpenSSH_5.1p1, OpenSSL 0.9.8j 07 Jan 2009
> debug1: Reading configuration data c:\\openssh\\bin\\ssh_config
> debug1: ssh_set_validator: ignore responder url
> debug1: Connecting to 10.3.3.12 [10.3.3.12] port 22.
> debug1: Connection established.
> debug1: identity file C:/OpenSSH/Certs/id_rsa type 3
> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1
> debug1: match: OpenSSH_5.1 pat OpenSSH*
[SNIP]
> debug1: Host '10.3.3.12' is known and matches the RSA+cert host key.
> debug1: Found key in /home/Administrator.JOGE/.ssh/known_hosts:1
[SNIP]
> debug1: Authentications that can continue: keyboard-interactive
> debug1: Next authentication method: keyboard-interactive
> debug1: Authentications that can continue: keyboard-interactive
[SNIP]
> What did I miss?

Check the client option PreferredAuthentications. In your case maybe it is
only keyboard-interactive. The default is "hostbased, publickey,
keyboard-interactive, password". For certificates it has to contain
publickey or hostbased. Let's start with publickey.
Also check the client options PubkeyAuthentication and PubkeyAlgorithms.

On the server check the server options PubkeyAuthentication and
PubkeyAlgorithms.

Initially you may leave PubkeyAlgorithms at the default.

[SNIP]

Roumen
Re: Patch for OpenSSH for Windows to allow authentication through certificates
Hi Roumen,

I changed the config files as you said and now it works, thanks for the help!
But I am in doubt whether the way it works now is the right one. I had to
copy the client's public key to the authorized_keys file on the server machine, and
the server's public key to the known_hosts file on the client machine.
It seems pretty much like the usual public key authentication now, except that
client and server send certificates to each other.

Is it possible in any way to avoid public key storage and just use
certificate validation? Like if the certificate is OK, no need to have the
public key from this certificate in authorized_keys or known_hosts.

Thank you,
Adriana.