Re: Help request for authentication with certicates
- Subject: Re: Help request for authentication with certicates
- From: Marco <bna.marco@xxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Thu, 28 Oct 2021 10:19:15 +0200
- To: libssh@xxxxxxxxxx
At server side I have:

Accepted certificate ID "divo" (serial 0) signed by ED25519 CA SHA256:
mm_answer_keyallowed: publickey authentication test: ED25519-CERT key is allowed
Postponed publickey for root from 10.10.70.100 port 50909 ssh2
userauth_pubkey: valid user root attempting public key ssh-ed25519
userauth_pubkey: have ssh-ed25519 signature for ED25519 SHA256:
trying public key file /etc/ssh/auth_keys/root
Could not open authorized keys '/etc/ssh/auth_keys/root': No such file or directory
mm_answer_keyallowed: publickey authentication: ED25519 key is not allowed
Failed publickey for root from 10.10.70.100 port 53113 ssh2: ED25519 SHA256:
userauth_finish: failure partial=0 next methods="publickey,password"

Thanks in advance for any help!
Marco

On Thu 28 Oct 2021 at 09:12 Marco <bna.marco@xxxxxxxxx> wrote:

> Hi.
> You are right. Libssh does not scan automatically for certificate or public key.
> While OpenSSH does it (or I can force certificate file using "-o CertificateFile" if I remember correctly), with libssh I do this:
>
> <code>
> #include <cstdlib>
> #include <cstdio>
> #include <iostream>
> #include <iomanip>
> #include <libssh/libssh.h>
> #include <libssh/libsshpp.hpp>
>
> int main(int argc, char* argv[]) {
>     ssh::Session mySession;
>
>     int port = 22;
>     int verbosity = SSH_LOG_TRACE;
>
>     try {
>         mySession.setOption(ssh_options_e::SSH_OPTIONS_HOST, "10.10.70.2");
>         mySession.setOption(ssh_options_e::SSH_OPTIONS_PORT, &port);
>         mySession.setOption(ssh_options_e::SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
>         mySession.setOption(ssh_options_e::SSH_OPTIONS_USER, "root");
>
>         mySession.connect();
>
>         // Step 1: offer the certificate (public part) to the server.
>         ssh_key certKey;
>         if (ssh_pki_import_cert_file("myFile-cert.pub", &certKey) == SSH_OK) {
>             if (mySession.userauthTryPublickey(certKey) == SSH_AUTH_SUCCESS) {
>                 std::cout << "PUB IS OK --> PROVIDE PRIV" << std::endl;
>
>                 // Step 2: load the private key and sign the real auth request with it.
>                 ssh_key privKey;
>                 if (ssh_pki_import_privkey_file("myFile", "mypassword", NULL, NULL, &privKey) == SSH_OK) {
>                     std::cout << "PRIV KEY OK" << std::endl;
>
>                     int res = mySession.userauthPublickey(privKey);
>                     if (res == SSH_AUTH_SUCCESS) {
>                         std::cout << "Authenticated" << std::endl;
>                     } else {
>                         std::cout << "RES = " << res << std::endl;
>                         std::cout << "!!!!! AUTH - " << ssh_get_error_code(mySession.getCSession()) << ": "
>                                   << ssh_get_error(mySession.getCSession()) << std::endl;
>                     }
>
>                     mySession.disconnect();
>
>                     ssh_key_free(certKey);
>                     ssh_key_free(privKey);
>                 } else {
>                     std::cout << "!!!!! LOAD PRIV - " << ssh_get_error_code(mySession.getCSession()) << ": "
>                               << ssh_get_error(mySession.getCSession()) << std::endl;
>                 }
>             } else {
>                 std::cout << "!!!!! TRY PUB - " << ssh_get_error_code(mySession.getCSession()) << ": "
>                           << ssh_get_error(mySession.getCSession()) << std::endl;
>             }
>         } else {
>             std::cout << "!!!!! IMPORT CERT - " << ssh_get_error_code(mySession.getCSession()) << ": "
>                       << ssh_get_error(mySession.getCSession()) << std::endl;
>         }
>
>     } catch (ssh::SshException& sshExc) {
>         std::cout << "!!!!! EXC: " << sshExc.getCode() << ": " << sshExc.getError() << std::endl;
>     }
>
>     return EXIT_SUCCESS;
> }
> </code>
>
> <code>
> [2021/10/28 09:08:42.447359, 3] ssh_config_parse_file: Reading configuration data from /etc/ssh/ssh_config
> [2021/10/28 09:08:42.449523, 2] ssh_config_parse_line: Unapplicable option: SendEnv, line: 50
> [2021/10/28 09:08:42.449664, 1] ssh_config_parse_line: Unsupported option: HashKnownHosts, line: 51
> [2021/10/28 09:08:42.449691, 2] ssh_connect: libssh 0.9.3 (c) 2003-2019 Aris Adamantiadis, Andreas Schneider and libssh contributors. Distributed under the LGPL, please refer to COPYING file for information about your rights, using threading threads_pthread
> [2021/10/28 09:08:42.449702, 3] getai: host 10.10.70.2 matches an IP address
> [2021/10/28 09:08:42.449970, 2] ssh_socket_connect: Nonblocking connection socket: 3
> [2021/10/28 09:08:42.450030, 2] ssh_connect: Socket connecting, now waiting for the callbacks to work
> [2021/10/28 09:08:42.450044, 3] ssh_connect: Actual timeout : 10000
> [2021/10/28 09:08:42.453983, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLOUT ), out buffer 0
> [2021/10/28 09:08:42.454099, 3] ssh_socket_pollcallback: Received POLLOUT in connecting state
> [2021/10/28 09:08:42.454123, 1] socket_callback_connected: Socket connection callback: 1 (0)
> [2021/10/28 09:08:42.454330, 3] ssh_socket_unbuffered_write: Enabling POLLOUT for socket
> [2021/10/28 09:08:42.454391, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLOUT ), out buffer 0
> [2021/10/28 09:08:42.508991, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLIN ), out buffer 0
> [2021/10/28 09:08:42.509092, 3] callback_receive_banner: Received banner: SSH-2.0-OpenSSH_8.2
> [2021/10/28 09:08:42.509110, 2] ssh_client_connection_callback: SSH server banner: SSH-2.0-OpenSSH_8.2
> [2021/10/28 09:08:42.509121, 2] ssh_analyze_banner: Analyzing banner: SSH-2.0-OpenSSH_8.2
> [2021/10/28 09:08:42.509142, 2] ssh_analyze_banner: We are talking to an OpenSSH client version: 8.2 (80200)
> [2021/10/28 09:08:42.509334, 3] ssh_client_select_hostkeys: Order of wanted host keys: "ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss"
> [2021/10/28 09:08:42.512701, 3] ssh_client_select_hostkeys: Algorithms found in known_hosts files: "ecdsa-sha2-nistp256"
> [2021/10/28 09:08:42.512792, 3] ssh_client_select_hostkeys: Changing host key method to "ecdsa-sha2-nistp256,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss"
> [2021/10/28 09:08:42.512851, 4] ssh_list_kex: kex algos: curve25519-sha256,curve25519-sha256@xxxxxxxxxx,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c
> [2021/10/28 09:08:42.512877, 4] ssh_list_kex: server host key algo: ecdsa-sha2-nistp256,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
> [2021/10/28 09:08:42.512889, 4] ssh_list_kex: encryption client->server: aes256-gcm@xxxxxxxxxxx,aes128-gcm@xxxxxxxxxxx,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc
> [2021/10/28 09:08:42.512929, 4] ssh_list_kex: encryption server->client: aes256-gcm@xxxxxxxxxxx,aes128-gcm@xxxxxxxxxxx,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc
> [2021/10/28 09:08:42.512942, 4] ssh_list_kex: mac algo client->server: hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha1-etm@xxxxxxxxxxx,hmac-sha2-256,hmac-sha2-512,hmac-sha1
> [2021/10/28 09:08:42.512952, 4] ssh_list_kex: mac algo server->client: hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha1-etm@xxxxxxxxxxx,hmac-sha2-256,hmac-sha2-512,hmac-sha1
> [2021/10/28 09:08:42.512961, 4] ssh_list_kex: compression algo client->server: none
> [2021/10/28 09:08:42.512970, 4] ssh_list_kex: compression algo server->client: none
> [2021/10/28 09:08:42.513010, 4] ssh_list_kex: languages client->server:
> [2021/10/28 09:08:42.513023, 4] ssh_list_kex: languages server->client:
> [2021/10/28 09:08:42.513145, 3] ssh_socket_unbuffered_write: Enabling POLLOUT for socket
> [2021/10/28 09:08:42.513199, 3] packet_send2: packet: wrote [type=20, len=940, padding_size=4, comp=935, payload=935]
> [2021/10/28 09:08:42.513212, 3] ssh_send_kex: SSH_MSG_KEXINIT sent
> [2021/10/28 09:08:42.513229, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLOUT ), out buffer 0
> [2021/10/28 09:08:42.513238, 4] ssh_socket_pollcallback: sending control flow event
> [2021/10/28 09:08:42.513248, 4] ssh_packet_socket_controlflow_callback: sending channel_write_wontblock callback
> [2021/10/28 09:08:42.514538, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLIN ), out buffer 0
> [2021/10/28 09:08:42.514643, 3] ssh_packet_socket_callback: packet: read type 20 [len=996,padding=9,comp=986,payload=986]
> [2021/10/28 09:08:42.514663, 3] ssh_packet_process: Dispatching handler for packet type 20
> [2021/10/28 09:08:42.514684, 4] ssh_list_kex: kex algos: curve25519-sha256,curve25519-sha256@xxxxxxxxxx,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
> [2021/10/28 09:08:42.514761, 4] ssh_list_kex: server host key algo: ssh-ed25519,ssh-ed25519-cert-v01@xxxxxxxxxxx
> [2021/10/28 09:08:42.514784, 4] ssh_list_kex: encryption client->server: chacha20-poly1305@xxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx
> [2021/10/28 09:08:42.514800, 4] ssh_list_kex: encryption server->client: chacha20-poly1305@xxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx
> [2021/10/28 09:08:42.514817, 4] ssh_list_kex: mac algo client->server: umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha1-etm@xxxxxxxxxxx,umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx,hmac-sha2-256,hmac-sha2-512,hmac-sha1
> [2021/10/28 09:08:42.514874, 4] ssh_list_kex: mac algo server->client: umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha1-etm@xxxxxxxxxxx,umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx,hmac-sha2-256,hmac-sha2-512,hmac-sha1
> [2021/10/28 09:08:42.514893, 4] ssh_list_kex: compression algo client->server: none
> [2021/10/28 09:08:42.514900, 4] ssh_list_kex: compression algo server->client: none
> [2021/10/28 09:08:42.514909, 4] ssh_list_kex: languages client->server:
> [2021/10/28 09:08:42.514973, 4] ssh_list_kex: languages server->client:
> [2021/10/28 09:08:42.515048, 2] ssh_kex_select_methods: Negotiated curve25519-sha256,ssh-ed25519,aes256-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,none,none,,
> [2021/10/28 09:08:42.515917, 3] ssh_socket_unbuffered_write: Enabling POLLOUT for socket
> [2021/10/28 09:08:42.516506, 3] packet_send2: packet: wrote [type=30, len=44, padding_size=6, comp=37, payload=37]
> [2021/10/28 09:08:42.516551, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLOUT ), out buffer 0
> [2021/10/28 09:08:42.516652, 4] ssh_socket_pollcallback: sending control flow event
> [2021/10/28 09:08:42.516671, 4] ssh_packet_socket_controlflow_callback: sending channel_write_wontblock callback
> [2021/10/28 09:08:42.573762, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLIN ), out buffer 0
> [2021/10/28 09:08:42.573901, 3] ssh_packet_socket_callback: packet: read type 31 [len=188,padding=8,comp=179,payload=179]
> [2021/10/28 09:08:42.573927, 3] ssh_packet_process: Dispatching handler for packet type 31
> [2021/10/28 09:08:42.574199, 3] ssh_socket_unbuffered_write: Enabling POLLOUT for socket
> [2021/10/28 09:08:42.574264, 3] packet_send2: packet: wrote [type=21, len=12, padding_size=10, comp=1, payload=1]
> [2021/10/28 09:08:42.574282, 4] ssh_packet_set_newkeys: called, direction = OUT
> [2021/10/28 09:08:42.574487, 3] crypt_set_algorithms2: Set output algorithm to aes256-gcm@xxxxxxxxxxx
> [2021/10/28 09:08:42.574561, 3] crypt_set_algorithms2: Set HMAC output algorithm to aead-gcm
> [2021/10/28 09:08:42.574580, 3] crypt_set_algorithms2: Set input algorithm to aes256-gcm@xxxxxxxxxxx
> [2021/10/28 09:08:42.574593, 3] crypt_set_algorithms2: Set HMAC input algorithm to aead-gcm
> [2021/10/28 09:08:42.574620, 2] ssh_init_rekey_state: Set rekey after 4294967296 blocks
> [2021/10/28 09:08:42.574687, 2] ssh_init_rekey_state: Set rekey after 4294967296 blocks
> [2021/10/28 09:08:42.574714, 2] ssh_packet_client_curve25519_reply: SSH_MSG_NEWKEYS sent
> [2021/10/28 09:08:42.574728, 3] ssh_packet_socket_callback: Processing 244 bytes left in socket buffer
> [2021/10/28 09:08:42.574741, 3] ssh_packet_socket_callback: packet: read type 21 [len=12,padding=10,comp=1,payload=1]
> [2021/10/28 09:08:42.574755, 3] ssh_packet_process: Dispatching handler for packet type 21
> [2021/10/28 09:08:42.574764, 2] ssh_packet_newkeys: Received SSH_MSG_NEWKEYS
> [2021/10/28 09:08:42.574781, 4] ssh_pki_signature_verify: Going to verify a ssh-ed25519 type signature
> [2021/10/28 09:08:42.575037, 4] pki_verify_data_signature: Signature valid
> [2021/10/28 09:08:42.575092, 2] ssh_packet_newkeys: Signature verified and valid
> [2021/10/28 09:08:42.575104, 4] ssh_packet_set_newkeys: called, direction = IN
> [2021/10/28 09:08:42.575114, 3] ssh_packet_socket_callback: Processing 228 bytes left in socket buffer
> [2021/10/28 09:08:42.575129, 3] ssh_packet_socket_callback: packet: read type 7 [len=208,padding=4,comp=203,payload=203]
> [2021/10/28 09:08:42.575140, 3] ssh_packet_process: Dispatching handler for packet type 7
> [2021/10/28 09:08:42.575149, 3] ssh_packet_ext_info: Received SSH_MSG_EXT_INFO
> [2021/10/28 09:08:42.575158, 3] ssh_packet_ext_info: Follows 1 extensions
> [2021/10/28 09:08:42.575168, 3] ssh_packet_ext_info: Extension: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@xxxxxxxxxxx,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@xxxxxxxxxxx>
> [2021/10/28 09:08:42.575212, 3] ssh_connect: current state : 7
> [2021/10/28 09:08:42.577743, 3] ssh_key_algorithm_allowed: Checking ssh-ed25519-cert-v01@xxxxxxxxxxx with list <ssh-ed25519-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,rsa-sha2-512-cert-v01@xxxxxxxxxxx,rsa-sha2-256-cert-v01@xxxxxxxxxxx,ssh-rsa-cert-v01@xxxxxxxxxxx,ssh-dss-cert-v01@xxxxxxxxxxx,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss>
> [2021/10/28 09:08:42.577862, 3] packet_send2: packet: wrote [type=5, len=32, padding_size=14, comp=17, payload=17]
> [2021/10/28 09:08:42.577883, 3] ssh_service_request: Sent SSH_MSG_SERVICE_REQUEST (service ssh-userauth)
> [2021/10/28 09:08:42.577902, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLOUT ), out buffer 52
> [2021/10/28 09:08:42.578031, 3] ssh_socket_unbuffered_write: Enabling POLLOUT for socket
> [2021/10/28 09:08:42.578102, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLOUT ), out buffer 0
> [2021/10/28 09:08:42.578117, 4] ssh_socket_pollcallback: sending control flow event
> [2021/10/28 09:08:42.578126, 4] ssh_packet_socket_controlflow_callback: sending channel_write_wontblock callback
> [2021/10/28 09:08:42.579018, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLIN ), out buffer 0
> [2021/10/28 09:08:42.579115, 3] ssh_packet_socket_callback: packet: read type 6 [len=32,padding=14,comp=17,payload=17]
> [2021/10/28 09:08:42.579138, 3] ssh_packet_process: Dispatching handler for packet type 6
> [2021/10/28 09:08:42.579152, 3] ssh_packet_service_accept: Received SSH_MSG_SERVICE_ACCEPT
> [2021/10/28 09:08:42.579283, 3] ssh_socket_unbuffered_write: Enabling POLLOUT for socket
> [2021/10/28 09:08:42.579353, 3] packet_send2: packet: wrote [type=50, len=528, padding_size=6, comp=521, payload=521]
> [2021/10/28 09:08:42.579376, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLOUT ), out buffer 0
> [2021/10/28 09:08:42.579389, 4] ssh_socket_pollcallback: sending control flow event
> [2021/10/28 09:08:42.579402, 4] ssh_packet_socket_controlflow_callback: sending channel_write_wontblock callback
> [2021/10/28 09:08:42.656812, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLIN ), out buffer 0
> [2021/10/28 09:08:42.656908, 3] ssh_packet_socket_callback: packet: read type 60 [len=496,padding=14,comp=481,payload=481]
> [2021/10/28 09:08:42.656928, 3] ssh_packet_process: Dispatching handler for packet type 60
> [2021/10/28 09:08:42.656941, 4] ssh_packet_userauth_pk_ok: Received SSH_USERAUTH_PK_OK/INFO_REQUEST/GSSAPI_RESPONSE
> [2021/10/28 09:08:42.656992, 4] ssh_packet_userauth_pk_ok: Assuming SSH_USERAUTH_PK_OK
> PUB IS OK --> PROVIDE PRIV
> [2021/10/28 09:08:42.659075, 2] ssh_pki_import_privkey_base64: Trying to decode privkey passphrase=true
> [2021/10/28 09:08:42.659222, 2] ssh_pki_openssh_import: Opening OpenSSH private key: ciphername: aes256-ctr, kdf: bcrypt, nkeys: 1
> [2021/10/28 09:08:42.659301, 3] pki_private_key_decrypt: Decryption: 32 key, 16 IV, 16 rounds, 16 bytes salt
> PRIV KEY OK
> [2021/10/28 09:08:42.825385, 3] ssh_key_algorithm_allowed: Checking ssh-ed25519 with list <ssh-ed25519-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,rsa-sha2-512-cert-v01@xxxxxxxxxxx,rsa-sha2-256-cert-v01@xxxxxxxxxxx,ssh-rsa-cert-v01@xxxxxxxxxxx,ssh-dss-cert-v01@xxxxxxxxxxx,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss>
> [2021/10/28 09:08:42.825710, 3] ssh_socket_unbuffered_write: Enabling POLLOUT for socket
> [2021/10/28 09:08:42.825779, 3] packet_send2: packet: wrote [type=50, len=208, padding_size=9, comp=198, payload=198]
> [2021/10/28 09:08:42.825803, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLOUT ), out buffer 0
> [2021/10/28 09:08:42.825819, 4] ssh_socket_pollcallback: sending control flow event
> [2021/10/28 09:08:42.825835, 4] ssh_packet_socket_controlflow_callback: sending channel_write_wontblock callback
> [2021/10/28 09:08:42.832362, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLIN ), out buffer 0
> [2021/10/28 09:08:42.832464, 3] ssh_packet_socket_callback: packet: read type 51 [len=48,padding=13,comp=34,payload=34]
> [2021/10/28 09:08:42.832482, 3] ssh_packet_process: Dispatching handler for packet type 51
> [2021/10/28 09:08:42.832528, 1] ssh_packet_userauth_failure: Access denied for 'publickey'. Authentication that can continue: publickey,password,hostbased
> [2021/10/28 09:08:42.832576, 2] ssh_packet_userauth_failure: Access denied for 'publickey'. Authentication that can continue: publickey,password,hostbased
> RES = 1
> !!!!! AUTH - 1: Access denied for 'publickey'. Authentication that can continue: publickey,password,hostbased
> </code>
>
> As you can see I try to load the certificate with the public key and then I provide the private key. What I've got is
>
> !!!!! AUTH - 1: Access denied for 'publickey'. Authentication that can continue: publickey,password,hostbased
>
> At server side in /var/log/auth.log there is nothing to see other than disconnection.... I'll try to set debug to a higher level.
>
> Some suggestion about the authentication error?
>
> Marco Bna'
>
> On Wed 27 Oct 2021, 20:01 Jakub Jelen <jjelen@xxxxxxxxxx> wrote:
>
>> On 10/27/21 16:26, Marco wrote:
>> > Hi all and thanks for attention.
>> >
>> > I have some difficulties in authentication using certificate from a C application using ssh to a server correctly configured, I think.
>> >
>> > I've generated a private and public key and signed the public with the certification authority private key to have -cert.pub with desired principals (principals are in /etc/ssh/auth_principals/%u at server side).
>> >
>> > The server is configured to recognize the CA and has authentication principals.
>> >
>> > Using ssh from shell I have no issue.
>> >
>> > With a C application following the tutorial and after setting the session with username, ip, port, I try public key using the cert file, it succeeds, then I try to authenticate with the private key but I have Access denied.
>>
>> AFAIK the OpenSSH (ssh from shell) automatically loads the existing -cert.pub files when it finds them alongside the private and public key files. I am not sure if this functionality is implemented in libssh, but from what you describe, it looks like the case.
>>
>> The certificate and public key authentication are both using the pubkey authentication method, but they are using different "key type" (or mechanism -- for example ssh-ed25519 or ssh-ed25519-cert-v01@xxxxxxxxxxx), which will use different content of the authentication packets (you should be able to see this difference in debug mode of both server and clients).
>>
>> I think this works as expected from the protocol point of view. If you think libssh should also try to find matching certificates and use them for the authentication, contributions are welcomed:
>>
>> https://gitlab.com/libssh/libssh-mirror
>>
>> Hope it helps,
>> --
>> Jakub Jelen
>> Crypto Team, Security Engineering
>> Red Hat, Inc.
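Jakub's point, that a certificate and the bare key it wraps are different "key types" carrying different authentication packet contents, as an added example that is not from the thread and not libssh code: it encodes a constructed ssh-ed25519-cert-v01@openssh.com blob and the query-form SSH_MSG_USERAUTH_REQUEST for each key type, then decodes the fields sshd reports (ID "divo", serial 0 are taken from the server log above; the principal "root", all key bytes, the nonce and the signature are made up and the signature is not verified).

```python
def _s(b):  # SSH 'string': uint32 big-endian length followed by the bytes
    return len(b).to_bytes(4, "big") + b

class _Reader:
    def __init__(self, data):
        self.data, self.off = data, 0
    def take(self, n):                  # raises instead of reading past the end
        chunk = self.data[self.off:self.off + n]
        if len(chunk) != n:
            raise ValueError("truncated SSH blob")
        self.off += n
        return chunk
    def uint(self, width):              # uint32 (width 4) or uint64 (width 8)
        return int.from_bytes(self.take(width), "big")
    def string(self):
        return self.take(self.uint(4))

def plain_key_blob(pub32):
    """Wire form of a bare ssh-ed25519 public key: type name + 32 raw bytes."""
    return _s(b"ssh-ed25519") + _s(pub32)

def cert_blob(pub32, key_id, principals, serial, ca_pub32, nonce, sig):
    """ssh-ed25519-cert-v01@openssh.com wire form (OpenSSH PROTOCOL.certkeys)."""
    tbs = b"".join([
        _s(b"ssh-ed25519-cert-v01@openssh.com"), _s(nonce), _s(pub32),
        serial.to_bytes(8, "big"), (1).to_bytes(4, "big"),   # serial, 1 = user cert
        _s(key_id), _s(b"".join(_s(p) for p in principals)),
        (0).to_bytes(8, "big"), (2**64 - 1).to_bytes(8, "big"),  # valid after/before
        _s(b""), _s(b""), _s(b""),                # critical opts, extensions, reserved
        _s(plain_key_blob(ca_pub32)),             # CA public key
    ])
    return tbs + _s(_s(b"ssh-ed25519") + _s(sig))  # CA signature over tbs

def parse_cert(blob):
    """Decode the fields sshd logs as 'Accepted certificate ID ... (serial N)'."""
    r = _Reader(blob)
    if r.string() != b"ssh-ed25519-cert-v01@openssh.com":
        raise ValueError("not an ed25519 certificate blob")
    r.string()                                    # nonce
    pub, serial, ctype, key_id = r.string(), r.uint(8), r.uint(4), r.string()
    pr, principals = _Reader(r.string()), []
    while pr.off < len(pr.data):
        principals.append(pr.string().decode())
    r.uint(8); r.uint(8); r.string(); r.string(); r.string()  # validity, opts, exts, reserved
    ca = _Reader(r.string()); ca.string()         # CA key: skip its type name
    return {"pub": pub, "serial": serial, "type": ctype, "key_id": key_id.decode(),
            "principals": principals, "ca_pub": ca.string()}

def userauth_request(user, algo, blob):
    """SSH_MSG_USERAUTH_REQUEST (50), publickey method, query form (no signature),
    which is what a try-publickey call sends before the signed request."""
    return (bytes([50]) + _s(user) + _s(b"ssh-connection") + _s(b"publickey")
            + b"\x00" + _s(algo) + _s(blob))

def algo_in_request(pkt):
    """The algorithm name the server reads from the request: the 'key type'."""
    r = _Reader(pkt[1:])
    r.string(); r.string(); r.string(); r.take(1)  # user, service, method, has-sig
    return r.string()

# Constructed demo values: nothing here is a real key, nonce or signature.
USER_PUB, CA_PUB, SIG = bytes(range(32)), bytes(range(32, 64)), bytes(64)
PLAIN = plain_key_blob(USER_PUB)
CERT = cert_blob(USER_PUB, b"divo", [b"root"], 0, CA_PUB, b"\xaa" * 32, SIG)
```

Offering PLAIN after the server accepted CERT sends a second request whose algorithm name is ssh-ed25519, so sshd evaluates it as an ordinary key against authorized_keys rather than against the trusted CA.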