Re: Help request for authentication with certificates
- Subject: Re: Help request for authentication with certificates
- From: Marco <bna.marco@xxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Thu, 28 Oct 2021 16:01:30 +0200
- To: libssh@xxxxxxxxxx
Some more considerations from the server log of OpenSSH:

ssh -i priv root@<ip> -o CertificateFile priv-cert.pub

Accepted certificate ID "divo" (serial 0) signed by ED25519 CA SHA256:
mm_answer_keyallowed: publickey authentication test: ED25519-CERT key is allowed
Postponed publickey for root from 10.10.70.100 port 50909 ssh2
userauth_pubkey: valid user root attempting public key ssh-ed25519
userauth_pubkey: have ssh-ed25519 signature for ED25519 SHA256:
trying public key file /etc/ssh/auth_keys/root
Could not open authorized keys '/etc/ssh/auth_keys/root': No such file or directory
Accepted certificate ID "divo" (serial 0) signed by ED25519 CA SHA256: via /etc/ssh/ca_user_key.pub
mm_answer_keyallowed: publickey authentication: ED25519-CERT key is allowed
mm_request_send entering: type 23
debug3: mm_sshkey_verify entering [preauth]
debug3: mm_request_send entering: type 24 [preauth]
debug3: mm_sshkey_verify: waiting for MONITOR_ANS_KEYVERIFY [preauth]
debug3: mm_request_receive_expect entering: type 25 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 24
debug3: mm_answer_keyverify: publickey 0x19c72a8 signature verified
debug1: auth_activate_options: setting new authentication options
debug3: mm_request_send entering: type 25
Mar 9 17:49:15 imx7-var-som auth.info sshd[4456]: Accepted publickey for root from 10.10.70.100 port 49224 ssh2: ED25519-CERT SHA256: ID divo (serial 0) CA ED25519 SHA256:
Mar 9 17:49:15 imx7-var-som auth.debug sshd[4456]: debug1: monitor_child_preauth: root has been authenticated by privileged process
Mar 9 17:49:15 imx7-var-som auth.debug sshd[4456]: debug3: mm_get_keystate: Waiting for new keys
Mar 9 17:49:15 imx7-var-som auth.debug sshd[4456]: debug3: mm_request_receive_expect entering: type 26
Mar 9 17:49:15 imx7-var-som auth.debug sshd[4456]: debug3: mm_request_receive entering
Mar 9 17:49:15 imx7-var-som auth.debug sshd[4456]: debug3: mm_get_keystate: GOT new keys
Mar 9 17:49:15 imx7-var-som auth.debug sshd[4456]: debug1: auth_activate_options: setting new authentication options [preauth]
Mar 9 17:49:15 imx7-var-som auth.debug sshd[4456]: debug2: userauth_pubkey: authenticated 1 pkalg ssh-ed25519-cert-v01@xxxxxxxxxxx [preauth]
Mar 9 17:49:15 imx7-var-som auth.debug sshd[4456]: debug3: user_specific_delay: user specific delay 0.000ms [preauth]

On Thu, 28 Oct 2021 at 10:19 Marco <bna.marco@xxxxxxxxx> wrote:

> At server side I have:
>
> Accepted certificate ID "divo" (serial 0) signed by ED25519 CA SHA256:
> mm_answer_keyallowed: publickey authentication test: ED25519-CERT key is allowed
> Postponed publickey for root from 10.10.70.100 port 50909 ssh2
> userauth_pubkey: valid user root attempting public key ssh-ed25519
> userauth_pubkey: have ssh-ed25519 signature for ED25519 SHA256:
> trying public key file /etc/ssh/auth_keys/root
> Could not open authorized keys '/etc/ssh/auth_keys/root': No such file or directory
> mm_answer_keyallowed: publickey authentication: ED25519 key is not allowed
> Failed publickey for root from 10.10.70.100 port 53113 ssh2: ED25519 SHA256:
> userauth_finish: failure partial=0 next methods="publickey,password"
>
> Thanks in advance for any help!
>
> Marco
>
> On Thu, 28 Oct 2021 at 09:12 Marco <bna.marco@xxxxxxxxx> wrote:
>
>> Hi.
>> You are right. Libssh does not scan automatically for certificate or
>> public key.
>> While OpenSSH does it (or I can force the certificate file using "-o
>> CertificateFile" if I remember correctly), with libssh I do this:
>>
>> <code>
>> #include <cstdlib>
>> #include <cstdio>
>> #include <iostream>
>> #include <iomanip>
>> #include <libssh/libssh.h>
>> #include <libssh/libsshpp.hpp>
>>
>> int main(int argc, char* argv[]) {
>>     ssh::Session mySession;
>>
>>     int port = 22;
>>     int verbosity = SSH_LOG_TRACE;
>>
>>     try {
>>         mySession.setOption(ssh_options_e::SSH_OPTIONS_HOST, "10.10.70.2");
>>         mySession.setOption(ssh_options_e::SSH_OPTIONS_PORT, &port);
>>         mySession.setOption(ssh_options_e::SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
>>         mySession.setOption(ssh_options_e::SSH_OPTIONS_USER, "root");
>>
>>         mySession.connect();
>>
>>         // Load the CA-signed certificate and ask the server whether it would accept it.
>>         // ssh_pki_import_cert_file() reports SSH_OK / SSH_ERROR, not an SSH_AUTH_* code.
>>         ssh_key certKey = nullptr;
>>         if (ssh_pki_import_cert_file("myFile-cert.pub", &certKey) == SSH_OK) {
>>             if (mySession.userauthTryPublickey(certKey) == SSH_AUTH_SUCCESS) {
>>                 std::cout << "PUB IS OK --> PROVIDE PRIV" << std::endl;
>>
>>                 // Load the (passphrase-protected) private key and sign the auth request with it.
>>                 ssh_key privKey = nullptr;
>>                 if (ssh_pki_import_privkey_file("myFile", "mypassword", NULL, NULL, &privKey) == SSH_OK) {
>>                     std::cout << "PRIV KEY OK" << std::endl;
>>
>>                     int res = mySession.userauthPublickey(privKey);
>>                     if (res == SSH_AUTH_SUCCESS) {
>>                         std::cout << "Authenticated" << std::endl;
>>                     } else {
>>                         std::cout << "RES = " << res << std::endl;
>>                         std::cout << "!!!!! AUTH - " << ssh_get_error_code(mySession.getCSession()) << ": " << ssh_get_error(mySession.getCSession()) << std::endl;
>>                     }
>>
>>                     mySession.disconnect();
>>
>>                     ssh_key_free(certKey);
>>                     ssh_key_free(privKey);
>>                 } else {
>>                     std::cout << "!!!!! LOAD PRIV - " << ssh_get_error_code(mySession.getCSession()) << ": " << ssh_get_error(mySession.getCSession()) << std::endl;
>>                     ssh_key_free(certKey);
>>                 }
>>             } else {
>>                 std::cout << "!!!!! TRY PUB - " << ssh_get_error_code(mySession.getCSession()) << ": " << ssh_get_error(mySession.getCSession()) << std::endl;
>>                 ssh_key_free(certKey);
>>             }
>>         } else {
>>             std::cout << "!!!!! IMPORT CERT - " << ssh_get_error_code(mySession.getCSession()) << ": " << ssh_get_error(mySession.getCSession()) << std::endl;
>>         }
>>
>>     } catch (ssh::SshException& sshExc) {
>>         std::cout << "!!!!! EXC: " << sshExc.getCode() << ": " << sshExc.getError() << std::endl;
>>     }
>>
>>     return EXIT_SUCCESS;
>> }
>> </code>
>>
>> <code>
>> [2021/10/28 09:08:42.447359, 3] ssh_config_parse_file: Reading configuration data from /etc/ssh/ssh_config
>> [2021/10/28 09:08:42.449523, 2] ssh_config_parse_line: Unapplicable option: SendEnv, line: 50
>> [2021/10/28 09:08:42.449664, 1] ssh_config_parse_line: Unsupported option: HashKnownHosts, line: 51
>> [2021/10/28 09:08:42.449691, 2] ssh_connect: libssh 0.9.3 (c) 2003-2019 Aris Adamantiadis, Andreas Schneider and libssh contributors. Distributed under the LGPL, please refer to COPYING file for information about your rights, using threading threads_pthread
>> [2021/10/28 09:08:42.449702, 3] getai: host 10.10.70.2 matches an IP address
>> [2021/10/28 09:08:42.449970, 2] ssh_socket_connect: Nonblocking connection socket: 3
>> [2021/10/28 09:08:42.450030, 2] ssh_connect: Socket connecting, now waiting for the callbacks to work
>> [2021/10/28 09:08:42.450044, 3] ssh_connect: Actual timeout : 10000
>> [2021/10/28 09:08:42.453983, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLOUT ), out buffer 0
>> [2021/10/28 09:08:42.454099, 3] ssh_socket_pollcallback: Received POLLOUT in connecting state
>> [2021/10/28 09:08:42.454123, 1] socket_callback_connected: Socket connection callback: 1 (0)
>> [2021/10/28 09:08:42.454330, 3] ssh_socket_unbuffered_write: Enabling POLLOUT for socket
>> [2021/10/28 09:08:42.454391, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLOUT ), out buffer 0
>> [2021/10/28 09:08:42.508991, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLIN ), out buffer 0
>> [2021/10/28 09:08:42.509092, 3] callback_receive_banner: Received banner: SSH-2.0-OpenSSH_8.2
>> [2021/10/28 09:08:42.509110, 2] ssh_client_connection_callback: SSH server banner: SSH-2.0-OpenSSH_8.2
>> [2021/10/28 09:08:42.509121, 2] ssh_analyze_banner: Analyzing banner: SSH-2.0-OpenSSH_8.2
>> [2021/10/28 09:08:42.509142, 2] ssh_analyze_banner: We are talking to an OpenSSH client version: 8.2 (80200)
>> [2021/10/28 09:08:42.509334, 3] ssh_client_select_hostkeys: Order of wanted host keys: "ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss"
>> [2021/10/28 09:08:42.512701, 3] ssh_client_select_hostkeys: Algorithms found in known_hosts files: "ecdsa-sha2-nistp256"
>> [2021/10/28 09:08:42.512792, 3] ssh_client_select_hostkeys: Changing host key method to "ecdsa-sha2-nistp256,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss"
>> [2021/10/28 09:08:42.512851, 4] ssh_list_kex: kex algos: curve25519-sha256,curve25519-sha256@xxxxxxxxxx,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c
>> [2021/10/28 09:08:42.512877, 4] ssh_list_kex: server host key algo: ecdsa-sha2-nistp256,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
>> [2021/10/28 09:08:42.512889, 4] ssh_list_kex: encryption client->server: aes256-gcm@xxxxxxxxxxx,aes128-gcm@xxxxxxxxxxx,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc
>> [2021/10/28 09:08:42.512929, 4] ssh_list_kex: encryption server->client: aes256-gcm@xxxxxxxxxxx,aes128-gcm@xxxxxxxxxxx,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc
>> [2021/10/28 09:08:42.512942, 4] ssh_list_kex: mac algo client->server: hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha1-etm@xxxxxxxxxxx,hmac-sha2-256,hmac-sha2-512,hmac-sha1
>> [2021/10/28 09:08:42.512952, 4] ssh_list_kex: mac algo server->client: hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha1-etm@xxxxxxxxxxx,hmac-sha2-256,hmac-sha2-512,hmac-sha1
>> [2021/10/28 09:08:42.512961, 4] ssh_list_kex: compression algo client->server: none
>> [2021/10/28 09:08:42.512970, 4] ssh_list_kex: compression algo server->client: none
>> [2021/10/28 09:08:42.513010, 4] ssh_list_kex: languages client->server:
>> [2021/10/28 09:08:42.513023, 4] ssh_list_kex: languages server->client:
>> [2021/10/28 09:08:42.513145, 3] ssh_socket_unbuffered_write: Enabling POLLOUT for socket
>> [2021/10/28 09:08:42.513199, 3] packet_send2: packet: wrote [type=20, len=940, padding_size=4, comp=935, payload=935]
>> [2021/10/28 09:08:42.513212, 3] ssh_send_kex: SSH_MSG_KEXINIT sent
>> [2021/10/28 09:08:42.513229, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLOUT ), out buffer 0
>> [2021/10/28 09:08:42.513238, 4] ssh_socket_pollcallback: sending control flow event
>> [2021/10/28 09:08:42.513248, 4] ssh_packet_socket_controlflow_callback: sending channel_write_wontblock callback
>> [2021/10/28 09:08:42.514538, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLIN ), out buffer 0
>> [2021/10/28 09:08:42.514643, 3] ssh_packet_socket_callback: packet: read type 20 [len=996,padding=9,comp=986,payload=986]
>> [2021/10/28 09:08:42.514663, 3] ssh_packet_process: Dispatching handler for packet type 20
>> [2021/10/28 09:08:42.514684, 4] ssh_list_kex: kex algos: curve25519-sha256,curve25519-sha256@xxxxxxxxxx,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
>> [2021/10/28 09:08:42.514761, 4] ssh_list_kex: server host key algo: ssh-ed25519,ssh-ed25519-cert-v01@xxxxxxxxxxx
>> [2021/10/28 09:08:42.514784, 4] ssh_list_kex: encryption client->server: chacha20-poly1305@xxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx
>> [2021/10/28 09:08:42.514800, 4] ssh_list_kex: encryption server->client: chacha20-poly1305@xxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx
>> [2021/10/28 09:08:42.514817, 4] ssh_list_kex: mac algo client->server: umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha1-etm@xxxxxxxxxxx,umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx,hmac-sha2-256,hmac-sha2-512,hmac-sha1
>> [2021/10/28 09:08:42.514874, 4] ssh_list_kex: mac algo server->client: umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha1-etm@xxxxxxxxxxx,umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx,hmac-sha2-256,hmac-sha2-512,hmac-sha1
>> [2021/10/28 09:08:42.514893, 4] ssh_list_kex: compression algo client->server: none
>> [2021/10/28 09:08:42.514900, 4] ssh_list_kex: compression algo server->client: none
>> [2021/10/28 09:08:42.514909, 4] ssh_list_kex: languages client->server:
>> [2021/10/28 09:08:42.514973, 4] ssh_list_kex: languages server->client:
>> [2021/10/28 09:08:42.515048, 2] ssh_kex_select_methods: Negotiated curve25519-sha256,ssh-ed25519,aes256-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,none,none,,
>> [2021/10/28 09:08:42.515917, 3] ssh_socket_unbuffered_write: Enabling POLLOUT for socket
>> [2021/10/28 09:08:42.516506, 3] packet_send2: packet: wrote [type=30, len=44, padding_size=6, comp=37, payload=37]
>> [2021/10/28 09:08:42.516551, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLOUT ), out buffer 0
>> [2021/10/28 09:08:42.516652, 4] ssh_socket_pollcallback: sending control flow event
>> [2021/10/28 09:08:42.516671, 4] ssh_packet_socket_controlflow_callback: sending channel_write_wontblock callback
>> [2021/10/28 09:08:42.573762, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLIN ), out buffer 0
>> [2021/10/28 09:08:42.573901, 3] ssh_packet_socket_callback: packet: read type 31 [len=188,padding=8,comp=179,payload=179]
>> [2021/10/28 09:08:42.573927, 3] ssh_packet_process: Dispatching handler for packet type 31
>> [2021/10/28 09:08:42.574199, 3] ssh_socket_unbuffered_write: Enabling POLLOUT for socket
>> [2021/10/28 09:08:42.574264, 3] packet_send2: packet: wrote [type=21, len=12, padding_size=10, comp=1, payload=1]
>> [2021/10/28 09:08:42.574282, 4] ssh_packet_set_newkeys: called, direction = OUT
>> [2021/10/28 09:08:42.574487, 3] crypt_set_algorithms2: Set output algorithm to aes256-gcm@xxxxxxxxxxx
>> [2021/10/28 09:08:42.574561, 3] crypt_set_algorithms2: Set HMAC output algorithm to aead-gcm
>> [2021/10/28 09:08:42.574580, 3] crypt_set_algorithms2: Set input algorithm to aes256-gcm@xxxxxxxxxxx
>> [2021/10/28 09:08:42.574593, 3] crypt_set_algorithms2: Set HMAC input algorithm to aead-gcm
>> [2021/10/28 09:08:42.574620, 2] ssh_init_rekey_state: Set rekey after 4294967296 blocks
>> [2021/10/28 09:08:42.574687, 2] ssh_init_rekey_state: Set rekey after 4294967296 blocks
>> [2021/10/28 09:08:42.574714, 2] ssh_packet_client_curve25519_reply: SSH_MSG_NEWKEYS sent
>> [2021/10/28 09:08:42.574728, 3] ssh_packet_socket_callback: Processing 244 bytes left in socket buffer
>> [2021/10/28 09:08:42.574741, 3] ssh_packet_socket_callback: packet: read type 21 [len=12,padding=10,comp=1,payload=1]
>> [2021/10/28 09:08:42.574755, 3] ssh_packet_process: Dispatching handler for packet type 21
>> [2021/10/28 09:08:42.574764, 2] ssh_packet_newkeys: Received SSH_MSG_NEWKEYS
>> [2021/10/28 09:08:42.574781, 4] ssh_pki_signature_verify: Going to verify a ssh-ed25519 type signature
>> [2021/10/28 09:08:42.575037, 4] pki_verify_data_signature: Signature valid
>> [2021/10/28 09:08:42.575092, 2] ssh_packet_newkeys: Signature verified and valid
>> [2021/10/28 09:08:42.575104, 4] ssh_packet_set_newkeys: called, direction = IN
>> [2021/10/28 09:08:42.575114, 3] ssh_packet_socket_callback: Processing 228 bytes left in socket buffer
>> [2021/10/28 09:08:42.575129, 3] ssh_packet_socket_callback: packet: read type 7 [len=208,padding=4,comp=203,payload=203]
>> [2021/10/28 09:08:42.575140, 3] ssh_packet_process: Dispatching handler for packet type 7
>> [2021/10/28 09:08:42.575149, 3] ssh_packet_ext_info: Received SSH_MSG_EXT_INFO
>> [2021/10/28 09:08:42.575158, 3] ssh_packet_ext_info: Follows 1 extensions
>> [2021/10/28 09:08:42.575168, 3] ssh_packet_ext_info: Extension: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@xxxxxxxxxxx,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@xxxxxxxxxxx>
>> [2021/10/28 09:08:42.575212, 3] ssh_connect: current state : 7
>> [2021/10/28 09:08:42.577743, 3] ssh_key_algorithm_allowed: Checking ssh-ed25519-cert-v01@xxxxxxxxxxx with list <ssh-ed25519-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,rsa-sha2-512-cert-v01@xxxxxxxxxxx,rsa-sha2-256-cert-v01@xxxxxxxxxxx,ssh-rsa-cert-v01@xxxxxxxxxxx,ssh-dss-cert-v01@xxxxxxxxxxx,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss>
>> [2021/10/28 09:08:42.577862, 3] packet_send2: packet: wrote [type=5, len=32, padding_size=14, comp=17, payload=17]
>> [2021/10/28 09:08:42.577883, 3] ssh_service_request: Sent SSH_MSG_SERVICE_REQUEST (service ssh-userauth)
>> [2021/10/28 09:08:42.577902, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLOUT ), out buffer 52
>> [2021/10/28 09:08:42.578031, 3] ssh_socket_unbuffered_write: Enabling POLLOUT for socket
>> [2021/10/28 09:08:42.578102, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLOUT ), out buffer 0
>> [2021/10/28 09:08:42.578117, 4] ssh_socket_pollcallback: sending control flow event
>> [2021/10/28 09:08:42.578126, 4] ssh_packet_socket_controlflow_callback: sending channel_write_wontblock callback
>> [2021/10/28 09:08:42.579018, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLIN ), out buffer 0
>> [2021/10/28 09:08:42.579115, 3] ssh_packet_socket_callback: packet: read type 6 [len=32,padding=14,comp=17,payload=17]
>> [2021/10/28 09:08:42.579138, 3] ssh_packet_process: Dispatching handler for packet type 6
>> [2021/10/28 09:08:42.579152, 3] ssh_packet_service_accept: Received SSH_MSG_SERVICE_ACCEPT
>> [2021/10/28 09:08:42.579283, 3] ssh_socket_unbuffered_write: Enabling POLLOUT for socket
>> [2021/10/28 09:08:42.579353, 3] packet_send2: packet: wrote [type=50, len=528, padding_size=6, comp=521, payload=521]
>> [2021/10/28 09:08:42.579376, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLOUT ), out buffer 0
>> [2021/10/28 09:08:42.579389, 4] ssh_socket_pollcallback: sending control flow event
>> [2021/10/28 09:08:42.579402, 4] ssh_packet_socket_controlflow_callback: sending channel_write_wontblock callback
>> [2021/10/28 09:08:42.656812, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLIN ), out buffer 0
>> [2021/10/28 09:08:42.656908, 3] ssh_packet_socket_callback: packet: read type 60 [len=496,padding=14,comp=481,payload=481]
>> [2021/10/28 09:08:42.656928, 3] ssh_packet_process: Dispatching handler for packet type 60
>> [2021/10/28 09:08:42.656941, 4] ssh_packet_userauth_pk_ok: Received SSH_USERAUTH_PK_OK/INFO_REQUEST/GSSAPI_RESPONSE
>> [2021/10/28 09:08:42.656992, 4] ssh_packet_userauth_pk_ok: Assuming SSH_USERAUTH_PK_OK
>> PUB IS OK --> PROVIDE PRIV
>> [2021/10/28 09:08:42.659075, 2] ssh_pki_import_privkey_base64: Trying to decode privkey passphrase=true
>> [2021/10/28 09:08:42.659222, 2] ssh_pki_openssh_import: Opening OpenSSH private key: ciphername: aes256-ctr, kdf: bcrypt, nkeys: 1
>> [2021/10/28 09:08:42.659301, 3] pki_private_key_decrypt: Decryption: 32 key, 16 IV, 16 rounds, 16 bytes salt
>> PRIV KEY OK
>> [2021/10/28 09:08:42.825385, 3] ssh_key_algorithm_allowed: Checking ssh-ed25519 with list <ssh-ed25519-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,rsa-sha2-512-cert-v01@xxxxxxxxxxx,rsa-sha2-256-cert-v01@xxxxxxxxxxx,ssh-rsa-cert-v01@xxxxxxxxxxx,ssh-dss-cert-v01@xxxxxxxxxxx,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss>
>> [2021/10/28 09:08:42.825710, 3] ssh_socket_unbuffered_write: Enabling POLLOUT for socket
>> [2021/10/28 09:08:42.825779, 3] packet_send2: packet: wrote [type=50, len=208, padding_size=9, comp=198, payload=198]
>> [2021/10/28 09:08:42.825803, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLOUT ), out buffer 0
>> [2021/10/28 09:08:42.825819, 4] ssh_socket_pollcallback: sending control flow event
>> [2021/10/28 09:08:42.825835, 4] ssh_packet_socket_controlflow_callback: sending channel_write_wontblock callback
>> [2021/10/28 09:08:42.832362, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLIN ), out buffer 0
>> [2021/10/28 09:08:42.832464, 3] ssh_packet_socket_callback: packet: read type 51 [len=48,padding=13,comp=34,payload=34]
>> [2021/10/28 09:08:42.832482, 3] ssh_packet_process: Dispatching handler for packet type 51
>> [2021/10/28 09:08:42.832528, 1] ssh_packet_userauth_failure: Access denied for 'publickey'. Authentication that can continue: publickey,password,hostbased
>> [2021/10/28 09:08:42.832576, 2] ssh_packet_userauth_failure: Access denied for 'publickey'. Authentication that can continue: publickey,password,hostbased
>> RES = 1
>> !!!!! AUTH - 1: Access denied for 'publickey'. Authentication that can continue: publickey,password,hostbased
>> </code>
>>
>> As you can see I try to load the certificate with the public key and
>> then I provide the private key. What I've got is
>>
>> !!!!! AUTH - 1: Access denied for 'publickey'. Authentication that can continue: publickey,password,hostbased
>>
>> At server side in /var/log/auth.log there is nothing to see other than
>> the disconnection.... I'll try to set debug to a higher level.
>>
>> Any suggestion about the authentication error?
>>
>> Marco Bna'
>>
>> On Wed, 27 Oct 2021, 20:01 Jakub Jelen <jjelen@xxxxxxxxxx> wrote:
>>
>>> On 10/27/21 16:26, Marco wrote:
>>> > Hi all and thanks for attention.
>>> >
>>> > I have some difficulties in authentication using certificate from a C
>>> > application using ssh to a server correctly configured, I think.
>>> >
>>> > I've generated a private and public key and signed the public with the
>>> > certification authority private key to have -cert.pub with the desired
>>> > principals (principals are in /etc/ssh/auth_principals/%u at server
>>> > side)
>>> >
>>> > The server is configured to recognize the CA and has authentication
>>> > principals
>>> >
>>> > Using ssh from shell I have no issue.
>>> >
>>> > With the C application following the tutorial, and after setting the
>>> > session with username, ip, port, I try public key using the cert file,
>>> > it succeeds, then I try to authenticate with the private key but I have
>>> > Access denied.
>>>
>>> AFAIK the OpenSSH (ssh from shell) automatically loads the existing
>>> -cert.pub files when it finds them alongside of the private and public
>>> key files. I am not sure if this functionality is implemented in libssh,
>>> but from what you describe, it looks like the case.
>>>
>>> The certificate and public key authentication are both using the pubkey
>>> authentication method, but they are using different "key type" (or
>>> mechanism -- for example ssh-ed25519 or
>>> ssh-ed25519-cert-v01@xxxxxxxxxxx), which will use different content of
>>> the authentication packets (you should be able to see this difference in
>>> debug mode of both server and clients).
>>>
>>> I think this works as expected from the protocol point of view. If you
>>> think libssh should also try to find matching certificates and use them
>>> for the authentication, contributions are welcomed:
>>>
>>> https://gitlab.com/libssh/libssh-mirror
>>>
>>> Hope it helps,
>>> --
>>> Jakub Jelen
>>> Crypto Team, Security Engineering
>>> Red Hat, Inc.
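Jakub's point that the certificate and the plain key go out under different pkalg values with different packet contents is visible in Marco's libssh log as the type=50 requests of 528 and 208 bytes sent after the two ssh_key_algorithm_allowed checks. The following is an added example, not code from this thread or from libssh: it encodes and parses both blob formats (OpenSSH PROTOCOL.certkeys, user certificates only) and mirrors the server's AuthorizedPrincipalsFile check; every key, nonce and signature byte is constructed filler, and the CA signature is not verified.

```python
# Added example (not code from the thread): encode and decode the two public-key
# blobs a client can send in SSH_MSG_USERAUTH_REQUEST for one Ed25519 key, plain
# "ssh-ed25519" and "ssh-ed25519-cert-v01@openssh.com" (OpenSSH PROTOCOL.certkeys).
# Key, nonce and signature bytes used in tests are constructed filler, not real keys.
import struct

KEY_TYPE = "ssh-ed25519"
CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1

def _s(b: bytes) -> bytes:  # RFC 4251 "string": uint32 big-endian length + bytes
    return struct.pack(">I", len(b)) + b

class _Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def _int(self, fmt: str) -> int:
        (v,) = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return v

    def string(self) -> bytes:
        n = self._int(">I")
        if self.pos + n > len(self.data):
            raise ValueError("truncated string in blob")
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def done(self) -> bool:
        return self.pos == len(self.data)

def plain_key_blob(pk: bytes) -> bytes:
    """Blob sent when only the private key is loaded (what the libssh code sent)."""
    return _s(KEY_TYPE.encode()) + _s(pk)

def cert_blob(pk, nonce, serial, key_id, principals, ca_pk, ca_sig) -> bytes:
    """Blob sent when the certificate is attached to the key (what ssh sent); the
    CA signature covers every field before it, binding key, ID and principals."""
    tbs = (_s(CERT_TYPE.encode()) + _s(nonce) + _s(pk)
           + struct.pack(">QI", serial, SSH_CERT_TYPE_USER) + _s(key_id.encode())
           + _s(b"".join(_s(p.encode()) for p in principals))  # valid principals
           + struct.pack(">QQ", 0, 2**64 - 1)                   # valid_after/before
           + _s(b"") + _s(b"") + _s(b"")                        # crit opts, exts, reserved
           + _s(plain_key_blob(ca_pk)))                         # signature key
    return tbs + _s(_s(KEY_TYPE.encode()) + _s(ca_sig))         # signature

def parse_pubkey_blob(blob: bytes) -> dict:
    """Return the fields sshd logs for either blob type; reject anything else."""
    r = _Reader(blob)
    pkalg = r.string().decode()
    if pkalg == KEY_TYPE:
        out = {"pkalg": pkalg, "pk": r.string()}
    elif pkalg == CERT_TYPE:
        r.string()                                              # nonce
        out = {"pkalg": pkalg, "pk": r.string(), "serial": r._int(">Q")}
        if r._int(">I") != SSH_CERT_TYPE_USER:
            raise ValueError("not a user certificate")
        out["key_id"] = r.string().decode()
        pr, out["principals"] = _Reader(r.string()), []
        while not pr.done():
            out["principals"].append(pr.string().decode())
        out["valid_after"], out["valid_before"] = r._int(">Q"), r._int(">Q")
        r.string(); r.string(); r.string()                      # crit opts, exts, reserved
        out["ca_pk"] = parse_pubkey_blob(r.string())["pk"]
        r.string()                                              # signature, not verified here
    else:
        raise ValueError("unsupported pkalg " + pkalg)
    if not r.done():
        raise ValueError("trailing bytes in blob")
    return out

def principal_allowed(cert: dict, authorized_principals: list) -> bool:
    """Mirror of sshd's AuthorizedPrincipalsFile check (/etc/ssh/auth_principals/%u)."""
    return any(p in authorized_principals for p in cert.get("principals", []))
```

With libssh the certificate blob only reaches the server when it is attached to the loaded private key, which ssh_pki_copy_cert_to_privkey(certKey, privKey) does before ssh_userauth_publickey(); the parser above shows what that attachment changes in the request the server evaluates.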