
Re: Help request for authentication with certificates


SOLVED THANKS TO THAT

https://archive.libssh.org/libssh/2021-05/0000002.html

Best Regards


On Thu 28 Oct 2021 at 16:01 Marco <bna.marco@xxxxxxxxx> wrote:

> Some more considerations from server log of OpenSSH:
>
> ssh -i priv root@<ip> -o CertificateFile priv-cert.pub
>
> Accepted certificate ID "divo" (serial 0) signed by ED25519 CA SHA256:
> mm_answer_keyallowed: publickey authentication test: ED25519-CERT key is
> allowed
> Postponed publickey for root from 10.10.70.100 port 50909 ssh2
> userauth_pubkey: valid user root attempting public key ssh-ed25519
> userauth_pubkey: have ssh-ed25519 signature for ED25519 SHA256:
> trying public key file /etc/ssh/auth_keys/root
> Could not open authorized keys '/etc/ssh/auth_keys/root': No such file or
> directory
> Accepted certificate ID "divo" (serial 0) signed by ED25519 CA SHA256: via
> /etc/ssh/ca_user_key.pub
> mm_answer_keyallowed: publickey authentication: ED25519-CERT key is allowed
> mm_request_send entering: type 23
> debug3: mm_sshkey_verify entering [preauth]
> debug3: mm_request_send entering: type 24 [preauth]
> debug3: mm_sshkey_verify: waiting for MONITOR_ANS_KEYVERIFY [preauth]
> debug3: mm_request_receive_expect entering: type 25 [preauth]
> debug3: mm_request_receive entering [preauth]
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 24
> debug3: mm_answer_keyverify: publickey 0x19c72a8 signature verified
> debug1: auth_activate_options: setting new authentication options
> debug3: mm_request_send entering: type 25
> Mar  9 17:49:15 imx7-var-som auth.info sshd[4456]: Accepted publickey for
> root from 10.10.70.100 port 49224 ssh2: ED25519-CERT SHA256: ID divo
> (serial 0) CA ED25519 SHA256:
> Mar  9 17:49:15 imx7-var-som auth.debug sshd[4456]: debug1:
> monitor_child_preauth: root has been authenticated by privileged process
> Mar  9 17:49:15 imx7-var-som auth.debug sshd[4456]: debug3:
> mm_get_keystate: Waiting for new keys
> Mar  9 17:49:15 imx7-var-som auth.debug sshd[4456]: debug3:
> mm_request_receive_expect entering: type 26
> Mar  9 17:49:15 imx7-var-som auth.debug sshd[4456]: debug3:
> mm_request_receive entering
> Mar  9 17:49:15 imx7-var-som auth.debug sshd[4456]: debug3:
> mm_get_keystate: GOT new keys
> Mar  9 17:49:15 imx7-var-som auth.debug sshd[4456]: debug1:
> auth_activate_options: setting new authentication options [preauth]
> Mar  9 17:49:15 imx7-var-som auth.debug sshd[4456]: debug2:
> userauth_pubkey: authenticated 1 pkalg ssh-ed25519-cert-v01@xxxxxxxxxxx
> [preauth]
> Mar  9 17:49:15 imx7-var-som auth.debug sshd[4456]: debug3:
> user_specific_delay: user specific delay 0.000ms [preauth]
>
>
>
> On Thu 28 Oct 2021 at 10:19 Marco <bna.marco@xxxxxxxxx> wrote:
>
>> At server side I have:
>>
>> Accepted certificate ID "divo" (serial 0) signed by ED25519 CA SHA256:
>> mm_answer_keyallowed: publickey authentication test: ED25519-CERT key is
>> allowed
>> Postponed publickey for root from 10.10.70.100 port 50909 ssh2
>> userauth_pubkey: valid user root attempting public key ssh-ed25519
>> userauth_pubkey: have ssh-ed25519 signature for ED25519 SHA256:
>> trying public key file /etc/ssh/auth_keys/root
>> Could not open authorized keys '/etc/ssh/auth_keys/root': No such file or
>> directory
>> mm_answer_keyallowed: publickey authentication: ED25519 key is not allowed
>> Failed publickey for root from 10.10.70.100 port 53113 ssh2: ED25519
>> SHA256:
>> userauth_finish: failure partial=0 next methods="publickey,password"
>>
>>
>> Thanks in advance for any help!
>>
>> Marco
>>
>> On Thu 28 Oct 2021 at 09:12 Marco <bna.marco@xxxxxxxxx> wrote:
>>
>>> Hi.
>>> You are right. Libssh does not scan automatically for a certificate or
>>> public key.
>>> While OpenSSH does it (or I can force the certificate file using "-o
>>> CertificateFile" if I remember correctly), with libssh I do this:
>>>
>>> <code>
>>> #include <cstdlib>
>>> #include <cstdio>
>>> #include <iostream>
>>> #include <iomanip>
>>> #include <libssh/libssh.h>
>>> #include <libssh/libsshpp.hpp>
>>>
>>> int main(int argc, char* argv[]) {
>>>   ssh::Session mySession;
>>>
>>>   int port = 22;
>>>   int verbosity = SSH_LOG_TRACE;
>>>
>>>   try {
>>>     mySession.setOption(ssh_options_e::SSH_OPTIONS_HOST, "10.10.70.2");
>>>     mySession.setOption(ssh_options_e::SSH_OPTIONS_PORT, &port);
>>>     mySession.setOption(ssh_options_e::SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
>>>     mySession.setOption(ssh_options_e::SSH_OPTIONS_USER, "root");
>>>
>>>     mySession.connect();
>>>
>>>     ssh_key certKey;
>>>     if (ssh_pki_import_cert_file("myFile-cert.pub", &certKey) == SSH_OK) {
>>>       if (mySession.userauthTryPublickey(certKey) == SSH_AUTH_SUCCESS) {
>>>         std::cout << "PUB IS OK --> PROVIDE PRIV" << std::endl;
>>>
>>>         ssh_key privKey;
>>>         if (ssh_pki_import_privkey_file("myFile", "mypassword", NULL,
>>>                                         NULL, &privKey) == SSH_OK) {
>>>           std::cout << "PRIV KEY OK" << std::endl;
>>>
>>>           int res = mySession.userauthPublickey(privKey);
>>>           if (res == SSH_AUTH_SUCCESS) {
>>>             std::cout << "Authenticated" << std::endl;
>>>           } else {
>>>             std::cout << "RES = " << res << std::endl;
>>>             std::cout << "!!!!! AUTH - "
>>>                       << ssh_get_error_code(mySession.getCSession()) << ": "
>>>                       << ssh_get_error(mySession.getCSession()) << std::endl;
>>>           }
>>>
>>>           mySession.disconnect();
>>>
>>>           ssh_key_free(certKey);
>>>           ssh_key_free(privKey);
>>>         } else {
>>>           std::cout << "!!!!! LOAD PRIV - "
>>>                     << ssh_get_error_code(mySession.getCSession()) << ": "
>>>                     << ssh_get_error(mySession.getCSession()) << std::endl;
>>>         }
>>>       } else {
>>>         std::cout << "!!!!! TRY PUB - "
>>>                   << ssh_get_error_code(mySession.getCSession()) << ": "
>>>                   << ssh_get_error(mySession.getCSession()) << std::endl;
>>>       }
>>>     } else {
>>>       std::cout << "!!!!! IMPORT CERT - "
>>>                 << ssh_get_error_code(mySession.getCSession()) << ": "
>>>                 << ssh_get_error(mySession.getCSession()) << std::endl;
>>>     }
>>>   } catch (ssh::SshException& sshExc) {
>>>     std::cout << "!!!!! EXC: " << sshExc.getCode() << ": "
>>>               << sshExc.getError() << std::endl;
>>>   }
>>>
>>>   return EXIT_SUCCESS;
>>> }
>>> </code>
>>>
>>> <code>
>>> [2021/10/28 09:08:42.447359, 3] ssh_config_parse_file:  Reading
>>> configuration data from /etc/ssh/ssh_config
>>> [2021/10/28 09:08:42.449523, 2] ssh_config_parse_line:  Unapplicable
>>> option: SendEnv, line: 50
>>> [2021/10/28 09:08:42.449664, 1] ssh_config_parse_line:  Unsupported
>>> option: HashKnownHosts, line: 51
>>> [2021/10/28 09:08:42.449691, 2] ssh_connect:  libssh 0.9.3 (c) 2003-2019
>>> Aris Adamantiadis, Andreas Schneider and libssh contributors. Distributed
>>> under the LGPL, please refer to COPYING file for information about your
>>> rights, using threading threads_pthread
>>> [2021/10/28 09:08:42.449702, 3] getai:  host 10.10.70.2 matches an IP
>>> address
>>> [2021/10/28 09:08:42.449970, 2] ssh_socket_connect:  Nonblocking
>>> connection socket: 3
>>> [2021/10/28 09:08:42.450030, 2] ssh_connect:  Socket connecting, now
>>> waiting for the callbacks to work
>>> [2021/10/28 09:08:42.450044, 3] ssh_connect:  Actual timeout : 10000
>>> [2021/10/28 09:08:42.453983, 4] ssh_socket_pollcallback:  Poll callback
>>> on socket 3 (POLLOUT ), out buffer 0
>>> [2021/10/28 09:08:42.454099, 3] ssh_socket_pollcallback:  Received
>>> POLLOUT in connecting state
>>> [2021/10/28 09:08:42.454123, 1] socket_callback_connected:  Socket
>>> connection callback: 1 (0)
>>> [2021/10/28 09:08:42.454330, 3] ssh_socket_unbuffered_write:  Enabling
>>> POLLOUT for socket
>>> [2021/10/28 09:08:42.454391, 4] ssh_socket_pollcallback:  Poll callback
>>> on socket 3 (POLLOUT ), out buffer 0
>>> [2021/10/28 09:08:42.508991, 4] ssh_socket_pollcallback:  Poll callback
>>> on socket 3 (POLLIN ), out buffer 0
>>> [2021/10/28 09:08:42.509092, 3] callback_receive_banner:  Received
>>> banner: SSH-2.0-OpenSSH_8.2
>>> [2021/10/28 09:08:42.509110, 2] ssh_client_connection_callback:  SSH
>>> server banner: SSH-2.0-OpenSSH_8.2
>>> [2021/10/28 09:08:42.509121, 2] ssh_analyze_banner:  Analyzing banner:
>>> SSH-2.0-OpenSSH_8.2
>>> [2021/10/28 09:08:42.509142, 2] ssh_analyze_banner:  We are talking to
>>> an OpenSSH client version: 8.2 (80200)
>>> [2021/10/28 09:08:42.509334, 3] ssh_client_select_hostkeys:  Order of
>>> wanted host keys:
>>> "ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss"
>>> [2021/10/28 09:08:42.512701, 3] ssh_client_select_hostkeys:  Algorithms
>>> found in known_hosts files: "ecdsa-sha2-nistp256"
>>> [2021/10/28 09:08:42.512792, 3] ssh_client_select_hostkeys:  Changing
>>> host key method to
>>> "ecdsa-sha2-nistp256,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss"
>>> [2021/10/28 09:08:42.512851, 4] ssh_list_kex:  kex algos:
>>> curve25519-sha256,curve25519-sha256@xxxxxxxxxx
>>> ,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c
>>> [2021/10/28 09:08:42.512877, 4] ssh_list_kex:  server host key algo:
>>> ecdsa-sha2-nistp256,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
>>> [2021/10/28 09:08:42.512889, 4] ssh_list_kex:  encryption
>>> client->server: aes256-gcm@xxxxxxxxxxx,aes128-gcm@xxxxxxxxxxx
>>> ,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc
>>> [2021/10/28 09:08:42.512929, 4] ssh_list_kex:  encryption
>>> server->client: aes256-gcm@xxxxxxxxxxx,aes128-gcm@xxxxxxxxxxx
>>> ,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc
>>> [2021/10/28 09:08:42.512942, 4] ssh_list_kex:  mac algo client->server:
>>> hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,
>>> hmac-sha1-etm@xxxxxxxxxxx,hmac-sha2-256,hmac-sha2-512,hmac-sha1
>>> [2021/10/28 09:08:42.512952, 4] ssh_list_kex:  mac algo server->client:
>>> hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,
>>> hmac-sha1-etm@xxxxxxxxxxx,hmac-sha2-256,hmac-sha2-512,hmac-sha1
>>> [2021/10/28 09:08:42.512961, 4] ssh_list_kex:  compression algo
>>> client->server: none
>>> [2021/10/28 09:08:42.512970, 4] ssh_list_kex:  compression algo
>>> server->client: none
>>> [2021/10/28 09:08:42.513010, 4] ssh_list_kex:  languages client->server:
>>> [2021/10/28 09:08:42.513023, 4] ssh_list_kex:  languages server->client:
>>> [2021/10/28 09:08:42.513145, 3] ssh_socket_unbuffered_write:  Enabling
>>> POLLOUT for socket
>>> [2021/10/28 09:08:42.513199, 3] packet_send2:  packet: wrote [type=20,
>>> len=940, padding_size=4, comp=935, payload=935]
>>> [2021/10/28 09:08:42.513212, 3] ssh_send_kex:  SSH_MSG_KEXINIT sent
>>> [2021/10/28 09:08:42.513229, 4] ssh_socket_pollcallback:  Poll callback
>>> on socket 3 (POLLOUT ), out buffer 0
>>> [2021/10/28 09:08:42.513238, 4] ssh_socket_pollcallback:  sending
>>> control flow event
>>> [2021/10/28 09:08:42.513248, 4] ssh_packet_socket_controlflow_callback:
>>>  sending channel_write_wontblock callback
>>> [2021/10/28 09:08:42.514538, 4] ssh_socket_pollcallback:  Poll callback
>>> on socket 3 (POLLIN ), out buffer 0
>>> [2021/10/28 09:08:42.514643, 3] ssh_packet_socket_callback:  packet:
>>> read type 20 [len=996,padding=9,comp=986,payload=986]
>>> [2021/10/28 09:08:42.514663, 3] ssh_packet_process:  Dispatching handler
>>> for packet type 20
>>> [2021/10/28 09:08:42.514684, 4] ssh_list_kex:  kex algos:
>>> curve25519-sha256,curve25519-sha256@xxxxxxxxxx
>>> ,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
>>> [2021/10/28 09:08:42.514761, 4] ssh_list_kex:  server host key algo:
>>> ssh-ed25519,ssh-ed25519-cert-v01@xxxxxxxxxxx
>>> [2021/10/28 09:08:42.514784, 4] ssh_list_kex:  encryption
>>> client->server: chacha20-poly1305@xxxxxxxxxxx
>>> ,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@xxxxxxxxxxx,
>>> aes256-gcm@xxxxxxxxxxx
>>> [2021/10/28 09:08:42.514800, 4] ssh_list_kex:  encryption
>>> server->client: chacha20-poly1305@xxxxxxxxxxx
>>> ,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@xxxxxxxxxxx,
>>> aes256-gcm@xxxxxxxxxxx
>>> [2021/10/28 09:08:42.514817, 4] ssh_list_kex:  mac algo client->server:
>>> umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,
>>> hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,
>>> hmac-sha1-etm@xxxxxxxxxxx,umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx
>>> ,hmac-sha2-256,hmac-sha2-512,hmac-sha1
>>> [2021/10/28 09:08:42.514874, 4] ssh_list_kex:  mac algo server->client:
>>> umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,
>>> hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,
>>> hmac-sha1-etm@xxxxxxxxxxx,umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx
>>> ,hmac-sha2-256,hmac-sha2-512,hmac-sha1
>>> [2021/10/28 09:08:42.514893, 4] ssh_list_kex:  compression algo
>>> client->server: none
>>> [2021/10/28 09:08:42.514900, 4] ssh_list_kex:  compression algo
>>> server->client: none
>>> [2021/10/28 09:08:42.514909, 4] ssh_list_kex:  languages client->server:
>>> [2021/10/28 09:08:42.514973, 4] ssh_list_kex:  languages server->client:
>>> [2021/10/28 09:08:42.515048, 2] ssh_kex_select_methods:  Negotiated
>>> curve25519-sha256,ssh-ed25519,aes256-gcm@xxxxxxxxxxx,
>>> aes256-gcm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,
>>> hmac-sha2-256-etm@xxxxxxxxxxx,none,none,,
>>> [2021/10/28 09:08:42.515917, 3] ssh_socket_unbuffered_write:  Enabling
>>> POLLOUT for socket
>>> [2021/10/28 09:08:42.516506, 3] packet_send2:  packet: wrote [type=30,
>>> len=44, padding_size=6, comp=37, payload=37]
>>> [2021/10/28 09:08:42.516551, 4] ssh_socket_pollcallback:  Poll callback
>>> on socket 3 (POLLOUT ), out buffer 0
>>> [2021/10/28 09:08:42.516652, 4] ssh_socket_pollcallback:  sending
>>> control flow event
>>> [2021/10/28 09:08:42.516671, 4] ssh_packet_socket_controlflow_callback:
>>>  sending channel_write_wontblock callback
>>> [2021/10/28 09:08:42.573762, 4] ssh_socket_pollcallback:  Poll callback
>>> on socket 3 (POLLIN ), out buffer 0
>>> [2021/10/28 09:08:42.573901, 3] ssh_packet_socket_callback:  packet:
>>> read type 31 [len=188,padding=8,comp=179,payload=179]
>>> [2021/10/28 09:08:42.573927, 3] ssh_packet_process:  Dispatching handler
>>> for packet type 31
>>> [2021/10/28 09:08:42.574199, 3] ssh_socket_unbuffered_write:  Enabling
>>> POLLOUT for socket
>>> [2021/10/28 09:08:42.574264, 3] packet_send2:  packet: wrote [type=21,
>>> len=12, padding_size=10, comp=1, payload=1]
>>> [2021/10/28 09:08:42.574282, 4] ssh_packet_set_newkeys:  called,
>>> direction = OUT
>>> [2021/10/28 09:08:42.574487, 3] crypt_set_algorithms2:  Set output
>>> algorithm to aes256-gcm@xxxxxxxxxxx
>>> [2021/10/28 09:08:42.574561, 3] crypt_set_algorithms2:  Set HMAC output
>>> algorithm to aead-gcm
>>> [2021/10/28 09:08:42.574580, 3] crypt_set_algorithms2:  Set input
>>> algorithm to aes256-gcm@xxxxxxxxxxx
>>> [2021/10/28 09:08:42.574593, 3] crypt_set_algorithms2:  Set HMAC input
>>> algorithm to aead-gcm
>>> [2021/10/28 09:08:42.574620, 2] ssh_init_rekey_state:  Set rekey after
>>> 4294967296 blocks
>>> [2021/10/28 09:08:42.574687, 2] ssh_init_rekey_state:  Set rekey after
>>> 4294967296 blocks
>>> [2021/10/28 09:08:42.574714, 2] ssh_packet_client_curve25519_reply:
>>>  SSH_MSG_NEWKEYS sent
>>> [2021/10/28 09:08:42.574728, 3] ssh_packet_socket_callback:  Processing
>>> 244 bytes left in socket buffer
>>> [2021/10/28 09:08:42.574741, 3] ssh_packet_socket_callback:  packet:
>>> read type 21 [len=12,padding=10,comp=1,payload=1]
>>> [2021/10/28 09:08:42.574755, 3] ssh_packet_process:  Dispatching handler
>>> for packet type 21
>>> [2021/10/28 09:08:42.574764, 2] ssh_packet_newkeys:  Received
>>> SSH_MSG_NEWKEYS
>>> [2021/10/28 09:08:42.574781, 4] ssh_pki_signature_verify:  Going to
>>> verify a ssh-ed25519 type signature
>>> [2021/10/28 09:08:42.575037, 4] pki_verify_data_signature:  Signature
>>> valid
>>> [2021/10/28 09:08:42.575092, 2] ssh_packet_newkeys:  Signature verified
>>> and valid
>>> [2021/10/28 09:08:42.575104, 4] ssh_packet_set_newkeys:  called,
>>> direction = IN
>>> [2021/10/28 09:08:42.575114, 3] ssh_packet_socket_callback:  Processing
>>> 228 bytes left in socket buffer
>>> [2021/10/28 09:08:42.575129, 3] ssh_packet_socket_callback:  packet:
>>> read type 7 [len=208,padding=4,comp=203,payload=203]
>>> [2021/10/28 09:08:42.575140, 3] ssh_packet_process:  Dispatching handler
>>> for packet type 7
>>> [2021/10/28 09:08:42.575149, 3] ssh_packet_ext_info:  Received
>>> SSH_MSG_EXT_INFO
>>> [2021/10/28 09:08:42.575158, 3] ssh_packet_ext_info:  Follows 1
>>> extensions
>>> [2021/10/28 09:08:42.575168, 3] ssh_packet_ext_info:  Extension:
>>> server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@xxxxxxxxxxx
>>> ,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
>>> sk-ecdsa-sha2-nistp256@xxxxxxxxxxx>
>>> [2021/10/28 09:08:42.575212, 3] ssh_connect:  current state : 7
>>> [2021/10/28 09:08:42.577743, 3] ssh_key_algorithm_allowed:  Checking
>>> ssh-ed25519-cert-v01@xxxxxxxxxxx with list <
>>> ssh-ed25519-cert-v01@xxxxxxxxxxx,
>>> ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,
>>> ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,
>>> ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,
>>> rsa-sha2-512-cert-v01@xxxxxxxxxxx,rsa-sha2-256-cert-v01@xxxxxxxxxxx,
>>> ssh-rsa-cert-v01@xxxxxxxxxxx,ssh-dss-cert-v01@xxxxxxxxxxx
>>> ,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss>
>>> [2021/10/28 09:08:42.577862, 3] packet_send2:  packet: wrote [type=5,
>>> len=32, padding_size=14, comp=17, payload=17]
>>> [2021/10/28 09:08:42.577883, 3] ssh_service_request:  Sent
>>> SSH_MSG_SERVICE_REQUEST (service ssh-userauth)
>>> [2021/10/28 09:08:42.577902, 4] ssh_socket_pollcallback:  Poll callback
>>> on socket 3 (POLLOUT ), out buffer 52
>>> [2021/10/28 09:08:42.578031, 3] ssh_socket_unbuffered_write:  Enabling
>>> POLLOUT for socket
>>> [2021/10/28 09:08:42.578102, 4] ssh_socket_pollcallback:  Poll callback
>>> on socket 3 (POLLOUT ), out buffer 0
>>> [2021/10/28 09:08:42.578117, 4] ssh_socket_pollcallback:  sending
>>> control flow event
>>> [2021/10/28 09:08:42.578126, 4] ssh_packet_socket_controlflow_callback:
>>>  sending channel_write_wontblock callback
>>> [2021/10/28 09:08:42.579018, 4] ssh_socket_pollcallback:  Poll callback
>>> on socket 3 (POLLIN ), out buffer 0
>>> [2021/10/28 09:08:42.579115, 3] ssh_packet_socket_callback:  packet:
>>> read type 6 [len=32,padding=14,comp=17,payload=17]
>>> [2021/10/28 09:08:42.579138, 3] ssh_packet_process:  Dispatching handler
>>> for packet type 6
>>> [2021/10/28 09:08:42.579152, 3] ssh_packet_service_accept:  Received
>>> SSH_MSG_SERVICE_ACCEPT
>>> [2021/10/28 09:08:42.579283, 3] ssh_socket_unbuffered_write:  Enabling
>>> POLLOUT for socket
>>> [2021/10/28 09:08:42.579353, 3] packet_send2:  packet: wrote [type=50,
>>> len=528, padding_size=6, comp=521, payload=521]
>>> [2021/10/28 09:08:42.579376, 4] ssh_socket_pollcallback:  Poll callback
>>> on socket 3 (POLLOUT ), out buffer 0
>>> [2021/10/28 09:08:42.579389, 4] ssh_socket_pollcallback:  sending
>>> control flow event
>>> [2021/10/28 09:08:42.579402, 4] ssh_packet_socket_controlflow_callback:
>>>  sending channel_write_wontblock callback
>>> [2021/10/28 09:08:42.656812, 4] ssh_socket_pollcallback:  Poll callback
>>> on socket 3 (POLLIN ), out buffer 0
>>> [2021/10/28 09:08:42.656908, 3] ssh_packet_socket_callback:  packet:
>>> read type 60 [len=496,padding=14,comp=481,payload=481]
>>> [2021/10/28 09:08:42.656928, 3] ssh_packet_process:  Dispatching handler
>>> for packet type 60
>>> [2021/10/28 09:08:42.656941, 4] ssh_packet_userauth_pk_ok:  Received
>>> SSH_USERAUTH_PK_OK/INFO_REQUEST/GSSAPI_RESPONSE
>>> [2021/10/28 09:08:42.656992, 4] ssh_packet_userauth_pk_ok:  Assuming
>>> SSH_USERAUTH_PK_OK
>>> PUB IS OK --> PROVIDE PRIV
>>> [2021/10/28 09:08:42.659075, 2] ssh_pki_import_privkey_base64:  Trying
>>> to decode privkey passphrase=true
>>> [2021/10/28 09:08:42.659222, 2] ssh_pki_openssh_import:  Opening OpenSSH
>>> private key: ciphername: aes256-ctr, kdf: bcrypt, nkeys: 1
>>> [2021/10/28 09:08:42.659301, 3] pki_private_key_decrypt:  Decryption: 32
>>> key, 16 IV, 16 rounds, 16 bytes salt
>>> PRIV KEY OK
>>> [2021/10/28 09:08:42.825385, 3] ssh_key_algorithm_allowed:  Checking
>>> ssh-ed25519 with list <ssh-ed25519-cert-v01@xxxxxxxxxxx,
>>> ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,
>>> ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,
>>> ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,
>>> rsa-sha2-512-cert-v01@xxxxxxxxxxx,rsa-sha2-256-cert-v01@xxxxxxxxxxx,
>>> ssh-rsa-cert-v01@xxxxxxxxxxx,ssh-dss-cert-v01@xxxxxxxxxxx
>>> ,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss>
>>> [2021/10/28 09:08:42.825710, 3] ssh_socket_unbuffered_write:  Enabling
>>> POLLOUT for socket
>>> [2021/10/28 09:08:42.825779, 3] packet_send2:  packet: wrote [type=50,
>>> len=208, padding_size=9, comp=198, payload=198]
>>> [2021/10/28 09:08:42.825803, 4] ssh_socket_pollcallback:  Poll callback
>>> on socket 3 (POLLOUT ), out buffer 0
>>> [2021/10/28 09:08:42.825819, 4] ssh_socket_pollcallback:  sending
>>> control flow event
>>> [2021/10/28 09:08:42.825835, 4] ssh_packet_socket_controlflow_callback:
>>>  sending channel_write_wontblock callback
>>> [2021/10/28 09:08:42.832362, 4] ssh_socket_pollcallback:  Poll callback
>>> on socket 3 (POLLIN ), out buffer 0
>>> [2021/10/28 09:08:42.832464, 3] ssh_packet_socket_callback:  packet:
>>> read type 51 [len=48,padding=13,comp=34,payload=34]
>>> [2021/10/28 09:08:42.832482, 3] ssh_packet_process:  Dispatching handler
>>> for packet type 51
>>> [2021/10/28 09:08:42.832528, 1] ssh_packet_userauth_failure:  Access
>>> denied for 'publickey'. Authentication that can continue:
>>> publickey,password,hostbased
>>> [2021/10/28 09:08:42.832576, 2] ssh_packet_userauth_failure:  Access
>>> denied for 'publickey'. Authentication that can continue:
>>> publickey,password,hostbased
>>> RES = 1
>>> !!!!! AUTH - 1: Access denied for 'publickey'. Authentication that can
>>> continue: publickey,password,hostbased
>>> </code>
>>>
>>> As you can see, I try to load the certificate with the public key and then I
>>> provide the private key. What I've got is
>>>
>>> !!!!! AUTH - 1: Access denied for 'publickey'. Authentication that can
>>> continue: publickey,password,hostbased
>>>
>>> At the server side, in /var/log/auth.log there is nothing to see other than
>>> the disconnection... I'll try to set debug to a higher level.
>>>
>>> Any suggestion about the authentication error?
>>>
>>> Marco Bna'
>>>
>>> On Wed 27 Oct 2021, 20:01 Jakub Jelen <jjelen@xxxxxxxxxx> wrote:
>>>
>>>> On 10/27/21 16:26, Marco wrote:
>>>> > Hi all and thanks for your attention.
>>>> >
>>>> > I have some difficulties in authentication using a certificate from a C
>>>> > application using ssh to a server that is correctly configured, I think.
>>>> >
>>>> > I've generated a private and public key and signed the public key with the
>>>> > certification authority private key to have a -cert.pub with the desired
>>>> > principals (principals are in /etc/ssh/auth_principals/%u at the server
>>>> > side).
>>>> >
>>>> > The server is configured to recognize the CA and has authentication
>>>> > principals.
>>>> >
>>>> > Using ssh from the shell I have no issue.
>>>> >
>>>> > With the C application, following the tutorial and after setting up the
>>>> > session with username, ip, port, I try the public key using the cert file;
>>>> > it succeeds, then I try to authenticate with the private key but I get
>>>> > Access denied.
>>>>
>>>> AFAIK OpenSSH (ssh from the shell) automatically loads the existing
>>>> -cert.pub files when it finds them alongside the private and public
>>>> key files. I am not sure if this functionality is implemented in libssh,
>>>> but from what you describe, it looks like that is the case.
>>>>
>>>> Certificate and public key authentication both use the pubkey
>>>> authentication method, but they use a different "key type" (or
>>>> mechanism; for example ssh-ed25519 or
>>>> ssh-ed25519-cert-v01@xxxxxxxxxxx), which results in different content of
>>>> the authentication packets (you should be able to see this difference in
>>>> debug mode of both server and client).
>>>>
>>>> I think this works as expected from the protocol point of view. If you
>>>> think libssh should also try to find matching certificates and use them
>>>> for the authentication, contributions are welcome:
>>>>
>>>> https://gitlab.com/libssh/libssh-mirror
>>>>
>>>> Hope it helps,
>>>> --
>>>> Jakub Jelen
>>>> Crypto Team, Security Engineering
>>>> Red Hat, Inc.
>>>>
>>>>
>>>>
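
The point Jakub makes above, that certificate and plain public key authentication share the "publickey" method but carry a different key type and therefore different packet content, is also what the two server log excerpts show: the ED25519-CERT key is accepted via the CA file and the per-user principals, while the bare ED25519 key is rejected because no authorized_keys file exists for root. The following is an added example written for this archive page; it is not code from the thread, from OpenSSH or from libssh. It encodes and decodes the ssh-ed25519-cert-v01@openssh.com blob in the layout documented in OpenSSH's PROTOCOL.certkeys, computes OpenSSH-style SHA256 fingerprints, and applies the policy part of sshd's decision for each key type (trusted CA, validity window and principals for a certificate; authorized_keys membership for a bare key). The key bytes, the key ID "divo", serial 0 and the principal "root" are constructed to mirror the thread; the CA signature is a placeholder and is not verified here, since Ed25519 verification is left to sshd and libssh. The function names (build_cert, parse_cert, server_allows, thread_scenario) are this example's own.

```python
import base64
import hashlib
import struct
import time

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"  # what sshd logs as ED25519-CERT
KEY_TYPE = b"ssh-ed25519"                         # the bare key type
SSH_CERT_TYPE_USER = 1

# RFC 4251 wire-format helpers: string = uint32 big-endian length + bytes.
def pack_string(s):
    return struct.pack(">I", len(s)) + s

def _read_string(b, off):
    (n,) = struct.unpack_from(">I", b, off)
    return b[off + 4:off + 4 + n], off + 4 + n

def _read_int(b, off, fmt):                 # fmt ">I" (uint32) or ">Q" (uint64)
    return struct.unpack_from(fmt, b, off)[0], off + struct.calcsize(fmt)

def key_blob(pub32):
    """Bare ssh-ed25519 public key blob, the form that appears in authorized_keys."""
    return pack_string(KEY_TYPE) + pack_string(pub32)

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a key blob (unpadded base64)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def build_cert(pub32, ca_pub32, key_id, serial, principals, valid_after, valid_before, nonce, signature):
    """Encode an ssh-ed25519-cert-v01@openssh.com blob; the CA signature is supplied, not computed."""
    body = (pack_string(CERT_TYPE) + pack_string(nonce) + pack_string(pub32)
            + struct.pack(">QI", serial, SSH_CERT_TYPE_USER) + pack_string(key_id)
            + pack_string(b"".join(pack_string(p) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + pack_string(b"") + pack_string(b"") + pack_string(b"")  # critical options, extensions, reserved
            + pack_string(key_blob(ca_pub32)))                        # signature key = CA public key
    return body + pack_string(signature)

def parse_cert(blob):
    """Decode the fields sshd reports: ID, serial, CA, principals, validity window."""
    ktype, off = _read_string(blob, 0)
    if ktype != CERT_TYPE:
        raise ValueError("not an ssh-ed25519 certificate: %r" % ktype)
    _nonce, off = _read_string(blob, off)
    pub32, off = _read_string(blob, off)
    serial, off = _read_int(blob, off, ">Q")
    cert_type, off = _read_int(blob, off, ">I")
    key_id, off = _read_string(blob, off)
    princ_blob, off = _read_string(blob, off)
    principals, p = [], 0
    while p < len(princ_blob):
        name, p = _read_string(princ_blob, p)
        principals.append(name.decode())
    valid_after, off = _read_int(blob, off, ">Q")
    valid_before, off = _read_int(blob, off, ">Q")
    for _ in range(3):                       # skip critical options, extensions, reserved
        _, off = _read_string(blob, off)
    sig_key, off = _read_string(blob, off)
    _sig, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after certificate")
    return {"pub32": pub32, "serial": serial, "cert_type": cert_type, "key_id": key_id.decode(),
            "principals": principals, "valid_after": valid_after, "valid_before": valid_before,
            "ca_fingerprint": fingerprint(sig_key)}

def server_allows(key_type, blob, user, trusted_ca_fps, authorized_fps, principals_for_user, now):
    """Policy part of sshd's publickey decision; signature checks are assumed done by the caller."""
    if key_type == CERT_TYPE:
        cert = parse_cert(blob)
        if cert["cert_type"] != SSH_CERT_TYPE_USER:
            return False, "not a user certificate"
        if cert["ca_fingerprint"] not in trusted_ca_fps:
            return False, "certificate signed by an untrusted CA"
        if not cert["valid_after"] <= now < cert["valid_before"]:
            return False, "certificate expired or not yet valid"
        if not set(cert["principals"]) & principals_for_user.get(user, set()):
            return False, "no certificate principal matches the user's authorized principals"
        return True, 'certificate ID "%s" (serial %d) signed by trusted CA' % (cert["key_id"], cert["serial"])
    if key_type == KEY_TYPE:
        if fingerprint(blob) in authorized_fps:
            return True, "key listed in authorized_keys"
        return False, "key is not allowed (not in authorized_keys)"
    return False, "unsupported key type"

def thread_scenario(now=None):
    """Replay the two server-side outcomes from the thread with constructed key material."""
    now = int(time.time()) if now is None else now
    user_pub = hashlib.sha256(b"constructed user key").digest()  # stands in for a real Ed25519 key
    ca_pub = hashlib.sha256(b"constructed CA key").digest()
    cert = build_cert(user_pub, ca_pub, b"divo", 0, [b"root"], now - 60, now + 3600,
                      nonce=b"\x00" * 32, signature=b"constructed-signature")
    trusted = {fingerprint(key_blob(ca_pub))}   # TrustedUserCAKeys (ca_user_key.pub)
    principals = {"root": {"root"}}             # contents of /etc/ssh/auth_principals/root
    authorized = set()                          # the authorized_keys file does not exist
    with_cert = server_allows(CERT_TYPE, cert, "root", trusted, authorized, principals, now)
    bare_key = server_allows(KEY_TYPE, key_blob(user_pub), "root", trusted, authorized, principals, now)
    return with_cert, bare_key

if __name__ == "__main__":
    print(thread_scenario())
```

Running the block prints the accept decision for the certificate and the reject decision for the bare key, which is exactly the difference between the two sshd excerpts quoted in the thread: the second attempt signed with the plain ssh-ed25519 key is looked up in authorized_keys, not against the CA. On the libssh client side the step that makes the signed packet carry the certificate type is to attach the imported certificate to the loaded private key with ssh_pki_copy_cert_to_privkey() before calling ssh_userauth_publickey(); without it the private key alone is offered as a bare ssh-ed25519 key.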

Follow-Ups:
Re: Help request for authentication with certificates (Andreas Schneider <asn@xxxxxxxxxxxxxx>)