Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Secure-Shell
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: problem of openSSH and certificate in UTF8

from [Roumen Petrov] Network Security [Permanent Link]
Subject: Re: problem of openSSH and certificate in UTF8
Date: Thu, 24 Mar 2005 23:34:12 +0200 
Hi,

You can use "old format". i.e. to append OpenSSH "pub file" to user authorized_keys.
Please see ssh-keygen(1).



yjchui wrote:

Hi:



      I am trying to use certificate with openssh for user and server 
authentication according to the guideline of http://roumenpetrov.info/.



       Fist, both the server and client use self-signed certificate generated 
by openssh. In this case, openSSH works fine with the certificate 
authenctication.



       Second, the server and client apply for a certificate (in DER format) 
signed by our company, which contain UTF8 coding (i.e. it contains Chinese). I 
convert the certificate in DER format to the one in PEM format with the command:

openssl x509 –in server.der –inform DER  -out server.pem –outform PEM



      Then, I extract the DN of the server certificate with the command:

IPSEC:~/.ssh# openssl x509 -noout -subject -in server-root.pem

subject= 
/C=TW/O=\xE4\xB8\xAD\xE8\x8F\xAF\xE9\x9B\xBB\xE4\xBF\xA1\xE8\x82\xA1\xE4\xBB\xBD\xE6\x9C\x89\xE9\x99\x90\xE5\x85\xAC\xE5\x8F\xB8/CN=yjchu-server



    At this time, I add the above result to the file 
"/usr/local/etc/ssh_known_hosts" on the client side.



    However, when the client connects to the remote ssh server and performs 
server authentication, the following error message appears:

-----------------------------------------------------------------------------------

yjchu@Friday:~/.ssh$ ssh -v 10.144.166.135

OpenSSH_3.9p1, OpenSSL 0.9.7e 25 Oct 2004

debug1: Reading configuration data /usr/local/etc/ssh_config

…..

debug1: SSH2_MSG_KEX_DH_GEX_INIT sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY

x509key_str2X509NAME: X509_NAME_add_entry_by_NID fail with 
errormsg='error:0D07A097:asn1 encoding routines:ASN1_mbstring_copy:string too 
long' for nid=17/organizationName and 
data='\\xE4\\xB8\\xAD\\xE8\\x8F\\xAF\\xE9\\x9B\\xBB\\xE4\\xBF\\xA1\\xE8\\x82\\xA1\\xE4\\xBB\\xBD\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8'

key_read: uudecode 
Subject:/C=TW/O=\\xE4\\xB8\\xAD\\xE8\\x8F\\xAF\\xE9\\x9B\\xBB\\xE4\\xBF\\xA1\\xE8\\x82\\xA1\\xE4\\xBB\\xBD\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8/CN=yjchu-server

failed

No RSA+cert host key is known for 10.144.166.135 and you have requested strict 
checking.

Host key verification failed.

------------------------------------------------------------------------------------------



Does anybody know how to solve the problem? 




Regards

Yann-Ju Chu




--
Get X.509 certificates support in OpenSSH:
http://roumenpetrov.info/openssh/

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: ERRATA : interactive and login shells: bug or design decision ?, Greg Wooledge
Next by Date:  Re: ERRATA : interactive and login shells: bug or design decision ?, Robert Hajime Lanning
Previous by Thread:  problem of openSSH and certificate in UTF8, yjchui
Next by Thread:  Re: problem of openSSH and certificate in UTF8, yjchui
Indexes:  [Date] [Thread] [Top] [All Lists]