I opened a thread about this some time ago and closed it because the initiative was pushed back by other priorities. But I'm back, now with more specific problems.
We have OpenVMS 7.3-2 and TCPIP Services for OpenVMS, v 5.4 ECO 7. Also we have OpenSSL for OpenVMS 1.3 = OpenSSL 0.9.7.e. Our users are on Windows boxes using Reflections 14.0.2.
I can get SSH2 logins via Reflections when I allow username and password. What I would like to do is get a non-challenge login (OR it would be OK to demand the PIN associated with the certificate being used).
The certificates we are using are in X509 format, which I can export in any of three formats. Problem is, none of them work. My choices for output are DER, Base 64, or PKCS 7. If I export them, OpenSSL can read them using the "OpenSSL X509" options - but SSH2 does not like them.
I know of one case that WILL work but it is a server-to-server key that isn't X509 format. It is a DSA 2048-bit key, but it is a special case and has a waiver that won't apply to my general user base.
So... has anyone managed to get SSH2/X509 certificate logins to work?
I've checked with our security people. If there is another format I can use to convert the certificate, I am allowed to do that. But if it isn't a DoD approved certificate, I can't use it.
Does anyone have any helpful hints? The meager documentation I found in the updated Guide to SSH doesn't really help.
Sr. Systems Janitor
