07-14-2008 09:56 AM
SSH2 login and X509 certificates
We have OpenVMS 7.3-2 and TCPIP Services for OpenVMS, v 5.4 ECO 7. Also we have OpenSSL for OpenVMS 1.3 = OpenSSL 0.9.7.e. Our users are on Windows boxes using Reflections 14.0.2.
I can get SSH2 logins via Reflections when I allow username and password. What I would like to do is get a non-challenge login (OR it would be OK to demand the PIN associated with the certificate being used).
The certificates we are using are in X509 format, which I can export in any of three formats. Problem is, none of them work. My choices for output are DER, Base 64, or PKCS 7. If I export them, OpenSSL can read them using the "OpenSSL X509" options - but SSH2 does not like them.
I know of one case that WILL work but it is a server-to-server key that isn't X509 format. It is a DSA 2048-bit key, but it is a special case and has a waiver that won't apply to my general user base.
So... has anyone managed to get SSH2/X509 certificate logins to work?
I've checked with our security people. If there is another format I can use to convert the certificate, I am allowed to do that. But if it isn't a DoD approved certificate, I can't use it.
Does anyone have any helpful hints? The meager documentation I found in the updated Guide to SSH doesn't really help.
07-14-2008 03:34 PM
Re: SSH2 login and X509 certificates
stuff, but a Google search for
ssh x509
found things like:
http://www1.tools.ietf.org/html/draft-saarenmaa-ssh-x509-00
which suggests that it was in "draft" status
in 2007, so I would be a little amazed if it
was available in TCPIP already.
Normal public-key SSH isn't good enough?
07-14-2008 05:11 PM
Re: SSH2 login and X509 certificates
07-14-2008 06:02 PM
Re: SSH2 login and X509 certificates
Contact HP and ask for X.509 support, or ask for the source code and apply the patch. Or work with one of the Process IP stacks. Or your own ssh port.
http://www.openssh.com/
http://www.roumenpetrov.info/openssh/
Or get an exception.
Stephen Hoffman
HoffmanLabs LLC
07-15-2008 06:21 AM
Re: SSH2 login and X509 certificates
Unfortunately, "ordinary" PKI isn't the problem. It's the SOURCE of the key that is the issue. And no, I cannot get a waiver for that one. U.S. Dept. of Defense absolutely does a screaming howler-monkey dance on your desk if you violate that rule. I'd say you get handed your head, but that ain't true. They keep it and send the rest of you home.
When I download keys exported using IE, that doesn't work. My copy of OpenSSL can read the keys correctly and can identify the issuer, demographic data, and organizational data. But SSH doesn't use OpenSSL directly, and THAT is part of the problem. It is so frustrating to be that close and yet not be where I need to be.
I won't close this thread right away, just in case I figure out how to make it work. I've seen other posters talk about their VMS and Reflections issues, so if I develop any answer I'll share it.
10-17-2008 04:42 AM
Re: SSH2 login and X509 certificates
The problem (as noted in another thread) is strictly the extraction of the RSA-1024 key that is embedded in the X509v3 certificate. Since I am not doing anything web-oriented, the certificate really isn't the issue. It is simply the extraction of that key so that the initial SSH "handshake" (DH Key Exchange Dialog) can occur using PKI rules.
I've worked with the Attachmate folks who supply our workstation terminal emulators. The point where it all locks up is that attempt to somehow get the public key out of the public certificate.
So close yet so far.
Since I have another thread open on this one, I'm going to close it and defer further references to that thread.
Thanks for all your help, gang!
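The key-extraction step described in the post above, as an added example that is not part of the thread or of any poster's or vendor's code: it takes the modulus line that `openssl x509 -noout -modulus` prints for a certificate and re-encodes the RSA public key as an RFC 4716 SSH2 public key file. It assumes the SSH2 server accepts RFC 4716 key files; the function names, the sample modulus and the comment text are constructed for illustration.

```python
import base64
import struct

# Constructed sample: the line printed by `openssl x509 -noout -modulus`
# for a toy 64-bit key (a real certificate carries 1024 bits or more).
SAMPLE_MODULUS_LINE = "Modulus=D1F3A5B7C9E10D43"
SAMPLE_EXPONENT = 65537  # assumed; read the real value from `-text` output


def parse_modulus_line(line: str) -> int:
    """Turn OpenSSL's 'Modulus=<hex>' line into an integer."""
    label, _, hexdigits = line.strip().partition("=")
    if label != "Modulus" or not hexdigits:
        raise ValueError("expected a 'Modulus=<hex>' line")
    return int(hexdigits, 16)


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """RFC 4251 mpint for a positive integer. A leading zero byte is
    emitted when the top bit is set, so it is not read as negative."""
    if value <= 0:
        raise ValueError("RSA parameters must be positive")
    return ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))


def ssh_rsa_blob(e: int, n: int) -> bytes:
    """RFC 4253 section 6.6 'ssh-rsa' public key blob: name, e, n."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def rfc4716_public_key(blob: bytes, comment: str) -> str:
    """Wrap a key blob in the RFC 4716 SSH2 public key file format."""
    b64 = base64.b64encode(blob).decode("ascii")
    body = [b64[i:i + 70] for i in range(0, len(b64), 70)]  # 72-byte line limit
    return "\n".join(["---- BEGIN SSH2 PUBLIC KEY ----",
                      f'Comment: "{comment}"', *body,
                      "---- END SSH2 PUBLIC KEY ----"]) + "\n"


if __name__ == "__main__":
    n = parse_modulus_line(SAMPLE_MODULUS_LINE)
    print(rfc4716_public_key(ssh_rsa_blob(SAMPLE_EXPONENT, n),
                             "constructed example key"), end="")
```

A key file produced this way carries only the RSA key: the server that trusts it no longer checks the certificate's issuer, validity period or revocation status.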
10-17-2008 04:43 AM
Re: SSH2 login and X509 certificates
10-17-2008 08:34 PM
Re: SSH2 login and X509 certificates
That would be:
http://forums.itrc.hp.com/service/forums/questionanswer.do?threadId=1278615