login about faq

Why is SSH server looking for a public key if it should use the CA certificate to validate the client certificate?

0

We're trying to migrate a user authentication with certificates setup from SSH Tectia Server 4.0.1 (Solaris 9) to 6.0.2 (Solaris 10).

cert-validation:

  <ca-certificate name="testcert" file="/etc/ssh2/test.crt" disable-crls="yes" />

authentication-methods:

    <user name="testuser1" />
    <certificate field="ca-list" pattern="testcert" />

SSH server starts, loads the CA certificate test.crt OK, but authentication doesn't work: 

703 Auth_methods_available, Username: testuser1, Auth methods: publickey
708 Publickey_auth_error, Username: testuser1, Algorithm: publickey, "Could not find the received public key in user's public key authorization file or directory"
Why is the server looking for a public key if it should use the CA certificate to validate the client certificate? the client certificate is definitely OK and I'm running out of ideas.

asked Nov 15 '11 at 22:26

ths12's gravatar image

ths12
1111
One Answer:
oldestnewestmost voted
0

There isn't enough details to be sure what the issue is. The server still uses the public with in the cert for part of the authentication, so the messages don't indicate that its necessarily NOT doing cert auth.

You must configure a public key authentication with a nested authentication with the appropriate certificate selectors. Please update your ssh-server-config.xml following the example below, restart the server then try again.

<authentication-methods>
<!-- BEGIN Cert authentication -->
  <!-- Cert authentication requires the public key method -->
  <authentication name="pub_auth" action="allow">
    <auth-publickey />

    <!-- Cert authentication also requires a sub method with a selector to validate the cert-->
    <authentication name="cert_auth" action="allow">
      <selector>
          <certificate field="subject-name" pattern="??????" />
       </selector>
    </authentication>

    <authentication name="deny_rest" action="deny" />
  </authentication>
  <!-- END Cert authentication -->

</authentication-methods>

For more information on Cert Authentication please see the link below. http://www.tectia.com/manuals/server-admin/60/userauth-cert.html

link

answered Nov 17 '11 at 18:50

Joe%20-%20Tectia%20Support's gravatar image

Joe - Tectia Support ♦♦
55215
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or __italic__
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×11
×3

Asked: Nov 15 '11 at 22:26

Seen: 4,446 times

Last updated: Nov 17 '11 at 18:50

Related questions

How to set up user authentication with certificates on Windows?

General Guidelines for use of DoD Certificates with SSH Tectia

How to enroll host certificate to be used in server certificate authentication

How do we create a map file to allow login to SSH Tectia Server using certificate authentication?

Server 6.2 (HP-UX 11.31) will not start after upgrade from 6.1

User authention with certificates fail

User authentication with certificate error: Key_store_sign_failed

z/OS Server - client SAF certificate logon

How do you override the broker config keystore with sshg3 parameters?

What's new in Tectia Client/Server/ConnectSecure 6.4.15?

All user contributed content licensed under the cc-by-sa license.
Powered by OSQA.