
We're trying to migrate a certificate-based user authentication setup from SSH Tectia Server 4.0.1 (Solaris 9) to 6.0.2 (Solaris 10).

cert-validation:

    <ca-certificate name="testcert" file="/etc/ssh2/test.crt" disable-crls="yes" />

authentication-methods:

    <user name="testuser1" />
    <certificate field="ca-list" pattern="testcert" />

SSH server starts, loads the CA certificate test.crt OK, but authentication doesn't work:

    703 Auth_methods_available, Username: testuser1, Auth methods: publickey
    708 Publickey_auth_error, Username: testuser1, Algorithm: publickey, "Could not find the received public key in user's public key authorization file or directory"

Why is the server looking for a public key if it should use the CA certificate to validate the client certificate? The client certificate is definitely OK and I'm running out of ideas.

asked Nov 15 '11 at 22:26

ths12


There aren't enough details to be sure what the issue is. The server still uses the public key within the cert for part of the authentication, so the messages don't indicate that it's necessarily NOT doing cert auth.

You must configure public key authentication with a nested authentication that carries the appropriate certificate selectors. Please update your ssh-server-config.xml following the example below, restart the server, then try again.

    <authentication-methods>
      <!-- BEGIN Cert authentication -->
      <!-- Cert authentication requires the public key method -->
      <authentication name="pub_auth" action="allow">
        <auth-publickey />

        <!-- Cert authentication also requires a sub method with a selector to validate the cert -->
        <authentication name="cert_auth" action="allow">
          <selector>
            <certificate field="subject-name" pattern="??????" />
          </selector>
        </authentication>

        <authentication name="deny_rest" action="deny" />
      </authentication>
      <!-- END Cert authentication -->
    </authentication-methods>

For more information on cert authentication, please see the link below: http://www.tectia.com/manuals/server-admin/60/userauth-cert.html

answered Nov 17 '11 at 18:50

Joe - Tectia Support
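A small configuration check for the misplacement the answer describes, added here as an example and not part of the original thread or of Tectia's own tooling: it parses an authentication-methods fragment and flags any certificate selector that is not wrapped in a selector element under an authentication block that enables auth-publickey. The two fragments are constructed from the question's flat layout and the answer's nested layout.

```python
import xml.etree.ElementTree as ET

# Constructed fragments: the flat layout from the question and the nested layout from the answer.
FLAT_CONFIG = """<authentication-methods>
  <user name="testuser1" />
  <certificate field="ca-list" pattern="testcert" />
</authentication-methods>"""

NESTED_CONFIG = """<authentication-methods>
  <authentication name="pub_auth" action="allow">
    <auth-publickey />
    <authentication name="cert_auth" action="allow">
      <selector>
        <certificate field="ca-list" pattern="testcert" />
      </selector>
    </authentication>
    <authentication name="deny_rest" action="deny" />
  </authentication>
</authentication-methods>"""


def check_cert_selectors(xml_text):
    """Return one finding per <certificate> selector that is not nested the way
    the answer shows: inside <selector>, under an <authentication> block whose
    ancestry enables <auth-publickey />. An empty list means all selectors are placed correctly."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build a child -> parent map once.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for cert in root.iter("certificate"):
        problems = []
        parent = parent_of.get(cert)
        if parent is None or parent.tag != "selector":
            problems.append("not wrapped in <selector>")
        # Walk up the ancestors looking for an authentication block that enables public key auth.
        node, under_publickey = parent, False
        while node is not None:
            if node.tag == "authentication" and node.find("auth-publickey") is not None:
                under_publickey = True
                break
            node = parent_of.get(node)
        if not under_publickey:
            problems.append("no enclosing <authentication> enables <auth-publickey />")
        if problems:
            desc = 'certificate field="%s" pattern="%s"' % (cert.get("field"), cert.get("pattern"))
            findings.append("%s: %s" % (desc, "; ".join(problems)))
    return findings


if __name__ == "__main__":
    for label, cfg in (("flat", FLAT_CONFIG), ("nested", NESTED_CONFIG)):
        print(label, check_cert_selectors(cfg) or ["OK"])
```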

All user contributed content licensed under the cc-by-sa license.
Powered by OSQA.