EldoS | Feel safer!

Software components for data protection, secure storage and transfer

SSH with x509 "RSA+cert"

Posted: 10/01/2014 12:48:01
by Torgeir Hagland (Basic support level)
Joined: 10/01/2014
Posts: 6

Here is what I'm trying to do.

At the moment I can successfully get into servers using SecureCRT, with SSH2 and CAPI (crypto api) option.

I want to build some automation tools and I am evaluating SecureBlackBox. I got the simple sample to log in to the server when I added a ./ssh_authorized key. But when it comes to using the keys stored in X509Certificate2Collection I am having some difficulty when going up against our patched SSH server http://roumenpetrov.info/openssh/ This is a hard requirement for my eval.

The old IETF draft https://tools.ietf.org/html/draft-ietf-secsh-x509-03 seems to refer to x509v3-sign-rsa as some sort of "historical" signing format?

Maybe the contents of the blob isn't correct? Or maybe I've got the wrong key type set? Looks very close though.

the attached log says something about expecting SSH2_MSG_KEXDH_INIT? Not sure what that is...

[ Download ]
Posted: 10/01/2014 12:48:39
by Torgeir Hagland (Basic support level)
Joined: 10/01/2014
Posts: 6

success case log from securecrt

[ Download ]
Posted: 10/01/2014 12:49:39
by Torgeir Hagland (Basic support level)
Joined: 10/01/2014
Posts: 6

SimpleSSHDemo modification

[ Download ]
Posted: 10/01/2014 13:41:04
by Ken Ivanov (Team)

Hello Torgeir,

Thank you for contacting us.

SecureBlackbox SSH implementation does support the method used in the mentioned OpenSSH patch and should work correctly with tools that employ it. So we would probably need to have a deeper look into your case in order to identify the reason for the problem you are facing.

According to the log you provided, the problem happens on client authentication stage. Either a wrong certificate is provided to the server (please check if you are using exactly the same certificate as you use with SecureCRT), or the SSHBlackbox components fail to use the certificate or its private key.

Let's try to localize the issue. Your current code imports certificates from .NET X509Certificate2 objects. Please try to load the certificate straight from a local file instead - this will help ensure that the private key is loaded correctly. Please check that the TElSSHKey.IsPrivate property is set to true after the certificate was imported.

If switching to file-based certificates doesn't help, please try to play with the CertAuthMode property. Try the camAuto, camStandard, camTectia and camRawPublicKey values one by one; if none works, revert the property to camAuto.

If after trying the above steps you still can't connect, please handle the OnAuthenticationAttempt, OnAuthenticationFailed and OnError events of the SSH component and record a trace of their invocations together with parameter values passed to them. Then post the trace here please.

Posted: 10/01/2014 15:28:52
by Torgeir Hagland (Basic support level)
Joined: 10/01/2014
Posts: 6

"Either a wrong certificate is provided to the server (please check if you are using exactly the same certificate as you use with SecureCRT)"

This was indeed the case.

I turned sshd loglevel to debug3 and was able to see some differences.

attached the code that worked.. This is very exciting! So much potential in your product.

bool x509 = false;

X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
X509Certificate2Collection certificates = store.Certificates;

foreach (X509Certificate2 c in certificates)
if (c.Subject!=c.Issuer)
TElX509Certificate sbbcert = new TElX509Certificate();

TElSSHKey Key = new TElSSHKey();


Trace.WriteLine(String.Format("x509 {0} added {1}", c.Subject, c.Thumbprint));
x509 = true;
catch (Exception ex)
Trace.WriteLine(String.Format("{0} {1} exception={2}", c.Subject, c.Thumbprint, ex.Message));

if (x509)
for (int i = SBSSHConstants.Unit.SSH_MA_FIRST; i <= SBSSHConstants.Unit.SSH_MA_LAST; i++)
client.set_MacAlgorithms((short)i, false);
client.set_MacAlgorithms(SBSSHConstants.Unit.SSH_MA_HMAC_SHA1, true);

client.set_EncryptionAlgorithms(SBSSHConstants.Unit.SSH_EA_AES128_CTR, false);
client.set_EncryptionAlgorithms(SBSSHConstants.Unit.SSH_EA_AES192_CTR, false);
client.set_EncryptionAlgorithms(SBSSHConstants.Unit.SSH_EA_AES256_CTR, true);

client.set_PublicKeyAlgorithms(SBSSHConstants.Unit.SSH_PK_X509_SIGN_RSA, true);
client.set_PublicKeyAlgorithms(SBSSHConstants.Unit.SSH_PK_X509_SIGN_DSS, false);

client.AuthenticationTypes = client.AuthenticationTypes | SBSSHConstants.Unit.SSH_AUTH_TYPE_PUBLICKEY;

[ Download ]



Topic viewed 645 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!