Hi,
I have a problem that sounded extremely simple but I have not been able to solve it for some time now.
When we log into a Linux server (it's Debian in my case) using a client like PuTTY, we get a warning message that the server's key is not trusted. What I was trying to do was: create a certificate request on the server, pass this request to a Microsoft certificate authority that we have in our environment, get it approved and install the certificate in the SSH service on the server. Next, I wanted to get PuTTY to recognize the certificate authority as being trusted. I assumed that after this, when I logged in, PuTTY would recognize the server and not give a warning.
What I have accomplished till now is generating the request and getting it approved. I tried modifying the sshd_config file to use the certificate and the corresponding private key, but the service did not restart and gave an error. The biggest problem, though, is I think PuTTY does not recognize the trusted CAs added via the 'certificates' MMC. Even if I manage to add certificates to the server, PuTTY would not work. Could someone please help me with the above, specifically, how should I install the certificate on the SSH service, and a solution for the client (an alternative to PuTTY or something)?
Oh! and accepting the server's signature is not an option. This is aimed at preventing man in the middle attacks and needs to use PKI!!
Thanks!
-p
Last edited by prafulnama; 03-18-2009 at 01:11 PM.
Aren't you confusing SSH's Public Key Authentication with Public Key Infrastructure? You know, X.509 certificates? If the message you get is like "authenticity of host X can't be established" then you could read something like http://www.securityfocus.com/infocus/1806 as it explains SSH host keys wrt preventing MitM attacks. I also think that mcrsft wndws configuration and toolage should not be dealt with in the Linux Security forum as clearly the problem isn't related to GNU/Linux or security. OTOH if I misread your post just say so.
Thanks for your reply. I am trying to use X.509 certificates in the SSH process for server authentication when a client connects to it. On the link that you mentioned, one of the ways to ascertain the authenticity of the server is to have its host key available somewhere for users to refer to, and the other checks the server after logging in, none of which satisfy my requirements. I discovered that Tectia SSH actually offers this, but a) it's not free and it looks as if it supports only Red Hat and SUSE. (http://www.ssh.com/support/documenta...ntication.html) Another interesting thing that I found was http://my.safaribooksonline.com/0596...g2-appe-SECT-3
Keywords like 'HostCertificateFile' and 'HostKeyFile' are a part of the Tectia ssh_config file only. As far as Windows is concerned, I wanted to refer to a CA; it can be Windows or 3rd party, doesn't matter. What's important is how do we request and install a certificate for the SSH service.
Oh! that can explain why I am having so much trouble with something that does not sound extremely complicated. Anyways, if we assume that this is not possible using OpenSSH, does anyone have suggestions for authenticating servers when an SSH connection is initiated that is not distributing hard copies of keys to everyone who has to connect to Linux servers? Thanks!
P.S. In case anyone feels that this might be possible with OpenSSH, I'll be more than grateful for any suggestions :-)
Last edited by prafulnama; 03-18-2009 at 09:19 PM.
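As an added example (not code from any poster in this thread): the first of the two approaches mentioned above, publishing the server's host key out of band, can be checked mechanically rather than by eyeballing the PuTTY prompt. The Python below computes the SHA256 fingerprint of an OpenSSH host key line in the same form `ssh-keygen -lf` prints it, builds a trust table from a known_hosts file that an admin team would distribute, and classifies a key presented at connect time as ok, unknown, or a mismatch; a mismatch is the man-in-the-middle case and must be refused, not accepted. The hostnames, addresses and key material are constructed samples, not real keys. (OpenSSH 5.4, released after this thread, added its own non-X.509 host certificates signed by an SSH CA and trusted through `@cert-authority` lines in known_hosts; this example skips such marker lines and hashed entries and handles only plain ones.)

```python
"""Check a presented SSH host key against fingerprints distributed out of band.

Assumption: keys are in OpenSSH's one-line public key format
("ssh-ed25519 AAAA... comment"), which is also what known_hosts stores.
"""
import base64
import hashlib
import struct


def fingerprint(pubkey_line: str) -> str:
    """Return the fingerprint as ssh-keygen -lf prints it:
    'SHA256:' + base64(sha256(raw key blob)) with '=' padding stripped."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<keytype> <base64 blob> [comment]'")
    keytype, blob = parts[0], base64.b64decode(parts[1])
    # The blob begins with a length-prefixed copy of the key type; a mismatch
    # means the line was tampered with or mis-pasted.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key type inside blob does not match declared type")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map hostname -> {keytype: fingerprint} from plain known_hosts lines.
    Comments, marker lines (@cert-authority, @revoked) and hashed hosts (|1|)
    are skipped; they need different handling than this example covers."""
    trusted = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "@", "|1|")):
            continue
        hosts, keytype, key_b64 = line.split()[:3]
        for host in hosts.split(","):
            trusted.setdefault(host, {})[keytype] = fingerprint(f"{keytype} {key_b64}")
    return trusted


def check_host_key(hostname: str, presented_line: str, trusted: dict) -> str:
    """Return 'ok', 'unknown' or 'MISMATCH'.
    'unknown' is the case PuTTY warns about (no published key for this host).
    'MISMATCH' is the case to refuse: the host is known but presents a
    different key, which is exactly what an interposed server looks like."""
    keytype = presented_line.split()[0]
    entry = trusted.get(hostname, {})
    if keytype not in entry:
        return "unknown"
    return "ok" if entry[keytype] == fingerprint(presented_line) else "MISMATCH"


def _fake_key_line(keytype: str, seed: int) -> str:
    """CONSTRUCTED sample: a syntactically valid OpenSSH key line whose
    32 bytes of key material are a counter pattern, not a real key."""
    material = bytes((seed + i) % 256 for i in range(32))
    blob = (struct.pack(">I", len(keytype)) + keytype.encode()
            + struct.pack(">I", len(material)) + material)
    return f"{keytype} {base64.b64encode(blob).decode()} demo@example"


SERVER_KEY = _fake_key_line("ssh-ed25519", 1)    # the real server's key
IMPOSTOR_KEY = _fake_key_line("ssh-ed25519", 2)  # a different key for the same name

# A known_hosts file as the admin team would publish it (constructed sample).
KNOWN_HOSTS = (
    "# host keys verified by the admin team\n"
    f"debian01.example.internal,10.0.0.5 {SERVER_KEY.split()[0]} {SERVER_KEY.split()[1]}\n"
)

if __name__ == "__main__":
    trusted = parse_known_hosts(KNOWN_HOSTS)
    print("published fingerprint:", fingerprint(SERVER_KEY))
    for name, line in (("debian01.example.internal", SERVER_KEY),
                       ("debian01.example.internal", IMPOSTOR_KEY),
                       ("other.example.internal", SERVER_KEY)):
        print(f"{name}: {check_host_key(name, line, trusted)}")
```

The fingerprint string is what an admin can publish on an internal page or print out, and what a user should compare against the value PuTTY shows before the first connection; any later "MISMATCH" result means the key changed, and the safe response is to stop and ask the server's owner, not to click through.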
I do recall that you have to make sure that SSH knows to use a particular authentication-strategy, and that it has also been told not to fall-back to simpler ones!
On Linux at least, the command has a "-v" option (read the man-page on this...) that will produce some trace-information as to exactly what it did try when making a new session.