LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
#1 prafulnama (LQ Newbie, registered Mar 2009), 03-18-2009, 01:03 PM
SSH with PKI


Hi,
I have a problem that sounded extremely simple but I have not been able to solve it for some time now.

When we log into a Linux server (it's Debian in my case) using a client like PuTTY, we get a warning message that the server's key is not trusted. What I was trying to do was create a certificate request on the server, pass this request to a Microsoft certificate authority that we have in our environment, get it approved and install the certificate in the SSH service on the server. Next, I wanted to get PuTTY to recognize the certificate authority as being trusted. I assumed that after this, when I logged in, PuTTY would recognize the server and not give a warning.

What I have accomplished till now is generating the request and getting it approved. I tried modifying the sshd_config file to use the certificate and the corresponding private key, but the service did not restart and gave an error. The biggest problem, though, is that I think PuTTY does not recognize the trusted CAs added via the 'Certificates' MMC. Even if I manage to add certificates to the server, PuTTY would not work. Could someone please help me with the above, specifically: how should I install the certificate on the SSH service, and what is a solution for the client (an alternative to PuTTY or something)?

Oh! And accepting the server's signature is not an option. This is aimed at preventing man-in-the-middle attacks and needs to use PKI!!

Thanks!
-p

Last edited by prafulnama; 03-18-2009 at 01:11 PM.
 
#2 unSpawn (Moderator, registered May 2001), 03-18-2009, 06:06 PM
Aren't you confusing SSH's Public Key Authentication with Public Key Infrastructure? You know, X.509 certificates? If the message you get is like "authenticity of host X can't be established" then you could read something like http://www.securityfocus.com/infocus/1806 as it explains SSH host keys wrt preventing MitM attacks. I also think that Microsoft Windows configuration and toolage should not be dealt with in the Linux Security forum as clearly the problem isn't related to GNU/Linux or security. OTOH if I misread your post just say so.
 
#3 prafulnama (original poster), 03-18-2009, 07:24 PM
Thanks for your reply. I am trying to use X.509 certificates in the SSH process for server authentication when a client connects to it. On the link that you mentioned, one of the ways to ascertain the authenticity of the server is to have its host key available somewhere for users to refer to, and the other checks the server after logging in, none of which satisfy my requirements. I discovered that Tectia SSH actually offers this, but a) it's not free and it looks as if it supports only Red Hat and SUSE. (http://www.ssh.com/support/documenta...ntication.html) Another interesting thing that I found was http://my.safaribooksonline.com/0596...g2-appe-SECT-3
Keywords like 'HostCertificateFile' and 'HostKeyFile' are a part of the Tectia ssh_config file only. As far as Windows is concerned, I wanted to refer to a CA; it can be Windows or 3rd party, it doesn't matter. What's important is how we request and install a certificate for the SSH service.
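The "host key available somewhere for users to refer to" option from the SecurityFocus article has an automated form that already existed when this thread was written: SSHFP DNS records (RFC 4255), which ssh-keygen can emit and the OpenSSH client can look up. The script below is an added example, not part of this thread and not code from the OpenSSH project. It generates a throwaway host key standing in for the server's, prints the SSHFP records an administrator would publish, and recomputes the SHA-256 record by hand from the public key file so that it is clear what the record actually contains. The hostname web1.example.com, the key path and the scratch directory are assumptions; nothing is published to DNS.

```shell
#!/bin/sh
# Added example (not from the thread): SSHFP records for an SSH host key.
# Assumptions: hostname web1.example.com, an Ed25519 host key generated into
# a scratch directory. Needs OpenSSH >= 6.5 (Ed25519), base64 and sha256sum.
set -eu

HOST=web1.example.com
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A throwaway key standing in for /etc/ssh/ssh_host_ed25519_key.
make_host_key() {
    rm -f "$WORK/key" "$WORK/key.pub"
    ssh-keygen -q -t ed25519 -N '' -C "$HOST" -f "$WORK/key"
}

# ssh-keygen -r emits one record per digest type, e.g.
#   web1.example.com IN SSHFP 4 1 <sha1 hex>     (4 = Ed25519, 1 = SHA-1)
#   web1.example.com IN SSHFP 4 2 <sha256 hex>   (2 = SHA-256)
sshfp_records() {
    ssh-keygen -r "$HOST" -f "$WORK/key.pub"
}

# The SHA-256 fingerprint as published (field 6 of the "4 2" record).
published_sha256() {
    sshfp_records | awk '$4 == 4 && $5 == 2 { print $6 }'
}

# The same value computed independently: RFC 4255 hashes the raw public key
# blob, i.e. the base64 field of the .pub file decoded, and nothing else.
computed_sha256() {
    awk '{ print $2 }' "$WORK/key.pub" | base64 -d | sha256sum | awk '{ print $1 }'
}

# Returns 0 when the record describes the key on disk, 1 otherwise.
record_matches_key() {
    [ "$(published_sha256)" = "$(computed_sha256)" ]
}

if command -v ssh-keygen >/dev/null 2>&1; then
    make_host_key
    echo "Records to publish in the example.com zone:"
    sshfp_records
    if record_matches_key; then
        echo "SHA-256 SSHFP record matches the key blob"
    else
        echo "mismatch: record does not describe this key" >&2
        exit 1
    fi
else
    echo "ssh-keygen not installed; nothing to do" >&2
fi
```

On the client, `VerifyHostKeyDNS yes` in ssh_config makes ssh fetch the record before trusting a new host. The record only counts as proof when the resolver reports it as DNSSEC-validated; for an unsigned zone ssh treats it as a hint and still asks the usual question, so this removes the prompt only where the zone is signed and the resolver validates.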
 
#4 unSpawn (Moderator), 03-18-2009, 07:42 PM
Unless I'm mistaken, only some commercial SSH implementations implement X.509. I haven't seen patches for OpenSSH.
 
#5 prafulnama (original poster), 03-18-2009, 09:10 PM
Oh! That can explain why I am having so much trouble with something that does not sound extremely complicated. Anyway, if we assume that this is not possible using OpenSSH, does anyone have suggestions for authenticating servers when an SSH connection is initiated that does not involve distributing hard copies of keys to everyone who has to connect to Linux servers? Thanks!

P.S. In case anyone feels that this might be possible with OpenSSH, I'll be more than grateful for any suggestions :-)

Last edited by prafulnama; 03-18-2009 at 09:19 PM.
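The question in this post was later answered inside OpenSSH itself, without X.509: OpenSSH 5.4 (2010) added its own certificate format, in which a host CA signs each server's host key and clients trust the CA through a single `@cert-authority` line in known_hosts instead of one key per server. The script below is an added example, not from this thread or from the OpenSSH project. It creates a CA, signs a host key with principals, a validity window and a serial, prints the client's trust line, checks the certificate with `ssh-keygen -L`, and then revokes it through a KRL. The hostnames, the CA name, the paths and the scratch directory are assumptions; the sshd_config and ssh_config settings appear as comments, including `StrictHostKeyChecking yes`, the setting that stops ssh from falling back to the interactive "yes/no" prompt.

```shell
#!/bin/sh
# Added example (not from the thread): OpenSSH host certificates, the CA model
# OpenSSH has shipped since 5.4 (2010). All names and paths are assumptions.
# Needs ssh-keygen from OpenSSH >= 6.5 (Ed25519).
set -eu

HOST=web1.example.com
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Host CA (private half stays offline in practice) and the server's host key.
make_keys() {
    rm -f "$WORK/host_ca" "$WORK/host_ca.pub" \
          "$WORK/ssh_host_ed25519_key" "$WORK/ssh_host_ed25519_key.pub"
    ssh-keygen -q -t ed25519 -N '' -C 'example.com host CA' -f "$WORK/host_ca"
    ssh-keygen -q -t ed25519 -N '' -C "$HOST" -f "$WORK/ssh_host_ed25519_key"
}

# 2. Sign the host key. -h: host (not user) certificate; -n: names the client may
#    connect under; -V: validity window; -z: serial, needed for revocation.
#    Output: ssh_host_ed25519_key-cert.pub, the file sshd serves as HostCertificate.
sign_host_key() {
    rm -f "$WORK/ssh_host_ed25519_key-cert.pub"
    ssh-keygen -q -s "$WORK/host_ca" -I "$HOST" -h -n "$HOST,web1" \
        -z 1 -V -1m:+52w "$WORK/ssh_host_ed25519_key.pub"
}

# 3. Client trust: one known_hosts line for the whole domain. The host pattern
#    limits which names this CA is allowed to vouch for.
known_hosts_line() {
    printf '@cert-authority *.example.com,web1 %s\n' \
        "$(awk '{ print $1, $2 }' "$WORK/host_ca.pub")"
}

# 4. Checks against the decoded certificate (ssh-keygen -L).
cert_is_host_cert() {
    ssh-keygen -L -f "$WORK/ssh_host_ed25519_key-cert.pub" | grep -q 'host certificate'
}
cert_has_principal() {   # $1 = name expected in the Principals list
    ssh-keygen -L -f "$WORK/ssh_host_ed25519_key-cert.pub" | grep -qx "[[:space:]]*$1"
}

# 5. Revocation: a KRL is a compact list of revoked serials/keys that the client
#    loads through RevokedHostKeys (sshd: RevokedKeys). Distribute it like a CRL.
new_krl() {              # start with an empty KRL for this CA
    rm -f "$WORK/host_ca.krl"
    ssh-keygen -q -k -f "$WORK/host_ca.krl"
}
revoke_cert() {          # -u appends this certificate's serial to the KRL
    ssh-keygen -q -k -u -f "$WORK/host_ca.krl" -s "$WORK/host_ca.pub" \
        "$WORK/ssh_host_ed25519_key-cert.pub"
}
cert_is_revoked() {      # ssh-keygen -Q exits 1 if any listed key is revoked
    ! ssh-keygen -Q -f "$WORK/host_ca.krl" "$WORK/ssh_host_ed25519_key-cert.pub" >/dev/null
}

# Server side (sshd_config):
#   HostKey         /etc/ssh/ssh_host_ed25519_key
#   HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
# Client side (ssh_config), so an unknown or uncertified host is refused
# instead of producing a "yes/no" prompt:
#   StrictHostKeyChecking yes
#   RevokedHostKeys /etc/ssh/host_ca.krl

if command -v ssh-keygen >/dev/null 2>&1; then
    make_keys
    sign_host_key
    echo "known_hosts entry for clients:"; known_hosts_line
    ssh-keygen -L -f "$WORK/ssh_host_ed25519_key-cert.pub"
    cert_is_host_cert && cert_has_principal "$HOST" && echo "certificate valid for $HOST"
    new_krl
    revoke_cert
    cert_is_revoked && echo "certificate serial 1 is now revoked"
else
    echo "ssh-keygen not installed; nothing to do" >&2
fi
```

Two things the script makes visible that the sshd_config error in the opening post hides: sshd keeps its plain `HostKey` and serves the certificate beside it, so there is no private key "for the certificate" to configure, and the client checks the certificate's principals against the name it connected to, so a certificate issued for `web1.example.com` is useless to anyone answering as `mail.example.com`.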
 
#6 sundialsvcs (LQ Guru, registered Feb 2004, SE Tennessee, USA; Gentoo, LFS), 03-19-2009, 08:05 AM
I do recall that you have to make sure that SSH knows to use a particular authentication strategy, and that it has also been told not to fall back to simpler ones!

On Linux at least, the command has a "-v" option (read the man page on this...) that will produce some trace information as to exactly what it did try when making a new session.
 
#7 prafulnama (original poster), 03-19-2009, 09:07 AM
This is the closest thing that I found - http://roumenpetrov.info/openssh/#todo

It's a patch for X.509 support with OpenSSH, but I do not see a provision for server authentication in it. Interesting though!
 
All times are GMT -5.