I love Debian. It’s great, aptitude rocks, it’s stable, it’s convenient, and (mostly) fits my workflow. Part of that workflow is ssh’ing to various machines. Some of these machines use X509 authentication, which doesn’t work under Debian’s ssh. Gentoo’s ebuild has support for it, but months of Gentoo has taken my sanity. After attempting to get a non-ancient version of Firefox emerged left me with a console login, I resolved to get rid of Gentoo and get X509 working on Debian. Here’s the process, from starting with a .p12 file and ending with you connecting with a remote machine using X509 authentication.
This was done on Debian Sid (wheezy):
(Optional) I like to use a clean workspace:
austin@debian:~$ mkdir ssh
austin@debian:~$ cd ssh
Get the X509 patch from http://roumenpetrov.info/openssh/. The current version as of this writing is http://roumenpetrov.info/openssh/x509-7.2/openssh-6.0p1+x509-7.2.diff.gz
austin@debian:~/ssh$ wget http://roumenpetrov.info/openssh/x509-7.2/openssh-6.0p1+x509-7.2.diff.gz
Next, get OpenSSH’s source from http://www.openssh.com/portable.html, currently http://ftp5.usa.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.0p1.tar.gz
austin@debian:~/ssh$ wget http://ftp5.usa.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.0p1.tar.gz
Now extract the source and apply the patch:
austin@debian:~/ssh$ tar -xzvf openssh-6.0p1.tar.gz
austin@debian:~/ssh$ cd openssh-6.0p1
austin@debian:~/ssh/openssh-6.0p1$ zcat ../openssh-6.0p1+x509-7.2.diff.gz | patch -p1
Configure/build/install ssh. I put it in /opt/ssh-x509 to keep it separate:
austin@debian:~/ssh/openssh-6.0p1$ sudo mkdir -p /opt/ssh-x509
austin@debian:~/ssh/openssh-6.0p1$ ./configure --prefix=/opt/ssh-x509
austin@debian:~/ssh/openssh-6.0p1$ make -j4
austin@debian:~/ssh/openssh-6.0p1$ sudo make install
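Both the patch and the tarball above are fetched over plain HTTP, and nothing checks them before they are unpacked and built. Here is an added example (my own script, not part of the original post or of either project) that does the same extract/patch/configure/make steps but refuses to touch either archive until its SHA-256 matches a value you obtained out-of-band (OpenSSH publishes signed releases, so the hash can be taken from a verified tarball). The hash arguments are placeholders, since the post does not publish any; sha256sum, nproc and patch --dry-run are GNU tools, as on Debian.

```shell
#!/bin/sh
# Added example, not from the original post: checksum-gated build of
# OpenSSH + X.509 patch. Hash values are placeholders supplied by the caller.

# verify_sha256 FILE EXPECTED_HEX -> 0 if FILE hashes to EXPECTED_HEX, else 1
verify_sha256() {
    file=$1
    expected=$2
    actual=$(sha256sum "$file" | cut -d' ' -f1)   # GNU coreutils
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: got $actual, expected $expected" >&2
        return 1
    fi
    return 0
}

# build_x509_ssh TARBALL TARBALL_SHA256 PATCH_GZ PATCH_SHA256 PREFIX
# Same steps as the post (tar, zcat | patch -p1, configure, make), but only
# after both checksums match. Runs in a subshell so the caller's working
# directory is untouched; 'make install' is left to the caller (it needs root).
build_x509_ssh() (
    tarball=$1; tarball_sha=$2; patch_gz=$3; patch_sha=$4; prefix=$5
    verify_sha256 "$tarball" "$tarball_sha" || return 1
    verify_sha256 "$patch_gz" "$patch_sha" || return 1
    # absolute path to the patch, so it is still found after cd into the source
    patch_abs=$(cd "$(dirname "$patch_gz")" && pwd)/$(basename "$patch_gz")
    srcdir=$(basename "$tarball" .tar.gz)
    tar -xzf "$tarball"
    cd "$srcdir"
    # --dry-run (GNU patch) aborts before modifying anything if a hunk fails
    zcat "$patch_abs" | patch -p1 --dry-run >/dev/null || return 1
    zcat "$patch_abs" | patch -p1
    ./configure --prefix="$prefix"
    make -j"$(nproc)"
)

# Usage, with placeholder hashes (replace with the real values):
# build_x509_ssh openssh-6.0p1.tar.gz <TARBALL_SHA256> \
#     openssh-6.0p1+x509-7.2.diff.gz <PATCH_SHA256> /opt/ssh-x509 \
# && sudo make -C openssh-6.0p1 install
```

A wrong hash on either file makes build_x509_ssh return before anything is extracted, so a tampered download never reaches patch or configure.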
Now that you have ssh+x509 support, you could try ssh’ing to a server, but it will fail, because the client has no CA certificate yet with which to verify the server’s certificate:
austin@debian:~/ssh/openssh-6.0p1$ ssh x509box
ssh_x509store_cb: subject='C=US,ST=Texas,L=College Station,O=My company,OU=Server,CN=x509box.example.com' error 20 at 0 depth lookup:unable to get local issuer certificate
ssh_verify_cert: verify error, code=20, msg='unable to get local issuer certificate'
key_verify failed for server_host_key
So now, we need to set up the keys/certificates. First, let’s extract our client certificate and key from the .p12 file and derive the public key from it:
austin@debian:~/ssh/openssh-6.0p1$ cd
austin@debian:~$ ls
austin.p12
austin@debian:~$ openssl pkcs12 -in austin.p12 -clcerts -out ~/.ssh/id_crt
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
austin@debian:~$ ls .ssh
id_crt  known_hosts
austin@debian:~$ chmod 600 ~/.ssh/id_crt
austin@debian:~$ ssh-keygen -y -f ~/.ssh/id_crt > ~/.ssh/id_crt.pub
Enter passphrase:
austin@debian:~$ ls .ssh
id_crt  id_crt.pub  known_hosts
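The same steps as a script, as an added example (mine, not from the post), with the checks I would want around them: the identity file is created mode 600 from the first byte (umask in a subshell, rather than chmod after the file already exists), the output must actually contain both the certificate and the private key that -clcerts is supposed to produce, and the .pub is derived with the ssh-keygen from the /opt/ssh-x509 prefix built above. Assumptions: the SSH_P12_PASS / SSH_PEM_PASS environment variable names are mine (export them to run unattended; leave them unset and openssl prompts exactly as in the post), and stat -c is GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the original post: scripted version of
# openssl pkcs12 -clcerts / chmod 600 / ssh-keygen -y with sanity checks.
# SSH_P12_PASS and SSH_PEM_PASS are names chosen here, not openssl's.

# extract_identity P12 OUT
# Export SSH_P12_PASS (import password) and SSH_PEM_PASS (pass phrase for
# the extracted private key) to run non-interactively.
extract_identity() {
    p12=$1
    out=$2
    # umask 077 in a subshell: OUT is never group/world readable, not even briefly
    ( umask 077 && openssl pkcs12 -in "$p12" -clcerts -out "$out" \
        ${SSH_P12_PASS:+-passin env:SSH_P12_PASS} \
        ${SSH_PEM_PASS:+-passout env:SSH_PEM_PASS} ) || return 1
    # -clcerts must have produced both the client certificate and its key
    grep -q -- '-----BEGIN CERTIFICATE-----' "$out" \
        || { echo "$out: no certificate in output" >&2; return 1; }
    grep -q -- 'PRIVATE KEY-----' "$out" \
        || { echo "$out: no private key in output" >&2; return 1; }
    chmod 600 "$out"
    return 0
}

# identity_mode FILE -> octal permission bits, to confirm the file is 600
identity_mode() {
    stat -c %a "$1"   # GNU coreutils
}

# derive_pubkey IDENTITY [SSH_KEYGEN]
# Writes IDENTITY.pub using the patched ssh-keygen from the post's prefix.
derive_pubkey() {
    identity=$1
    keygen=${2:-/opt/ssh-x509/bin/ssh-keygen}
    "$keygen" -y -f "$identity" > "$identity.pub"
}

# Usage (interactive, same prompts as the post):
# extract_identity ~/austin.p12 ~/.ssh/id_crt && derive_pubkey ~/.ssh/id_crt
```

Passing the passwords through env: rather than pass: keeps them out of the process list; the unencrypted form of the private key still only ever exists on disk encrypted under SSH_PEM_PASS, as with the interactive run.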
And now, set up the CRL/CA cert. You’ll need to get these from your employer/etc.:
austin@debian:~$ ls *pem
cacert.pem cacrl.pem
austin@debian:~$ sudo mkdir -p /opt/ssh-x509/etc/ca/{crl,crt}
austin@debian:~$ sudo mv cacert.pem /opt/ssh-x509/etc/ca/crt/cacert.pem
austin@debian:~$ sudo mv cacrl.pem /opt/ssh-x509/etc/ca/crl/cacrl.pem
austin@debian:~$ openssl crl -lastupdate -noout -crlnumber -in /opt/ssh-x509/etc/ca/crl/cacrl.pem
lastUpdate=Jun 28 02:34:02 2012 GMT
crlNumber=4184
And, configure ssh to use those certs/CRL:
austin@debian:~$ sudo vi /opt/ssh-x509/etc/ssh_config
ForwardAgent yes
IdentityFile /home/austin/.ssh/id_crt
CACertificateFile /opt/ssh-x509/etc/ca/crt/cacert.pem
CARevocationFile /opt/ssh-x509/etc/ca/crl/cacrl.pem
Now, ssh:
austin@debian:~$ ssh x509box
Enter passphrase for key '/home/austin/.ssh/id_crt':
Last login: Tue Jun 19 02:53:25 UTC 2012 from 192.168.1.100 on pts/2
austin@x509box ~ $
All without Gentoo