Miscellaneous Procedures > Administering Security Certificates for HTTPS and SSH on the OnSite > Enabling SSH to Use X.509 Certificates > Prerequisites for Enabling and Using X.509 Certificates for SSH Authentication

Prerequisites for Enabling and Using X.509 Certificates for SSH Authentication
Before certificates can be exchanged with a client, the administrator must make sure that the following prerequisites are met:
The client must have an OpenSSH client with the X.509 patch (available at http://www.roumenpterov.info/openssh) installed and enabled.
Each serial port that a client connects to must be configured for the “socket_ssh” protocol and assigned the IP address of the connected device.
The OnSite administrator must obtain the client information from the client’s certificate and host key, and add the user identification to the authorized keys file as described in the following procedure.
To Enable Authentication of SSH Sessions Through Exchange of X.509 Certificates
This procedure requires the prerequisites listed above to be complete. It also assumes that /etc/ssh/authorized_keys is the filename defined by the AuthorizedKeysFile directive in the sshd_config file; if your sshd_config names a different file, edit that file instead in Step 2.
Do this procedure for each client with which the OnSite needs to exchange security certificates.
1.
On the client, an administrator extracts the subject (distinguished name) from the client’s signed certificate and makes it available to the administrator who is configuring the client on the OnSite. Pass the client’s own signed certificate to -in: if the file given is a CA bundle, the command prints the CA’s subject rather than the client’s, and the authorized_keys entry built from it would match no client. On OpenSSL 1.1 and later, add -nameopt compat so that the subject is printed in the slash-separated form shown here rather than the comma-separated default.
The following screen example shows the command used to obtain the client information and the resulting output from a signed certificate that was generated from a local CA at Cyclades.
# openssl x509 -noout -subject -in \
/etc/ssh/ca/ca-bundle.crt
subject= /C=US/ST=CA/L=Fremont/O=Cyclades Corporation/OU=R&D/CN=www.cyclades.com
2.
On the OnSite, turn the output from Step 1 into an authorized keys entry:
a.
Replace the string “subject=” with “x509v3-sign-rsa disTinguishednamE:”, copying the prefix exactly as shown.
b.
Append the edited output to the /etc/ssh/authorized_keys file. sshd matches this distinguished name against the subject of the certificate the client presents, so every attribute must be copied exactly; a certificate whose subject differs in any attribute is rejected.
The following screen example shows the tail of the /etc/ssh/authorized_keys file after the edited output from Step 1 is appended.
x509v3-sign-rsa disTinguishednamE: /C=US/ST=CA/L=Fremont/O=Cyclades Corporation/OU=R&D/CN=www.cyclades.com
3.
On the OnSite, configure the SSH server to authenticate clients by certificate:
a.
Open the /etc/ssh/sshd_config file for editing.
b.
Make sure the following settings are present. The lines marked with <-- are the ones that normally have to be changed from their default values. sshd uses the first occurrence of each keyword in the file, so remove or change any earlier line that sets the same keyword to a different value.
AllowedCertPurpose sslclient
CACertificateFile /etc/ssh/ca/ca-bundle.crt
HostKey /etc/ssh/ssh_host_key
ChallengeResponseAuthentication no <--
HostbasedAuthentication no
StrictModes no <--
PasswordAuthentication no <--
PubkeyAuthentication yes
RhostsRSAAuthentication no
RSAAuthentication no
UsePrivilegeSeparation yes
With PasswordAuthentication and ChallengeResponseAuthentication both set to no, certificate authentication is the only way in, so keep the session you are editing from open until a certificate login has been confirmed. StrictModes no turns off sshd’s ownership and permission checks on the authorized keys file, which is needed because /etc/ssh/authorized_keys is shared rather than per-user; in return, make sure that file is owned by root and not writable by anyone else, since any user who can append to it can grant SSH access.
c.
Save and close the file.
d.
Restart the daemon so that the new configuration takes effect, then confirm that sshd has reread sshd_config by opening a new SSH session:
[root@OnSite /root]# daemon.sh restart WEB
4.
On the OnSite, configure the SSH client so that sessions it opens verify the remote server’s certificate:
a.
Open the /etc/ssh/ssh_config file for editing.
b.
Make sure the following settings are present. The line marked with <-- is the one that normally has to be changed from its default value.
AllowedCertPurpose sslserver
Host *
Protocol 2 <--
CACertificateFile /etc/ssh/ca/ca-bundle.crt
c.
Save and close the file.
d.
Restart the daemon so that the new configuration takes effect:
[root@OnSite /root]# daemon.sh restart WEB
Note: All the file and pathnames edited in this procedure are listed in the /etc/config_files file for restoration after upgrade.
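As an added example (this is not code from the OnSite manual or from the X.509 patch), the following POSIX shell script automates Steps 1 through 3b of the procedure on a Linux host: it converts the subject line that openssl prints into the authorized_keys entry the patch expects, appends that entry without creating duplicates when it is run again, and checks that sshd_config carries the settings the procedure requires, reading the first occurrence of each keyword the way sshd does. It assumes the file paths used above, the -nameopt compat option for the legacy slash-separated subject format on OpenSSL 1.1 and later, and a sample subject line that is constructed for the example rather than taken from a real certificate.

```shell
#!/bin/sh
# Added example, not part of the OnSite manual or of the X.509 patch.
# Automates Steps 1-3b of the procedure on a Linux/POSIX host:
#   - turns the `openssl x509 -noout -subject` line for the client
#     certificate into the authorized_keys entry the patch expects,
#   - appends that entry once (re-running does not duplicate it),
#   - verifies the sshd_config settings required by Step 3b.
# Assumptions: file paths are the ones used in the procedure; the
# sample subject line below is constructed, not from a real certificate.

# Constructed sample of what Step 1 prints (OpenSSL 1.0.x format; on
# OpenSSL 1.1 and later pass -nameopt compat to get this slash form).
SAMPLE_SUBJECT='subject= /C=US/ST=CA/L=Fremont/O=Cyclades Corporation/OU=R&D/CN=www.cyclades.com'

# Step 1 on a live host: print the subject of the CLIENT certificate
# (not the CA bundle). Usage: client_subject /path/to/client.crt
client_subject() {
    openssl x509 -noout -subject -nameopt compat -in "$1"
}

# Step 2a: replace "subject=" (and any space after it) with the prefix.
subject_to_authkey() {
    printf '%s\n' "$1" | sed 's/^subject= */x509v3-sign-rsa disTinguishednamE: /'
}

# Step 2b: append the entry unless an identical line is already present.
# Returns 0 when appended, 1 when the file already contained it.
append_authorized_key() {
    entry=$1; file=$2
    if [ -f "$file" ] && grep -qxF -- "$entry" "$file"; then
        return 1
    fi
    printf '%s\n' "$entry" >> "$file"
}

# Step 3b: check the settings that must hold in sshd_config. sshd uses the
# FIRST occurrence of a keyword, so that is the one read here; a correct
# line placed after a wrong one does not fix it. Returns 0 when all match.
check_sshd_config() {
    file=$1; rc=0
    for want in 'PasswordAuthentication no' \
                'ChallengeResponseAuthentication no' \
                'PubkeyAuthentication yes' \
                'AllowedCertPurpose sslclient' \
                'CACertificateFile /etc/ssh/ca/ca-bundle.crt'; do
        key=${want%% *}
        got=$(awk -v k="$key" '$1 == k { print $1 " " $2; exit }' "$file")
        if [ "$got" != "$want" ]; then
            echo "sshd_config: want '$want', found '${got:-nothing}'"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone demonstration on a temporary file.
tmp_keys=$(mktemp)
entry=$(subject_to_authkey "$SAMPLE_SUBJECT")
append_authorized_key "$entry" "$tmp_keys" && echo "appended: $entry"
append_authorized_key "$entry" "$tmp_keys" || echo "already present, not appended again"
rm -f "$tmp_keys"
```

On a real host the three pieces chain together as append_authorized_key "$(subject_to_authkey "$(client_subject client.crt)")" /etc/ssh/authorized_keys, followed by check_sshd_config /etc/ssh/sshd_config before the daemon is restarted; a non-zero exit from the check lists every directive that is missing or whose first occurrence carries the wrong value.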
