To enable the exchange of certificates with a client, the administrator needs to make sure that the prerequisites listed below are complete:
• The client must have installed and enabled an OpenSSH client with the X.509 patch (which is available at http://www.roumenpterov.info/openssh).
• For each client connected to a serial port, the serial ports must be configured for the “socket_ssh” protocol and assigned the IP address of the connected device.

The OnSite administrator must obtain the client information from the client’s certificate and host key, and add the user identification to the authorized keys file as described in the following procedure.

To Enable Authentication of SSH Sessions Through Exchange of X.509 Certificates

This procedure assumes that /etc/ssh/authorized_keys is the filename defined in the AuthorizedKeysFile definition in the sshd_config file. Do this procedure for each client with which the OnSite needs to exchange security certificates.
1. On the client, an administrator must extract the client information from the client’s signed certificate and make the information available to the administrator who is configuring the client on the OnSite. The following screen example shows the command used to obtain the client information and the resulting output from a signed certificate that was generated from a local CA at Cyclades.
subject= /C=US/ST=CA/L=Fremont/O=Cyclades Corporation/OU=R&D/CN=www.cyclades.com
a.
b. Append the edited output to the /etc/ssh/authorized_keys file. The following screen example shows the tail of the /etc/ssh/authorized_keys file after the edited output from Step 1 is appended.
a. Open the /etc/ssh/sshd_config file for editing.
b. Uncomment the lines shown in the following screen example and make the appropriate changes.
AllowedCertPurpose sslclient
CACertificateFile /etc/ssh/ca/ca-bundle.crt
HostKey /etc/ssh/ssh_host_key
ChallengeResponseAuthentication no <--
HostbasedAuthentication no
StrictModes no <--
PasswordAuthentication no <--
PubkeyAuthentication yes
RhostsRSAAuthentication no
RSAAuthentication no
UsePrivilegeSeparation yes
d.
[root@OnSite /root]# daemon.sh restart WEB
a. Open the /etc/ssh/ssh_config file for editing.
b. Uncomment the lines shown in the following screen example and make the specified changes.
d.
[root@OnSite /root]# daemon.sh restart WEB

Note: All the file and pathnames edited in this procedure are listed in the /etc/config_files file for restoration after upgrade.
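To confirm the sshd_config edits from the procedure above actually took effect, the following added example (not from the OnSite manual or the X.509 patch) parses the file and reports any required directive that is still commented out or set to a different value; because the procedure sets StrictModes to no, sshd will no longer refuse a group- or world-writable authorized_keys file, so the last function checks that mode separately. Paths and sample configurations used with it are constructed for illustration.

```python
import os
import re
import stat

# Directive values the procedure expects after editing (from the screen example above).
REQUIRED = {
    "AllowedCertPurpose": "sslclient",
    "CACertificateFile": "/etc/ssh/ca/ca-bundle.crt",
    "ChallengeResponseAuthentication": "no",
    "HostbasedAuthentication": "no",
    "StrictModes": "no",
    "PasswordAuthentication": "no",
    "PubkeyAuthentication": "yes",
    "RhostsRSAAuthentication": "no",
    "RSAAuthentication": "no",
    "UsePrivilegeSeparation": "yes",
}

def parse_sshd_config(text):
    """Active global directives as {keyword_lower: value}: comments skipped, first
    occurrence wins (as in sshd), parsing stops at a Match block (conditional)."""
    active = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)\s*=?\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        active.setdefault(key, value)
    return active

def check_sshd_config(text):
    """Problems found; an empty list means every REQUIRED directive is active and correct."""
    active = parse_sshd_config(text)
    problems = []
    for key, want in REQUIRED.items():
        got = active.get(key.lower())
        if got is None:
            problems.append(f"{key}: missing or still commented out")
        elif got.lower() != want.lower():
            problems.append(f"{key}: is '{got}', expected '{want}'")
    return problems

def authorized_keys_writable_by_others(path):
    """True if the file is group- or world-writable; with StrictModes off sshd no longer refuses it."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))
```

Run check_sshd_config(open("/etc/ssh/sshd_config").read()) on the OnSite after step b and before restarting the daemon; any line it prints is a directive that still needs editing.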