Hirsute verification

[INSTALLED PKG VERSION]
kajiya@chloe-HAL:~/Documents/work$ apt-cache policy openssh-server 
openssh-server:
  Installed: 1:8.4p1-5ubuntu1.2
  Candidate: 1:8.4p1-5ubuntu1.2
  Version table:
 *** 1:8.4p1-5ubuntu1.2 500
        500 http://gb.archive.ubuntu.com/ubuntu hirsute-proposed/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu hirsute-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     1:8.4p1-5ubuntu1.1 500
        500 http://gb.archive.ubuntu.com/ubuntu hirsute-updates/main amd64 Packages
     1:8.4p1-5ubuntu1 500
        500 http://gb.archive.ubuntu.com/ubuntu hirsute/main amd64 Packages

[PROCEDURE]
Create the keys/certs needed
``ssh-keygen -t rsa -b 4096 -f host_ca -C host_ca`` (no passphrase)
``ssh-keygen -f ssh_host_rsa_key -N '' -b 4096 -t rsa``
``ssh-keygen -s host_ca -I localhost -h -n localhost -V +52w ssh_host_rsa_key.pub``

Copied ssh_host_rsa_key* files over to /etc/ssh and added the following to 
/etc/ssh/sshd_config
``HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub``

Restarted sshd using systemctl and added
``@cert-authority localhost ssh-rsa abcdefg``
(ssh-rsa abcdefg is the contents of host_ca.pub) to ~/.ssh/known_hosts

Finally, running
``ssh -vv localhost 2>&1 | grep "Server host certificate"`` gives 

ssh -vv kajiya@localhost 2>&1 | grep "Server host certificate"
debug1: Server host certificate: [email protected] SHA256:ufStWAPad1IQ08xMPM1iF4u4JHEaeAuQcD3qoe8yJ9A, serial 0 ID "localhost" CA ssh-rsa SHA256:3iVQ6wcBeoRO3S12jO8K34Do8HbVTPxiBp3rNzCngGc valid from 2022-01-05T17:20:00 to 2023-01-04T17:21:17
debug2: Server host certificate hostname: localhost

which tells us the certificate was seen and used

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1952421

Title:
  Issue on sshd finds correct private key for a certificate when using
  ssh-agent

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1952421/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
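
Added example, not part of the original message or of the openssh package: the grep in the procedure above shows that a host certificate was presented, and this Python check additionally confirms from the same `ssh -vv` output that it was signed by the expected CA, lists the host as a principal, and is inside its validity window. The function name, the placeholder fingerprints and the sample text are assumptions constructed for illustration; the expected CA fingerprint would come from `ssh-keygen -l -f host_ca.pub`.

```python
import re
from datetime import datetime

# Layout of the debug1/debug2 lines printed by "ssh -vv" for a host certificate.
CERT_RE = re.compile(
    r'Server host certificate: (?P<key_type>\S+) (?P<host_fp>SHA256:\S+), '
    r'serial (?P<serial>\d+) ID "(?P<key_id>[^"]*)" '
    r'CA (?P<ca_type>\S+) (?P<ca_fp>SHA256:\S+) '
    r'valid (?:forever|from (?P<start>\S+) to (?P<end>\S+))')
PRINCIPAL_RE = re.compile(r'Server host certificate hostname: (\S+)')


def check_host_cert(debug_output, expected_ca_fp, hostname, now):
    """Return a list of problems; an empty list means every check passed."""
    text = " ".join(debug_output.split())  # undo mail/terminal line wrapping
    m = CERT_RE.search(text)
    if m is None:
        return ["no host certificate was presented"]
    problems = []
    if m["ca_fp"] != expected_ca_fp:
        problems.append("signed by unexpected CA " + m["ca_fp"])
    # Stricter than ssh itself: a certificate with no principals is flagged.
    if hostname not in PRINCIPAL_RE.findall(text):
        problems.append("certificate does not list principal " + hostname)
    if m["start"] is not None:  # "valid forever" has no window to check
        start = datetime.fromisoformat(m["start"])
        end = datetime.fromisoformat(m["end"])
        if not start <= now <= end:
            problems.append("outside validity window %s to %s" % (start, end))
    return problems


# Constructed sample in the layout of the output above; fingerprints are
# placeholders, not values from the bug report.
SAMPLE = '''debug1: Server host certificate: ssh-rsa-cert-v01@openssh.com
SHA256:HOSTKEYFPPLACEHOLDER, serial 0 ID "localhost" CA
ssh-rsa SHA256:CAFPPLACEHOLDER valid from
2022-01-05T17:20:00 to 2023-01-04T17:21:17
debug2: Server host certificate hostname: localhost
'''

if __name__ == "__main__":
    print(check_host_cert(SAMPLE, "SHA256:CAFPPLACEHOLDER", "localhost",
                          datetime(2022, 6, 1)))
```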
