VanDyke Software Forums


rciulla 08-28-2012 12:06 PM

Openssl with SecureCRT
 
Hi,
I'm evaluating SecureCRT to see if it will work with the SSH-2 server we are developing. I apologize if this question has already been answered and/or it's very basic. I have not been able to find anything using the forum's search tool, and I am very green with SecureCRT and OpenSSL.

Using a version of OpenSSL, I created a root certificate and private key:

openssl req -nodes -config conf/openssl.cnf -days 3650 -x509 -newkey rsa:1024 -out public/root.pem -outform PEM

For the SSH client (SecureCRT) I created a certificate to be signed:

openssl req -new -newkey rsa:1024 -nodes -keyout user1/user1_rsa.key -out user1/user1_rsa.pem

I then signed the certificate

openssl ca -config conf/openssl.cnf -out user1/user1_cert.pem -in user1/user1_rsa.pem

I concatenated the resulting cert and the users private key

cat user1_rsa.key user1_cert.pem > user1_id

I copied the user1_id file to the Windows 7 machine where I installed SecureCRT.

Within the SecureCRT GUI I created a new SSH session that I am trying to use to SSH to our DUT (an SSH server that supports X.509 certs).
In the Sessions options dialog box I select SSH--->Authentication.

Highlight PublicKey and select Properties.

Within the public key properties dialog box I selected "use session public key setting" and then "use id or cert file".

I point to the certificate file that was concatenated above and select OK (a fingerprint shows up in the MD5 dialog box).

I then add the user and host IP and try to connect. A dialog box appears asking if I want to accept the host key. I select Save.

The client fails to log into our DUT (below is the trace output from SecureCRT).

Can you tell from the trace what the error is? If I use this same cert on an OpenSSH client (again built with the RP patch), the client connects successfully.

 

thank you for any help you can provide.

[LOCAL] : SSH2Core version 7.0.0.326
[LOCAL] : Connecting to x.x.x.x:xx ...
[LOCAL] : Changing state from STATE_NOT_CONNECTED to STATE_EXPECT_KEX_INIT
[LOCAL] : Using protocol SSH2
[LOCAL] : RECV : Remote Identifier = 'SSH-2.0-OpenSSH_3.5p1'
[LOCAL] : CAP : Remote can re-key
//snip
SecureCRT - Version 7.0.0 (build 326)
//snip
[LOCAL] : RECV : NEWKEYS
[LOCAL] : Changing state from STATE_EXPECT_NEWKEYS to STATE_CONNECTION
[LOCAL] : SEND: SERVICE_REQUEST[ssh-userauth]
[LOCAL] : RECV: SERVICE_ACCEPT[ssh-userauth] -- OK
[LOCAL] : SENT : USERAUTH_REQUEST [none]
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,password]
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,agent,fingerprint: 8e:73:2a:48:d9:3f:dc:01:43:30:5f:19:b0:32:09:b3]
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,password]
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,fingerprint: 8e:73:2a:48:d9:3f:dc:01:43:30:5f:19:b0:32:09:b3]
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,password]
Public-key authentication with the server for
user admin failed. Please verify username and
public/private key pair.
Password: [LOCAL] : SENT : USERAUTH_REQUEST [password]

[LOCAL] : RECV : AUTH_SUCCESS
//snip

miked 08-28-2012 01:35 PM

Hello rciulla,

It looks like you're wanting to use a certificate with SecureCRT for authentication. You'd like to do this rather than use an SSH public or private key, at least for testing, right?

The server appears to have rejected the key. It may be useful for you to use debug output on the server side to see why the server rejected the key. It looks like it was rejected at the fingerprint stage, so it didn't find a matching fingerprint in the right location:
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,fingerprint: 8e:73:2a:48:d9:3f:dc:01:43:30:5f:19:b0:32:09:b3]
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,password]
Could you send the OpenSSH client output to support@vandyke.com, and also send the corresponding SSH server debug messages?

Also, please send the server debug log that shows SecureCRT trying to connect.

This type of information is better not to post to a public forum as it often contains sensitive data.

In the e-mail please put Attn Mike Forum Thread 10644.
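
Added example (not part of the thread and not VanDyke's code): one way to read the trace quoted above. It pairs each USERAUTH_REQUEST with the server's reply and computes an MD5 fingerprint over an ssh-rsa key blob, so the offered value can be compared with the key the server is set up to trust. The function names and the toy modulus are hypothetical, and it is an assumption that the trace's fingerprint is the usual MD5 of the SSH key blob.

```python
import hashlib
import re
import struct

# Auth lines copied from the SecureCRT trace in the first post.
TRACE = """\
[LOCAL] : SENT : USERAUTH_REQUEST [none]
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,password]
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,agent,fingerprint: 8e:73:2a:48:d9:3f:dc:01:43:30:5f:19:b0:32:09:b3]
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,password]
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,fingerprint: 8e:73:2a:48:d9:3f:dc:01:43:30:5f:19:b0:32:09:b3]
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,password]
Password: [LOCAL] : SENT : USERAUTH_REQUEST [password]

[LOCAL] : RECV : AUTH_SUCCESS
"""

# Captures: method, optional "(algorithm)", optional "fingerprint: xx:xx:..."
REQ = re.compile(r"SENT\s*:\s*USERAUTH_REQUEST \[(\w+)(?: \(([^)]+)\))?"
                 r"[^\]]*?(?:fingerprint: ([0-9a-f:]+))?\]")

def auth_attempts(trace):
    """Pair each USERAUTH_REQUEST with the server reply that follows it."""
    attempts, pending = [], None
    for line in trace.splitlines():
        m = REQ.search(line)
        if m:
            pending = dict(zip(("method", "algorithm", "fingerprint"), m.groups()))
        elif pending and "RECV" in line:
            pending["accepted"] = "AUTH_SUCCESS" in line
            attempts.append(pending)
            pending = None
    return attempts

def ssh_string(data):
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(value):
    # RFC 4251 mpint: a positive number whose top bit is set gets a leading
    # zero byte so it is not read as negative.
    return ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))

def md5_fingerprint(e, n):
    """Colon-separated MD5 of the ssh-rsa blob: "ssh-rsa", mpint e, mpint n."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

if __name__ == "__main__":
    for attempt in auth_attempts(TRACE):
        print(attempt)
    print(md5_fingerprint(65537, 0xC5A1))  # constructed toy modulus, format only
```

On the trace above, both publickey attempts carry the algorithm name ssh-rsa and the same fingerprint, and only the password attempt is accepted.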

rciulla 08-29-2012 12:15 PM

all set...thanks
 
To resolve this issue I had to create a .pfx file using the user's private key file and the signed certificate from the CA.

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

The -certfile is optional.

OpenSSL will prompt for an export phrase. This will be used when importing the resulting certificate.pfx into the Windows box.

I copied the file certificate.pfx to my Windows box, right-clicked it and selected Import (entered pass phrase). I then followed your directions from there and I successfully logged in to my SSH server.


- Click Next, select Place all certificates in the following store

- Click the Browse button

- Select Personal

- Rejoice and click OK because the import was successful

- Open SecureCRT's Session Options / Connection / SSH2 category

- Select PublicKey and press the Properties button

- Select Use personal store certificate (CAPI)

Excellent support and excellent product. Thanks Mike!!!
:)

miked 08-29-2012 01:26 PM

Thanks for posting the solution! :)

