Welcome to the VanDyke Software Forums

  #1  
Old 08-28-2012, 01:06 PM
rciulla rciulla is offline
Registered User
 
Join Date: Aug 2012
Posts: 2
Openssl with SecureCRT

Hi,
I'm evaluating SecureCRT to see if it will work with the SSH-2 server we are developing. I apologize if this question has already been answered and/or it's very basic. I have not been able to find anything using the forums search tool and I am very green with SecureCRT and openssl.

Using a version of Openssl I created a root Certificate and private key

openssl req -nodes -config conf/openssl.cnf -days 3650 -x509 -newkey rsa:1024 -out public/root.pem -outform PEM

For the SSH client (SecureCRT) I created a certificate to be signed

openssl req -new -newkey rsa:1024 -nodes -keyout user1/user1_rsa.key -out user1/user1_rsa.pem

I then signed the certificate

openssl ca -config conf/openssl.cnf -out user1/user1_cert.pem -in user1/user1_rsa.pem

I concatenated the resulting cert and the users private key

cat user1_rsa.key user1_cert.pem > user1_id

I copied the user1_id file to the Windows 7 machine where I installed SecureCRT.

Within the SecureCRT GUI I created a new SSH session that I am trying to use to ssh to our DUT (SSH server that supports X.509 certs).
In the Session Options dialog box I select SSH--->authentication.

Highlight PublicKey and select properties

Within the public key properties dialog box I selected "use session public key setting" and then "use id or cert file"

I point to the certificate file that was concatenated above and select OK (a fingerprint shows up in the MD5 dialog box).

I then add the user and host IP and try to connect. A dialog box appears asking if I want to accept the host key. I select save.

The client fails to log into our DUT (below is the trace output from SecureCRT).

Can you tell from the trace what the error is? If I use this same cert on an openssh client (again built with RP patch) the client connects successfully.

 

Thank you for any help you can provide.

[LOCAL] : SSH2Core version 7.0.0.326
[LOCAL] : Connecting to x.x.x.x:xx ...
[LOCAL] : Changing state from STATE_NOT_CONNECTED to STATE_EXPECT_KEX_INIT
[LOCAL] : Using protocol SSH2
[LOCAL] : RECV : Remote Identifier = 'SSH-2.0-OpenSSH_3.5p1'
[LOCAL] : CAP : Remote can re-key
//snip
SecureCRT - Version 7.0.0 (build 326)
//snip
[LOCAL] : RECV : NEWKEYS
[LOCAL] : Changing state from STATE_EXPECT_NEWKEYS to STATE_CONNECTION
[LOCAL] : SEND: SERVICE_REQUEST[ssh-userauth]
[LOCAL] : RECV: SERVICE_ACCEPT[ssh-userauth] -- OK
[LOCAL] : SENT : USERAUTH_REQUEST [none]
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,password]
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,agent,fingerprint: 8e:73:2a:48:d9:3f:dc:01:43:30:5f:19:b0:32:09:b3]
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,password]
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,fingerprint: 8e:73:2a:48:d9:3f:dc:01:43:30:5f:19:b0:32:09:b3]
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,password]
Public-key authentication with the server for
user admin failed. Please verify username and
public/private key pair.
Password: [LOCAL] : SENT : USERAUTH_REQUEST [password]

[LOCAL] : RECV : AUTH_SUCCESS
//snip

Last edited by miked; 08-28-2012 at 03:02 PM. Reason: Redacting potentially sensitive information
Reply With Quote
  #2  
Old 08-28-2012, 02:35 PM
miked miked is offline
Registered User
 
Join Date: Feb 2004
Posts: 2,040
Hello rciulla,

It looks like you're wanting to use a certificate with SecureCRT for authentication. You'd like to do this rather than use an SSH public or private key, at least for testing, right?

The server appears to have rejected the key. It may be useful for you to use debug output on the server side to see why the server rejected the key. It looks like it was rejected at the fingerprint stage, so it didn't find a matching fingerprint in the right location:
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,fingerprint: 8e:73:2a:48:d9:3f:dc:01:43:30:5f:19:b0:32:09:b3]
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,password]
Could you send the OpenSSH client output to support@vandyke.com, and also send the corresponding SSH server debug messages?

Also, please send the server debug log that shows SecureCRT trying to connect.

This type of information is better not to post to a public forum as it often contains sensitive data.

In the e-mail please put Attn Mike Forum Thread 10644.
__________________
Mike
VanDyke Software
Technical Support
[http://www.vandyke.com/support]

Last edited by miked; 08-28-2012 at 03:04 PM.
Reply With Quote
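The request/response pairs in the posted trace can be summarised mechanically, which makes it easy to see which offer the server turned down. This is an added example, not code from the thread or from VanDyke; the function names `summarize_auth` and `sample_trace` are assumptions, and the input is the trace lines quoted in post #1.

```shell
#!/bin/sh
# Added example: pair each USERAUTH_REQUEST in a SecureCRT trace with the
# server's answer. Output columns: method, key algorithm, fingerprint, result.
summarize_auth() {
  awk '
    /USERAUTH_REQUEST \[/ {
      req = $0
      sub(/^.*USERAUTH_REQUEST \[/, "", req)    # keep only the bracket contents
      sub(/\].*$/, "", req)
      method = req; sub(/[ ,].*$/, "", method)  # first word: none/publickey/password
      algo = "-"; fp = "-"
      if (match(req, /\([^)]*\)/)) algo = substr(req, RSTART + 1, RLENGTH - 2)
      if (match(req, /fingerprint: [0-9a-f:]+/))
        fp = substr(req, RSTART + 13, RLENGTH - 13)
      pending = 1
      next
    }
    # The next auth response after a request is the answer to that request.
    pending && /RECV *: *(USERAUTH_FAILURE|AUTH_SUCCESS)/ {
      print method, algo, fp, ($0 ~ /AUTH_SUCCESS/ ? "accepted" : "rejected")
      pending = 0
    }
  ' "$@"
}

# Trace lines as posted in the thread above.
sample_trace() {
  cat <<'EOF'
[LOCAL] : RECV: SERVICE_ACCEPT[ssh-userauth] -- OK
[LOCAL] : SENT : USERAUTH_REQUEST [none]
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,password]
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,agent,fingerprint: 8e:73:2a:48:d9:3f:dc:01:43:30:5f:19:b0:32:09:b3]
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,password]
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,fingerprint: 8e:73:2a:48:d9:3f:dc:01:43:30:5f:19:b0:32:09:b3]
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,password]
Password: [LOCAL] : SENT : USERAUTH_REQUEST [password]
[LOCAL] : RECV : AUTH_SUCCESS
EOF
}

sample_trace | summarize_auth
```

Both publickey rows show the key being offered as a plain `ssh-rsa` key with the same fingerprint, and only the password request is accepted.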
  #3  
Old 08-29-2012, 01:15 PM
rciulla rciulla is offline
Registered User
 
Join Date: Aug 2012
Posts: 2
all set...thanks

To resolve this issue I had to create a .pfx file using the user's private key file and the signed certificate from the CA.

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

The -certfile is optional.

Openssl will prompt for an export phrase. This will be used when importing the resulting certificate.pfx into the Windows box.

I copied the file certificate.pfx to my Windows box, right mouse button clicked it and selected import (entered pass phrase). I then followed your directions from there and I successfully logged in to my SSH server.


- Click Next, select Place all certificates in the following store

- Click the Browse button

- Select Personal

- Rejoice and click OK because the import was successful

- Open SecureCRT's Session Options / Connection / SSH2 category

- Select PublicKey and press the Properties button

- Select Use personal store certificate (CAPI)

Excellent support and excellent product. Thanks Mike!!!
Reply With Quote
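Before bundling a key and certificate into a .pfx as described above, it is worth checking that the two actually belong together and that the certificate chains to the CA. This is an added example, not the poster's commands; the file names, subjects, passphrase and function names are constructed, it uses a throwaway CA with 2048-bit RSA keys so it runs offline, and it reads the export passphrase from a `PFX_PASS` environment variable (an assumption) instead of prompting.

```shell
#!/bin/sh
# Added example; file names, subjects and the passphrase are constructed.

# True only if private key $1 and certificate $2 hold the same public key.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Build .pfx $4 from key $1, certificate $2 and CA certificate $3.
# The passphrase comes from PFX_PASS so it never appears in the process list.
make_pfx() {
  key_matches_cert "$1" "$2" ||
    { echo "key does not match certificate" >&2; return 1; }
  openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 ||
    { echo "certificate does not chain to the CA" >&2; return 1; }
  openssl pkcs12 -export -out "$4" -inkey "$1" -in "$2" -certfile "$3" \
    -passout env:PFX_PASS
}

# Re-open the bundle with the passphrase: checks the MAC and that it parses.
pfx_ok() {
  openssl pkcs12 -in "$1" -noout -passin env:PFX_PASS >/dev/null 2>&1
}

# Throwaway CA and user certificate in directory $1 (constructed test data).
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=user1" \
    -keyout "$1/user1.key" -out "$1/user1.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/user1.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/user1.pem" 2>/dev/null
}

d=$(mktemp -d)
PFX_PASS='constructed-demo-passphrase'; export PFX_PASS
make_demo_pki "$d" &&
  make_pfx "$d/user1.key" "$d/user1.pem" "$d/ca.pem" "$d/user1.pfx" &&
  pfx_ok "$d/user1.pfx" && echo "user1.pfx is ready to import"
```

`make_pfx` refuses to write a bundle when the key and certificate do not match, which catches a mixed-up file before the Windows import step.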
  #4  
Old 08-29-2012, 02:26 PM
miked miked is offline
Registered User
 
Join Date: Feb 2004
Posts: 2,040
Thanks for posting the solution!
__________________
Mike
VanDyke Software
Technical Support
[http://www.vandyke.com/support]
Reply With Quote
All times are GMT -6.