Hi all

Got it: put into /usr/local/etc/ssh_config:

Host *
    HostKeyAlgorithms ssh-dss-cert-v01@xxxxxxxxxxx,ssh-dss

The documentation about that is a bit lousy.

Regards
Konrad

On 09/03/2010 04:58 PM, Konrad Bucheli wrote:
> Hi there
>
> I am currently trying certificate-based authentication with ssh and was
> successful with user authentication, but failed to configure host
> authentication.
>
> I have the newest and shiniest version:
>
> kb@kb-pc:~$ ssh -v
> OpenSSH_5.6p1, OpenSSL 0.9.8k 25 Mar 2009
>
> Created a CA key:
>
> ssh-keygen -t dsa -f ca_root
>
> Signed the host key:
>
> ssh-keygen -s ca_root -I kb-pc -h /usr/local/etc/ssh_host_dsa_key.pub
>
> Added the certificate after the host key to /usr/local/etc/sshd_config:
>
> HostKey /usr/local/etc/ssh_host_dsa_key
> HostCertificate /usr/local/etc/ssh_host_dsa_key-cert.pub
>
> Added the CA public key to ~/.ssh/known_hosts:
>
> @cert-authority * ssh-dss AAAAB3NzaC1kc3MAA...
>
> and tried to log in:
>
> kb@kb-pc:~$ ssh -v root@localhost
> OpenSSH_5.6p1, OpenSSL 0.9.8k 25 Mar 2009
> debug1: Reading configuration data /home/kb/.ssh/config
> debug1: Reading configuration data /usr/local/etc/ssh_config
> debug1: Applying options for *
> debug1: Connecting to localhost [::1] port 22.
> debug1: Connection established.
> debug1: identity file /home/kb/.ssh/id_rsa type -1
> debug1: identity file /home/kb/.ssh/id_rsa-cert type -1
> debug1: identity file /home/kb/.ssh/id_dsa type 2
> debug1: ssh_dss_verify: signature correct
> debug1: identity file /home/kb/.ssh/id_dsa-cert type 4
> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.6
> debug1: match: OpenSSH_5.6 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.6
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> The authenticity of host 'localhost (::1)' can't be established.
> DSA key fingerprint is 96:2e:ae:c2:4a:b8:24:0d:ee:1d:18:73:29:ad:72:e8.
> Are you sure you want to continue connecting (yes/no)?
>
> Which was not the result I expected. Am I missing something?
>
> strace /usr/local/sbin/sshd
>
> indicates that the certificate is read:
>
> munmap(0xb774a000, 4096) = 0
> open("/usr/local/etc/ssh_host_dsa_key-cert.pub", O_RDONLY|O_LARGEFILE) = 3
> fstat64(3, {st_mode=S_IFREG|0644, st_size=1454, ...}) = 0
> read(3, "ssh-dss-cert-v01@xxxxxxxxxxx AAA"..., 1454) = 1454
> close(3) = 0
> open("/usr/local/etc/ssh_host_dsa_key-cert.pub", O_RDONLY|O_LARGEFILE) = 3
> fstat64(3, {st_mode=S_IFREG|0644, st_size=1454, ...}) = 0
> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb774a000
> read(3, "ssh-dss-cert-v01@xxxxxxxxxxx AAA"..., 4096) = 1454
> read(3, "", 4096) = 0
> close(3) = 0
> munmap(0xb774a000, 4096) = 0
> open("/usr/local/etc/ssh_host_dsa_key-cert.pub", O_RDONLY|O_LARGEFILE) = 3
> fstat64(3, {st_mode=S_IFREG|0644, st_size=1454, ...}) = 0
> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb774a000
> read(3, "ssh-dss-cert-v01@xxxxxxxxxxx AAA"..., 4096) = 1454
> close(3) = 0
>
> Any idea?
>
> Thanks and regards
>
> Konrad Bucheli
>
> --
> konrad bucheli
> security engineer
> open systems ag
> raeffelstrasse 29
> ch-8045 zurich
> t: +41 44 455 74 00
> f: +41 44 455 74 01
> kb@xxxxxxx
> http://www.open.ch
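The host-certificate setup from the thread, carried through end to end as an added example (this is not code from the thread or from OpenSSH itself). It follows the same steps as the quoted mail, with the three things a practitioner usually wants on top: the certificate bound to a principal (-n) and a validity window (-V) instead of "any host, forever", the @cert-authority line scoped to a domain pattern rather than "*", and the client's HostKeyAlgorithms listing the certificate type first, which is the fix from the reply. The thread redacts the algorithm suffix as "@xxxxxxxxxxx"; the real name is "@openssh.com". The host name kb-pc.example.net, the pattern *.example.net, the scratch directory and the use of ed25519 instead of DSA (modern OpenSSH no longer enables ssh-dss by default) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: the OpenSSH host-certificate workflow
# end to end, run in a scratch directory. Host name, domain pattern and file
# names are assumptions; the thread keeps its keys under /usr/local/etc.
set -eu

# The client only trusts a host certificate if it *offers* the certificate
# host-key algorithm in KEXINIT; otherwise sshd presents the bare host key
# and you get the fingerprint prompt seen in the thread. Succeed when the
# first entry of a HostKeyAlgorithms list is a certificate type.
check_hostkeyalgs() {
    first=${1%%,*}
    case "$first" in
        *-cert-v0?@openssh.com) return 0 ;;
        *) return 1 ;;
    esac
}

# Certificate algorithm name for a plain key type (the thread redacts the
# "@openssh.com" suffix as "@xxxxxxxxxxx").
cert_algo_for() {
    case "$1" in
        ssh-ed25519) echo ssh-ed25519-cert-v01@openssh.com ;;
        ssh-rsa)     echo ssh-rsa-cert-v01@openssh.com ;;
        ssh-dss)     echo ssh-dss-cert-v01@openssh.com ;;
        *)           return 1 ;;
    esac
}

# known_hosts line that trusts a CA for one host pattern. Scope the pattern
# to your domain: "@cert-authority *" lets the CA vouch for every host.
cert_authority_line() {
    pattern=$1
    ca_pub=$2
    printf '@cert-authority %s %s\n' "$pattern" "$(cut -d' ' -f1,2 < "$ca_pub")"
}

# Full setup with ssh-keygen; prints the scratch directory it used.
setup_host_cert() {
    work=$(mktemp -d)
    host=kb-pc.example.net      # assumed FQDN of the server

    # 1. CA key. The thread uses DSA; modern OpenSSH disables ssh-dss by
    #    default, so ed25519 is used here.
    ssh-keygen -q -t ed25519 -N '' -C host-ca -f "$work/ca_root"

    # 2. Server host key (normally already present under /etc/ssh or
    #    /usr/local/etc).
    ssh-keygen -q -t ed25519 -N '' -f "$work/ssh_host_ed25519_key"

    # 3. Sign as a *host* certificate (-h), bound to the host name (-n) and
    #    time-limited (-V); -I is the key id that shows up in logs. The
    #    thread's command omitted -n and -V, so that certificate is valid
    #    for any principal, forever.
    ssh-keygen -q -s "$work/ca_root" -I "$host" -h -n "$host" -V +52w \
        "$work/ssh_host_ed25519_key.pub"

    # 4. Server side: the certificate goes next to its HostKey in sshd_config.
    printf 'HostKey %s\nHostCertificate %s\n' \
        "$work/ssh_host_ed25519_key" "$work/ssh_host_ed25519_key-cert.pub" \
        > "$work/sshd_config.snippet"

    # 5. Client side: trust the CA for the domain, and offer the certificate
    #    algorithm first (the fix from the reply).
    cert_authority_line '*.example.net' "$work/ca_root.pub" > "$work/known_hosts"
    printf 'Host *.example.net\n    HostKeyAlgorithms %s,ssh-ed25519\n' \
        "$(cert_algo_for ssh-ed25519)" > "$work/ssh_config.snippet"
    check_hostkeyalgs "$(cert_algo_for ssh-ed25519),ssh-ed25519"

    # 6. Verify what was signed: the type must be a host certificate and the
    #    principal list must name the server.
    ssh-keygen -L -f "$work/ssh_host_ed25519_key-cert.pub" > "$work/cert.txt"
    grep -q 'host certificate' "$work/cert.txt"
    grep -q "$host" "$work/cert.txt"

    echo "$work"
}

if command -v ssh-keygen >/dev/null 2>&1; then
    dir=$(setup_host_cert)
    echo "host certificate setup written to $dir"
    cat "$dir/cert.txt"
else
    echo 'ssh-keygen not found; skipping key generation' >&2
fi
```

Copy the two snippets into the real sshd_config and ssh_config, restart sshd, and a subsequent `ssh -v` should no longer show the fingerprint prompt but a debug1 line saying the host is known and matches the host certificate. If the prompt still appears, the first thing to check is the HostKeyAlgorithms the client actually sends: a Host block in ~/.ssh/config or the system ssh_config that lists only plain key types overrides the default and makes sshd fall back to the bare host key.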