Welcome to the VanDyke Software Forums

#1
05-08-2020, 03:22 PM
decode.chr13
Registered User
 
Join Date: Apr 2020
Posts: 6
SecureCRT 8.5.4/8.7.1 Mac and Windows

Hello,

We are using Gravitational Teleport as an access proxy.
It uses OpenSSH signed certificate keys to log in.

I'm having a problem connecting from SecureCRT using this type of publickey.

The trace log shows:
[LOCAL] : Available Remote Kex Methods = curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
[LOCAL] : Selected Kex Method = curve25519-sha256@libssh.org
[LOCAL] : Available Remote Host Key Algos = ssh-rsa-cert-v01@openssh.com
[LOCAL] : Selected Host Key Algo =
[LOCAL] : Available Remote Send Ciphers = aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
[LOCAL] : Selected Send Cipher = aes256-ctr
[LOCAL] : Available Remote Recv Ciphers = aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
[LOCAL] : Selected Recv Cipher = aes256-ctr
[LOCAL] : Available Remote Send Macs = hmac-sha2-256-etm@openssh.com,hmac-sha2-256
[LOCAL] : Selected Send Mac = hmac-sha2-256
[LOCAL] : Available Remote Recv Macs = hmac-sha2-256-etm@openssh.com,hmac-sha2-256
[LOCAL] : Selected Recv Mac = hmac-sha2-256
[LOCAL] : Stream has closed [CLOSE_TYPE_NONSPECIFIC] : Key exchange failed. No compatible hostkey. The server supports these methods: ssh-rsa-cert-v01@openssh.com

Key exchange failed.
No compatible hostkey. The server supports these methods: ssh-rsa-cert-v01@openssh.com

The important error is that SecureCRT didn't pick up any Host Key Algorithm.
[LOCAL] : Available Remote Host Key Algos = ssh-rsa-cert-v01@openssh.com
[LOCAL] : Selected Host Key Algo =

As I read in features we should be able to use OpenSSH certificates.

Can you please shed some light about using SecureCRT with this type of publickey?

Thank you
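
The failure in the trace above, reproduced as an added example (not part of the original post and not SecureCRT code): it parses the quoted trace lines, flags any category where the server offered algorithms but none was selected, and applies the client-preference rule from RFC 4253 section 7.1 in simplified form (it ignores the kex/host-key interdependency). The client preference lists are assumptions for illustration; SecureCRT's real lists are not shown in the thread.

```python
import re

# Trace lines copied from the first post (MAC lines omitted for brevity).
TRACE = """\
[LOCAL] : Available Remote Kex Methods = curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
[LOCAL] : Selected Kex Method = curve25519-sha256@libssh.org
[LOCAL] : Available Remote Host Key Algos = ssh-rsa-cert-v01@openssh.com
[LOCAL] : Selected Host Key Algo =
[LOCAL] : Available Remote Send Ciphers = aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
[LOCAL] : Selected Send Cipher = aes256-ctr
"""

# Assumption: hypothetical client preference lists, NOT SecureCRT's real ones.
ASSUMED_CLIENT_HOSTKEYS = ["ssh-ed25519", "ecdsa-sha2-nistp256", "rsa-sha2-512", "ssh-rsa"]
ASSUMED_CLIENT_CIPHERS = ["aes256-ctr", "aes192-ctr", "aes128-ctr"]

LINE = re.compile(r"^\[LOCAL\] : (Available Remote|Selected) (.+?) =\s*(.*)$")

def parse_trace(text):
    """Return {category: {"offered": [...], "selected": str}} from trace lines."""
    result = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        kind, label, value = m.groups()
        # "Host Key Algos" and "Host Key Algo" must map to the same category.
        entry = result.setdefault(label.rstrip("s").lower(), {"offered": [], "selected": ""})
        if kind == "Selected":
            entry["selected"] = value.strip()
        else:
            entry["offered"] = [a.strip() for a in value.split(",") if a.strip()]
    return result

def failed_categories(parsed):
    """Categories where the server offered algorithms but none was selected."""
    return [c for c, e in parsed.items() if e["offered"] and not e["selected"]]

def negotiate(client_prefs, server_offer):
    """First client preference that the server also lists, else None."""
    return next((a for a in client_prefs if a in server_offer), None)

if __name__ == "__main__":
    parsed = parse_trace(TRACE)
    print("failed:", failed_categories(parsed))
    print("host key:", negotiate(ASSUMED_CLIENT_HOSTKEYS, parsed["host key algo"]["offered"]))
    print("cipher:", negotiate(ASSUMED_CLIENT_CIPHERS, parsed["send cipher"]["offered"]))
```

The cipher result matches the trace even though the server lists aes128-ctr first, which is what client-preference ordering predicts; the host key result is empty because no plain key type overlaps with the certificate-only offer.
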
#2
05-08-2020, 04:15 PM
cboyack
VanDyke Technical Support
 
Join Date: Apr 2020
Posts: 9
Quote:
Originally Posted by decode.chr13
We are using Gravitational Teleport as an access proxy.
It uses OpenSSH signed certificate keys to log in.

I'm having a problem connecting from SecureCRT using this type of publickey...

As I read in features we should be able to use OpenSSH certificates.

Can you please shed some light about using SecureCRT with this type of publickey?

While SecureCRT does support authentication from client to server using an OpenSSH trusted certificate for user authentication, SecureCRT does not currently support connecting to an SSH2 server that uses an OpenSSH trusted certificate as its host key.

I've added a feature request on your behalf so that the product director may be able to evaluate it for potential inclusion in some future release. I don't yet have any ETA for when or even if this might ever become available, but if it does we can post it to this forum thread.
__________________
Thanks,
--Cameron

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
#3
05-12-2020, 12:02 AM
decode.chr13
Registered User
 
Join Date: Apr 2020
Posts: 6
OpenSSH certificate format

Hello,

Thanks for the response.
Just a small mention about this certificate.
The host is using an OpenSSH format certificate, not an x509 v3 certificate.
The certificate is signed using ssh-keygen with an OpenSSH CA private key.

You could implement this first as there is not necessarily a big difference between a normal sshd key and a signed sshd key.

New feature idea:
Then you can add another feature request if you think it is good for your products to accept x509 v3 certificates as host certificates, so you can log in like on Cisco equipment. I believe OpenSSH doesn’t support this, but for your ssh server it would be a very good idea.

The flow is like this:
1) sshd uses a CA signed cert and has the whole chain (in Cisco this is accomplished manually or with SCEP).
2) client has a cert signed by the same CA
3) when the client connects and presents the cert, the server checks if it is the same CA, then asks CRL/OCSP if it is valid, then authenticates the user.

This is useful in regulated deployments.

Thanks
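
The layout of an OpenSSH-format host certificate, as an added example that is not part of the original post: it decodes the ssh-rsa-cert-v01@openssh.com field order from OpenSSH's PROTOCOL.certkeys next to a plain ssh-rsa blob, showing that the certificate carries the same RSA public key plus type, principals, validity and CA key fields. The sample blobs, key id and host name are constructed with a dummy nonce and signature, and the code decodes structure only; it does not verify the CA signature.

```python
import struct

def s(b):  # SSH "string": uint32 length prefix + bytes
    return struct.pack(">I", len(b)) + b

def plain_blob(e, n):  # ordinary ssh-rsa host key blob (RFC 4253)
    return s(b"ssh-rsa") + s(e) + s(n)

def cert_blob(e, n, principals, ca_blob):  # constructed; nonce/signature are dummies
    return (s(b"ssh-rsa-cert-v01@openssh.com") + s(b"\x00" * 16) + s(e) + s(n)
            + struct.pack(">QI", 1, 2)          # serial, type (2 = host)
            + s(b"constructed-key-id") + s(b"".join(s(p) for p in principals))
            + struct.pack(">QQ", 0, 2**64 - 1)  # valid after / valid before
            + s(b"") + s(b"") + s(b"")          # critical options, extensions, reserved
            + s(ca_blob) + s(b"dummy-signature"))

class Reader:
    def __init__(self, data):
        self.d, self.i = data, 0
    def take(self, n):
        if self.i + n > len(self.d):
            raise ValueError("truncated blob")
        self.i += n
        return self.d[self.i - n:self.i]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def u64(self): return struct.unpack(">Q", self.take(8))[0]
    def string(self): return self.take(self.u32())

def parse_host_key(blob):
    r = Reader(blob)
    kind = r.string().decode()
    if kind == "ssh-rsa":
        return {"kind": kind, "e": r.string(), "n": r.string()}
    if kind != "ssh-rsa-cert-v01@openssh.com":
        raise ValueError("unsupported key type: " + kind)
    r.string()  # nonce
    out = {"kind": kind, "e": r.string(), "n": r.string(), "serial": r.u64()}
    out["type"] = {1: "user", 2: "host"}.get(r.u32(), "unknown")
    out["key_id"] = r.string().decode()
    p, out["principals"] = Reader(r.string()), []
    while p.i < len(p.d):
        out["principals"].append(p.string().decode())
    out["valid_after"], out["valid_before"] = r.u64(), r.u64()
    *_, ca = [r.string() for _ in range(4)]  # critical options, extensions, reserved, CA key
    out["ca_key_type"] = Reader(ca).string().decode()
    return out  # the trailing CA signature is not read or verified here

E, N = b"\x01\x00\x01", b"\x00" + b"\xc3" * 8  # constructed, far too small to be real
CERT = cert_blob(E, N, [b"node1.example.internal"], plain_blob(E, b"\x00" + b"\xa5" * 8))
```

A client that accepts this host key type still has to check the signature against a trusted CA key, the host type, the validity window and that the principals match the host it dialed; decoding the fields is only the first step.
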
#4
05-12-2020, 11:35 AM
cboyack
VanDyke Technical Support
 
Join Date: Apr 2020
Posts: 9
Hi,

Thanks for the additional information regarding the OpenSSH signed certificate. I've passed it on to our DEV/QA team in the previous feature request I captured for you.

Quote:
Originally Posted by decode.chr13
New feature idea:
Then you can add another feature request if you think it is good for your products to accept x509 v3 certificates as host certificates, so you can log in like on Cisco equipment. I believe OpenSSH doesn’t support this, but for your ssh server it would be a very good idea.

Since SecureCRT version 5.1 on Windows, support for accepting x509v3-sign-rsa and x509v3-sign-dss host keys has been in place. We do not yet have support for x.509 host keys on the Linux/macOS platforms.

Could you please clarify as to which specific host key algorithms you'd like us to support? If there's a specific algorithm that you have in mind, can you please include a link to the specification for implementation of that algorithm?
__________________
Thanks,
--Cameron

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
All times are GMT -6.