Re: [gsi-openssh] Q: More than one Common Name found in subject
Your sshd (from our binary release) is linked statically with GT 2.2
libraries and therefore does not know how to interpret your GT3 "Proxy
draft compliant impersonation proxy". Rather than trying to build the
current gsi-openssh release against GT3 libraries, please wait a day or two
for our next release, which will install more easily with GT3 and will link
dynamically with the GT libraries. Until then, please use 'grid-proxy-init
-old'.
At 04:47 PM 8/5/2003, matei wrote:
> The sshd will load the X.509 credentials after the client connects. You
> don't need to set anything in the sshd_config file.
>
> Have you been running the sshd as root all this time or did you just start
> running it as root now? Are you still seeing the problem when running it
> as root?
Jim,
As you guessed I've tried to run as root only starting from the
previous message. Now, with sshd run as root, when a client tries to
connect I get a different error on the client side (complete debug logs
at the end of this message):
GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:
an unknown error occurred
Disconnecting: Protocol error: didn't expect packet type 34
Debugging information:
On the client:
*** Check that the proxy is initialized
vsh-2.05$ grid-proxy-info
subject : /O=Grid/O=Globus/OU=cs.uchicago.edu/CN=Matei Ripeanu/CN=64018880
issuer : /O=Grid/O=Globus/OU=cs.uchicago.edu/CN=Matei Ripeanu
identity : /O=Grid/O=Globus/OU=cs.uchicago.edu/CN=Matei Ripeanu
type : Proxy draft compliant impersonation proxy
strength : 512 bits
path : /tmp/x509up_u500
timeleft : 11:56:55
*** client debug trace
vsh-2.05$ ssh -vvv -p 54321 planetlab2.cs.arizona.edu
OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090609f
debug1: Reading configuration data
/home/uchicago10/opt/GT3//etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be
trusted.
debug2: ssh_connect: needpriv 0
debug1: Connecting to planetlab2.cs.arizona.edu [150.135.65.3] port 54321.
debug1: Connection established.
debug3: Not a RSA1 key file /home/uchicago10/.ssh/identity.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/uchicago10/.ssh/identity type 1
debug1: identity file /home/uchicago10/.ssh/id_rsa type -1
debug1: identity file /home/uchicago10/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version
OpenSSH_3.6.1p2
debug1: match: OpenSSH_3.6.1p2 pat
OpenSSH_3.2*,OpenSSH_3.3*,OpenSSH_3.4*,OpenSSH_3.5*,OpenSSH_3.6.1*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2
debug3: Trying to reverse map address 150.135.65.3.
debug1: Mechanism encoded as dZuIebMjgUqaxvbF7hDbAw==
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
gss-group1-sha1-N3+k7/4wGxHyuP8Yxi4RhA==,gss-group1-sha1-dZuIebMjgUqaxvbF7hDbAw==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,null
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
gss-group1-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group1-sha1-N3+k7/4wGxHyuP8Yxi4RhA==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: dh_gen_key: priv key bits set: 128/256
debug2: bits set: 483/1024
debug1: Calling gss_init_sec_context
debug1: Delegating credentials
debug1: Received GSSAPI_CONTINUE
debug1: Calling gss_init_sec_context
debug1: Delegating credentials
debug1: Received Error
GSSAPI Error:
GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:
an unknown error occurred
Disconnecting: Protocol error: didn't expect packet type 34
debug1: Calling cleanup 0x8061bec(0x0)
***** On the server side: ********************************************
*** Config files:
[root@PlanetLab2 uchicago10]# ls -l /etc/grid-security/
total 28
drwxr-xr-x 2 root root 4096 Jul 9 23:42 certificates
lrwxrwxrwx 1 root root 62 Jul 9 23:42
globus-host-ssl.conf ->
/etc/grid-security/certificates//globus-host-ssl.conf.42864e48
lrwxrwxrwx 1 root root 62 Jul 9 23:42
globus-user-ssl.conf ->
/etc/grid-security/certificates//globus-user-ssl.conf.42864e48
-rw-r--r-- 1 uchicago uchicago 66 Aug 5 18:17 grid-mapfile
-rw-r--r-- 1 uchicago uchicago 66 Aug 5 16:32 grid-mapfile.dacm
lrwxrwxrwx 1 root root 60 Jul 9 23:42 grid-security.conf
-> /etc/grid-security/certificates//grid-security.conf.42864e48
-rw-r--r-- 1 uchicago uchicago 174 Aug 5 18:17 grim-port-type.xml
-rw-r--r-- 1 root root 3552 Jul 10 00:28 hostcert.pem
-rw-r--r-- 1 root root 1300 Jul 10 00:28
hostcert_request.pem
-r-------- 1 root root 891 Jul 10 00:28 hostkey.pem
*** sshd debug trace ***
[root@PlanetLab2 uchicago10]# sshd -p 54321 -ddd
debug2: read_server_config: filename
/home/uchicago10/opt/GT3//etc/ssh/sshd_config
debug1: sshd version OpenSSH_3.6.1p2
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file
/home/uchicago10/opt/GT3//etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file
/home/uchicago10/opt/GT3//etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
socket: Address family not supported by protocol
debug1: Bind to port 54321 on 0.0.0.0.
Server listening on 0.0.0.0 port 54321.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 150.135.65.3 port 34625
debug1: Client protocol version 2.0; client software version
OpenSSH_3.6.1p2
debug1: match: OpenSSH_3.6.1p2 pat
OpenSSH_3.2*,OpenSSH_3.3*,OpenSSH_3.4*,OpenSSH_3.5*,OpenSSH_3.6.1*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.6.1p2
debug2: Network child is on pid 18270
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: privsep user:group 74:74
debug1: permanently_set_uid: 74/74
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug3: mm_request_send entering: type 28
debug3: mm_request_receive_expect entering: type 29
debug3: monitor_read: checking request 28
debug3: mm_request_send entering: type 29
debug3: mm_request_receive entering
debug3: mm_request_receive entering
debug3: mm_request_send entering: type 20
debug3: mm_request_receive_expect entering: type 21
debug3: monitor_read: checking request 20
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug3: mm_request_receive entering
debug1: GSSAPI mechanism GSI (gss-group1-sha1-dZuIebMjgUqaxvbF7hDbAw==)
supported
debug3: mm_request_send entering: type 20
debug3: mm_request_receive_expect entering: type 21
debug3: monitor_read: checking request 20
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug3: mm_request_receive entering
debug1: GSSAPI mechanism GSI (gss-group1-sha1-N3+k7/4wGxHyuP8Yxi4RhA==)
supported
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
gss-group1-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group1-sha1-N3+k7/4wGxHyuP8Yxi4RhA==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
gss-group1-sha1-N3+k7/4wGxHyuP8Yxi4RhA==,gss-group1-sha1-dZuIebMjgUqaxvbF7hDbAw==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,null
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: kexgss_server: Identifying
gss-group1-sha1-N3+k7/4wGxHyuP8Yxi4RhA==
debug1: using GSSAPI mechanism GSI
(gss-group1-sha1-N3+k7/4wGxHyuP8Yxi4RhA==)
debug2: kexgss_server: Acquiring credentials
debug3: mm_request_send entering: type 20
debug3: mm_request_receive_expect entering: type 21
debug3: monitor_read: checking request 20
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug3: mm_request_receive entering
debug1: Wait SSH2_MSG_GSSAPI_INIT
debug3: mm_request_send entering: type 22
debug3: mm_request_receive_expect entering: type 23
debug3: monitor_read: checking request 22
debug1: Got no client credentials
debug3: mm_request_send entering: type 23
debug3: mm_request_receive entering
debug3: mm_request_receive entering
debug1: Sending GSSAPI_CONTINUE
debug1: Wait SSH2_MSG_GSSAPI_INIT
debug3: mm_request_send entering: type 22
debug3: mm_request_receive_expect entering: type 23
debug3: monitor_read: checking request 22
debug1: GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:
accept_sec_context.c:158: gss_accept_sec_context: SSLv3 handshake problems
globus_i_gsi_gss_utils.c:848: globus_i_gsi_gss_handshake: SSLv3 handshake
problems: Couldn't do ssl handshake
OpenSSL Error: s3_srvr.c:1812: in library: SSL routines, function
SSL3_GET_CLIENT_CERTIFICATE: no certificate returned
debug1: Got no client credentials
debug3: mm_request_send entering: type 23
debug3: mm_request_receive entering
debug3: mm_request_receive entering
debug3: mm_request_send entering: type 34
debug3: mm_request_receive_expect entering: type 35
debug3: monitor_read: checking request 34
debug3: mm_request_send entering: type 35
debug2: monitor_read: 34 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_request_receive entering
Disconnecting: gssapi key exchange handshake failed
debug1: Calling cleanup 0x806dc0c(0x0)
*** or this one ***
[root@PlanetLab2 uchicago10]# sshd -p 54321 -ddd -o
'UsePrivilegeSeparation no'
debug2: read_server_config: filename
/home/uchicago10/opt/GT3//etc/ssh/sshd_config
debug1: sshd version OpenSSH_3.6.1p2
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file
/home/uchicago10/opt/GT3//etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file
/home/uchicago10/opt/GT3//etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
socket: Address family not supported by protocol
debug1: Bind to port 54321 on 0.0.0.0.
Server listening on 0.0.0.0 port 54321.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 150.135.65.3 port 34761
debug1: Client protocol version 2.0; client software version
OpenSSH_3.6.1p2
debug1: match: OpenSSH_3.6.1p2 pat
OpenSSH_3.2*,OpenSSH_3.3*,OpenSSH_3.4*,OpenSSH_3.5*,OpenSSH_3.6.1*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.6.1p2
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: GSSAPI mechanism GSI (gss-group1-sha1-dZuIebMjgUqaxvbF7hDbAw==)
supported
debug1: GSSAPI mechanism GSI (gss-group1-sha1-N3+k7/4wGxHyuP8Yxi4RhA==)
supported
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
gss-group1-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group1-sha1-N3+k7/4wGxHyuP8Yxi4RhA==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
gss-group1-sha1-N3+k7/4wGxHyuP8Yxi4RhA==,gss-group1-sha1-dZuIebMjgUqaxvbF7hDbAw==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,null
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: kexgss_server: Identifying
gss-group1-sha1-N3+k7/4wGxHyuP8Yxi4RhA==
debug1: using GSSAPI mechanism GSI
(gss-group1-sha1-N3+k7/4wGxHyuP8Yxi4RhA==)
debug2: kexgss_server: Acquiring credentials
debug1: Wait SSH2_MSG_GSSAPI_INIT
debug1: Got no client credentials
debug1: Sending GSSAPI_CONTINUE
debug1: Wait SSH2_MSG_GSSAPI_INIT
debug1: GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:
accept_sec_context.c:158: gss_accept_sec_context: SSLv3 handshake problems
globus_i_gsi_gss_utils.c:848: globus_i_gsi_gss_handshake: SSLv3 handshake
problems: Couldn't do ssl handshake
OpenSSL Error: s3_srvr.c:1812: in library: SSL routines, function
SSL3_GET_CLIENT_CERTIFICATE: no certificate returned
debug1: Got no client credentials
Disconnecting: gssapi key exchange handshake failed
> If yes, could you please send a complete transcript with full
> debugging for client and server?
>
> At 03:35 PM 8/5/2003, matei wrote:
> >Hm ... this seems to be a problem: sshd does not seem to try to load the
> >hostcert and hostkey. Certificates are in the standard place and I also tried
> >setting the X509* environment variables (see below). Is there something I
> >should modify in the config file to make it read the host certificates?
> >
> >When I start sshd:
> >
> >[root@PlanetLab2 GT3]# sshd -p 54321 -ddd
> >debug2: read_server_config: filename
> >/home/uchicago10/opt/GT3//etc/ssh/sshd_config
> >debug1: sshd version OpenSSH_3.6.1p2
> >debug1: private host key: #0 type 0 RSA1
> >debug3: Not a RSA1 key file
> >/home/uchicago10/opt/GT3//etc/ssh/ssh_host_rsa_key.
> >debug1: read PEM private key done: type RSA
> >debug1: private host key: #1 type 1 RSA
> >debug3: Not a RSA1 key file
> >/home/uchicago10/opt/GT3//etc/ssh/ssh_host_dsa_key.
> >debug1: read PEM private key done: type DSA
> >debug1: private host key: #2 type 2 DSA
> >socket: Address family not supported by protocol
> >debug1: Bind to port 54321 on 0.0.0.0.
> >Server listening on 0.0.0.0 port 54321.
> >Generating 768 bit RSA key.
> >RSA key generation complete.
> >....
> >
> >
> >Certificates are in their standard locations:
> >
> >[root@PlanetLab2 GT3]# ls -l $X509_CERT_DIR $X509_USER_CERT
> >$X509_USER_KEY
> >-rw-r--r-- 1 root root 3552 Jul 10 00:28
> >/etc/grid-security/hostcert.pem
> >-r-------- 1 root root 891 Jul 10 00:28
> >/etc/grid-security/hostkey.pem
> >
> >/etc/grid-security/certificates:
> >total 20
> >-rw-r--r-- 1 root root 806 Jul 9 23:42 42864e48.0
> >-rw-r--r-- 1 root root 1329 Jul 9 23:42
> >42864e48.signing_policy
> >-rw-r--r-- 1 root root 2869 Jul 9 23:42
> >globus-host-ssl.conf.42864e48
> >-rw-r--r-- 1 root root 2983 Jul 9 23:42
> >globus-user-ssl.conf.42864e48
> >-rw-r--r-- 1 root root 1230 Jul 9 23:42
> >grid-security.conf.42864e48
> >
> >
> >On Tue, 5 Aug 2003, Jim Basney wrote:
> >
> > > Are you running the sshd with a proxy credential instead of a host
> > > credential? It needs a host credential.
> > >
> > > At 02:16 PM 8/5/2003, matei wrote:
> > > >Jim,
> > > >
> > > >I've tried the '-old' option and the (insignificant) change in the error
> > > >message is that I get:
> > > >
> > > > globus_gsi_credential.c:1795: globus_l_gsi_cred_subject_cmp: Error
> > > > comparing subject names.: More than one Common Name found in subject
> > > > /O=Grid/O=Globus/OU=cs.uchicago.edu/CN=Matei Ripeanu/CN=proxy.
> > > >
> > > >instead of:
> > > >
> > > > globus_gsi_credential.c:1795: globus_l_gsi_cred_subject_cmp: Error
> > > > comparing subject names.: More than one Common Name found in subject
> > > > /O=Grid/O=Globus/OU=cs.uchicago.edu/CN=Matei Ripeanu/CN=786218723.
> > > >
> > > >
> > > >I'm using GT3 and I downloaded binaries from the GSI-OpenSSH download
> > > >page. Could this be the problem, should I install GSI-OpenSSH from
> > > >source?
> > > >
> > > >-matei
> > > >
> > > >On Tue, 5 Aug 2003, Jim Basney wrote:
> > > >
> > > > > Looks like you're using a GSI proxy with the new format, introduced in GT
> > > > > 2.4, with a GSI-OpenSSH server linked with GT 2.2 (or earlier)
> > > > > libraries. Try 'grid-proxy-init -old'.
> > > > >
> > > > > At 01:40 PM 8/5/2003, matei wrote:
> > > > > >Hi,
> > > > > >
> > > > > >I'm trying to use gsissh and the sshd server rejects my proxy
> > > > > >certificates as they contain more than one common name (see error below).
> > > > > >
> > > > > >Is there a way to make the server accept these proxies or to generate
> > > > > >proxies that contain only one common name?
> > > > > >
> > > > > >Thank you,
> > > > > >-matei
> > > > > >
> > > > > >debug2: input_userauth_request: try method gssapi
> > > > > >debug1: Trying to get OID string
> > > > > >debug1: Got string
> > > > > >Mechanism OID received using the old encoding form
> > > > > >debug1: GSS Major Status: General failure
> > > > > >
> > > > > >GSS Minor Status Error Chain:
> > > > > >
> > > > > >acquire_cred.c:123: gss_acquire_cred: Error with GSI credential
> > > > > >globus_i_gsi_gss_utils.c:1296: globus_i_gsi_gss_cred_read: Error with gss
> > > > > >credential handle
> > > > > >globus_gsi_credential.c:273: globus_gsi_cred_read: Error reading proxy
> > > > > >credential
> > > > > >globus_gsi_credential.c:1795: globus_l_gsi_cred_subject_cmp: Error
> > > > > >comparing subject names.: More than one Common Name found in subject
> > > > > >/O=Grid/O=Globus/OU=cs.uchicago.edu/CN=Matei Ripeanu/CN=786218723.
> > > > > >
> > > > > >
> > > > > >Failed gssapi for uchicago10 from 150.135.65.3 port 50315 ssh2
> > > > > >debug1: userauth-request for user uchicago10 service ssh-connection method
> > > > > >publickey
> > > > > >debug1: attempt 3 failures 3
> > > > >
> > > > >
> > > > >
> > >
> > >
> > >
>
>
>
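
Added example (not part of the original thread, and not GSI-OpenSSH or Globus code): the failures above turn on the extra CN a proxy appends to the user's subject. This sketch takes a subject in the slash format printed by grid-proxy-info, strips trailing proxy CNs to recover the identity, and reports whether the proxy is the legacy form ('CN=proxy', seen after 'grid-proxy-init -old') or the new form with a numeric CN. The function names and the numeric-CN heuristic are assumptions made for illustration; a real verifier checks the certificate chain and proxy extension, not the name alone.

```python
import re

# Final-CN values used by legacy Globus proxies; 'proxy' is the form seen in
# this thread after 'grid-proxy-init -old'.
LEGACY_PROXY_CNS = {"proxy", "limited proxy"}
# A '/' only starts a new RDN when followed by 'ATTR=' (values may contain '/').
RDN_START = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.]*=)")


def split_subject(subject):
    """Parse '/O=Grid/OU=x/CN=y' into [('O', 'Grid'), ('OU', 'x'), ('CN', 'y')]."""
    # Mail clients wrap long subjects ("CN=Matei\nRipeanu"); undo that first.
    subject = " ".join(subject.split())
    rdns = []
    for part in RDN_START.split(subject)[1:]:
        attr, _, value = part.partition("=")
        rdns.append((attr.upper(), value))
    if not subject.startswith("/") or not rdns:
        raise ValueError("expected a slash-separated subject: %r" % subject)
    return rdns


def proxy_kind(cn_value):
    """Return 'legacy', 'new-format' or None for one CN value (heuristic)."""
    if cn_value in LEGACY_PROXY_CNS:
        return "legacy"
    if cn_value.isdigit():  # assumption: new-format proxies append a numeric CN
        return "new-format"
    return None


def classify_subject(subject):
    """Strip trailing proxy CNs; report the identity and the proxy kinds seen."""
    rdns = split_subject(subject)
    kinds = []
    # Never strip the only RDN: a lone numeric CN is treated as the identity.
    while len(rdns) > 1 and rdns[-1][0] == "CN":
        kind = proxy_kind(rdns[-1][1])
        if kind is None:
            break
        kinds.append(kind)
        rdns.pop()
    return {
        "identity": "".join("/%s=%s" % rdn for rdn in rdns),
        "proxy_depth": len(kinds),
        "kinds": sorted(set(kinds)),
        # Per the reply at the top of the thread: an sshd linked with GT 2.2
        # libraries cannot interpret the new format, so '-old' is needed.
        "needs_old_for_gt22_sshd": "new-format" in kinds,
    }


# Subjects taken from the messages in this thread (first one wrapped as mailed).
SAMPLES = {
    "new": "/O=Grid/O=Globus/OU=cs.uchicago.edu/CN=Matei\nRipeanu/CN=64018880",
    "old": "/O=Grid/O=Globus/OU=cs.uchicago.edu/CN=Matei Ripeanu/CN=proxy",
    "eec": "/O=Grid/O=Globus/OU=cs.uchicago.edu/CN=Matei Ripeanu",
}

if __name__ == "__main__":
    for name, subj in SAMPLES.items():
        print(name, classify_subject(subj))
```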