OpenSSH and X.509 Certificate Support

sankalp_karpe sankalp_karpe at persistent.co.in
Wed Mar 12 22:51:26 EST 2008


Hi Roumen,

I tried your suggestions and could successfully connect to the OpenSSH 
Server with X.509 patch from a non-patched SSH Client using 
username/password.

The main requirement that I have is for the Client to be authenticated 
via a Client certificate using SSH and Apache.

I have been able to successfully achieve the same using Apache + mod_ssl 
for web server access to my system.
In order to enable the same authentication mechanism for command-line 
access to my system that uses OpenSSH, I patched OpenSSH with the X.509 
patch you developed between two Linux FC6 machines.

Ideally I would like it to be something like:

1. The client sends the user certificate (which includes the user's 
public key) to the server. The packet also contains data unique to the 
session and it is signed by the user's private key.
2. The server uses the CA certificate to check that the user's 
certificate is valid.
3. The server verifies that the user has a valid private key by checking 
the signature in the initial packet.
4. The server matches the user certificate against the rules in the 
server configuration file to decide whether login is allowed or not.

When looking for information on X.509 Certificate support for SSH, I had 
come across a commercial version of SSH (SSH Tectia Client/Server) which 
claims to support the above authentication sequence. Also, it supports 
selective field based authentication of the Client Certificates, for 
example:

<authentication-methods>
<authentication action="allow" repeat-block="yes">
<auth-publickey />
<authentication action="allow">
<selector>
<certificate field="ca-list" pattern="exa-ca1,exa-ca2" />
<certificate field="issuer-name" pattern="C=FI, O=SSH, CN=*" />
<certificate field="subject-name" pattern="C=FI, O=SSH, CN=%username%" />
<certificate field="serial-number" pattern="123456" />
<certificate field="altname-email" pattern="%username%@ssh.com" />
<certificate field="altname-upn" pattern="%username-without-domain%@ssh" />
</selector>
</authentication>
<authentication action="deny" />
</authentication>
</authentication-methods>

However, I need to see how I can extend the OpenSSH of my system to 
support X.509 Certificates and cannot use any commercial version of SSH.

Implementing X.509 Certificate support for OpenSSH (using the X.509 
patch you developed) requires that the client certificate be appended to 
the Client key in id_rsa and public part of the client key+certificate 
(i.e. id_rsa.pub) to be appended to the authorized_keys file on the 
server, and each time a new client (OpenSSH patched with X.509) is added 
to the network, its corresponding id_rsa.pub has to be appended to the 
server's authorized_keys.

So, I have the following concerns and would request your comments on the 
same:

(1) Isn't this an overhead as compared to what we would do in Web Server 
Authentication (Apache) where-in we provide the client with just a 
certificate, and not having to create a custom file containing the 
Client key+certificate (id_rsa) like we do for OpenSSH patched with X.509.

(2) If we need to have the "client key + client certificate" in id_rsa, 
then, is there any workaround to eliminate the need to append the ".pub" 
part of it to the "authorized_keys" file on the Server.

(3) Also how can we authenticate clients selectively using the fields of 
the client certificate in case of OpenSSH (with X.509 support).

Your help would be highly appreciated.
Thanking you in anticipation.

Thanks and Best Regards,
Sankalp



Roumen Petrov wrote:

>sankalp_karpe wrote:
>  
>
>>Hi Roumen,
>>
>>Thanks for your comments.
>>The issues reported by me were not X.509 specific. Sorry about that.
>>
>>So now I have SSH Server & Client, both patched with X.509 and I can 
>>successfully connect to the Server using X.509 Certificates.
>>
>>I have several Linux clients some of which are patched with x.509 patch.
>>
>>Is it possible for those linux machines (not patched with x.509) to 
>>log-in to the server with username/password since they do not support 
>>x.509 certificates (by doing some configuration changes on the Server)?
>>I have tried to log-in from a ssh client (without X.509 patch) to a 
>>ssh server (with X.509 patch), but the server refuses connection with 
>>the following error on the console:
>>
>>"no hostkey alg"
>>
>>My goal, is to make the OpenSSH Server (with X.509 patch) compatible 
>>with all SSH Clients irrespective of whether the client is patched 
>>with X.509 or not.
>>Would there be any workaround?
>>
>>Your help would be highly appreciated.
>>Thanking you in anticipation.
>>
>>Thanks and Best Regards,
>>Sankalp
>>
>>Roumen Petrov wrote:
>>
>>    
>>
>>>sankalp_karpe wrote:
>>>[SNIP]
>>>      
>>>
>
>You could list in sshd_config all supported key types:
>$ grep ^HostKey /etc/ssh/sshd_config
>HostKey /etc/ssh/ssh_host_rsa_key
>HostKey /etc/ssh/SAVE/ssh_host_rsa_key
>HostKey /etc/ssh/ssh_host_dsa_key
>
>
>Also you could check key-types supported by server:
>$ ssh-keyscan  localhost
># localhost SSH-2.0-OpenSSH_4.7
>localhost x509v3-sign-rsa Subject:C=XX,...
># localhost SSH-2.0-OpenSSH_4.7
>localhost x509v3-sign-dss Subject:C=XX,...
># localhost SSH-2.0-OpenSSH_4.7
>localhost ssh-rsa AAAAB3Nza....
># localhost SSH-2.0-OpenSSH_4.7
>no hostkey alg
>
>
>Command ssh-keyscan (see man page) scan for  protocol version 2 keys by 
>default.
>
>Roumen
>_______________________________________________
>openssh-unix-dev mailing list
>openssh-unix-dev at mindrot.org
>https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
>  
>



More information about the openssh-unix-dev mailing list