X509 based certificate authentication in OpenSSH

Iain Morgan imorgan at nas.nasa.gov
Thu Jun 10 03:36:25 EST 2010


Hi Naitik,

One thing I neglected to point out in my earlier off-list response to
you is that your use of the -n option may create a complication.
Specifically, using '-n USER' will restrict the certificate to only
being able to authenticate to a USER account.

When sshd encounters a certificate that has a non-empty list of
principals (as specified by the -n option to ssh-keygen), it will
compare the username of the account being logged into against this list.
If the name of the remote account is not in the list of principals, the
certificate will be rejected.

Other than that caveat, what you have described looks correct.

You don't need to do anything with the -cert.pub file that was created.
Simply keep it in the same directory as the associated private key. In
particular, there is no need to copy it to remote hosts. You would only
need to copy the public key, user_key.pub, to servers that do not
support the certificate format, i.e. any older than OpenSSH 5.4 or any
server using something other than OpenSSH. And you should _never_ copy
the private key to a remote host.

Simply keep the private key, public key and certificate (user_key,
user_key.pub, and user_key-cert.pub respectively) in your ~/.ssh
directory on the client system. Note that since you chose to use a
non-default name for the key (and thus the cert) you will need to
explicitly tell ssh to load the key/cert either with the -i command-line
option or the IdentityFile option in ~/.ssh/config.

On Wed, Jun 09, 2010 at 10:14:41 -0500, Dani, Naitik wrote:
> I did the following steps to create a certificate, but it does not work:
> 
> 
>   1) Client: ssh-keygen -f ca_key
>   2) Client: ssh-keygen -f user_key
>   3) Client: ssh-keygen -s ca_key -I 2 -n USER user_key.pub
>   4) Server: cp ca_key.pub ~/.ssh/authorized_keys
>   5) I tagged the entry in authorized_keys as follows with
> cert-authority, is this correct:
> cert-authority ssh-rsa
> AAAAB3NzaC1yc2EAAAADAQABAAABAQDscbUTgHMo+bryVqKHbItgd1THR4fVvjRdrDd3ZoEo
> oPA8iz/AR9umzn19rAeuRIKRYUnRsslaAVnAji6Hl1To51xoKQuV63cykCM+smxqsEIO8ThG
> eF/oH/HfAnpdDfZ7Lkh2n6n4ixwEygjQ0M9gnAZkyKBoq08rGp3vCZUFRCOTH3Xpdsy8kIqF
> xNdYyGNyLr3RpneSGJ9V99n4UmeUkm0ofVI0BaL0aCe4t1WTHQoeAXJ USER at server1  
>   5) Client: ssh USER at server --> it failed
> 
> What should I do with user_key-cert.pub file which gets created in step
> 3? Where should I copy this file?
> Do I need to copy user_key/user_key.pub in ~/.ssh/ directory as
> id_rsa/id_rsa.pub on the server side?
> 
> Thanks in advance.
> 
> Naitik Dani
> MTS
> GX Infrastructure HQ
> 
> NetApp
> 724-741-5153 Direct
> Naitik.Dani at netapp.com
> www.netapp.com
> 
> 
> 
>  
> 
> > -----Original Message-----
> > From: Iain Morgan [mailto:imorgan at nas.nasa.gov] 
> > Sent: Monday, June 07, 2010 19:23
> > To: Dani, Naitik
> > Cc: openssh-unix-dev at mindrot.org
> > Subject: Re: X509 based certificate authentication in OpenSSH
> > 
> > On Mon, Jun 07, 2010 at 17:04:09 -0500, Dani, Naitik wrote:
> > > Hello,
> > > 
> > > I would like to know whether OpenSSH supports x509 certificate based
> > > authentication.
> > 
> > No, although Roumen Petrov maintains a patch that adds such support.
> > 
> > > It looks like OpenSSH has dependency on OpenSSL so does this mean that
> > > OpenSSH also supports x509 certificate based authentication.
> > 
> > No, OpenSSH just uses the low-level cryptographic algorithms from
> > OpenSSL.
> > 
> > > 
> > > If it does support, can you please point me to the necessary
> > > documentation. 
> > > 
> > 
> > The developers have maintained a stance that the complexity of X.509
> > certificates introduces an unacceptable attack surface for sshd.
> > Instead, they have recently implemented an alternative certificate
> > format which is much simpler to parse and thus introduces less risk.
> > See the various man pages in OpenSSH 5.5 for more information.
> > 
> > -- 
> > Iain Morgan
> > 

-- 
Iain Morgan
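As an added illustration of the principal check described above (example code, not from this thread or from OpenSSH itself), the following Python pulls the "valid principals" field out of a `*-cert.pub` line in the current v01 certificate format and applies sshd's rule: an empty list matches any account, otherwise the login name must be listed. The certificate it parses is constructed inline with placeholder key and signature bytes, so nothing is cryptographically verified.

```python
"""Added example: read the principals list from an OpenSSH user certificate
(v01 wire format) and apply sshd's rule: an empty list matches any account,
otherwise the login name must appear in the list (set with ssh-keygen -n)."""
import base64
import struct

def _ssh_string(b: bytes) -> bytes:
    """Encode an SSH wire 'string': uint32 length prefix followed by bytes."""
    return struct.pack(">I", len(b)) + b

def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def cert_principals(cert_pub_line: str) -> list:
    """Return the 'valid principals' field of a *-cert.pub line (RSA or ed25519)."""
    blob = base64.b64decode(cert_pub_line.split()[1])
    typ, off = _read_string(blob, 0)
    if not typ.endswith(b"-cert-v01@openssh.com"):
        raise ValueError("not an OpenSSH v01 certificate")
    _nonce, off = _read_string(blob, off)
    # RSA certificates carry e and n as two strings; ed25519 carries one key string.
    for _ in range(2 if typ.startswith(b"ssh-rsa") else 1):
        _key, off = _read_string(blob, off)
    off += 8 + 4  # skip uint64 serial and uint32 type (1 = user, 2 = host)
    _key_id, off = _read_string(blob, off)
    packed, _ = _read_string(blob, off)
    principals, p = [], 0
    while p < len(packed):  # the field is itself a sequence of SSH strings
        name, p = _read_string(packed, p)
        principals.append(name.decode())
    return principals

def account_allowed(principals: list, login_name: str) -> bool:
    """sshd's check: no principals means any account; otherwise exact match."""
    return not principals or login_name in principals

def build_test_cert(principals: list) -> str:
    """Constructed RSA user cert with placeholder key/signature bytes (parser input only)."""
    body = _ssh_string(b"ssh-rsa-cert-v01@openssh.com")
    body += _ssh_string(b"\x00" * 32)                 # nonce
    body += _ssh_string(b"\x01\x00\x01")              # e (placeholder)
    body += _ssh_string(b"\x00" + b"\xab" * 32)       # n (placeholder)
    body += struct.pack(">QI", 0, 1)                  # serial 0, type 1 = user
    body += _ssh_string(b"2")                         # key ID, as in 'ssh-keygen -I 2'
    body += _ssh_string(b"".join(_ssh_string(p.encode()) for p in principals))
    body += struct.pack(">QQ", 0, 2**64 - 1)          # valid after / valid before
    body += _ssh_string(b"") * 3                      # critical options, extensions, reserved
    body += _ssh_string(b"ca-placeholder") + _ssh_string(b"sig-placeholder")
    return "ssh-rsa-cert-v01@openssh.com " + base64.b64encode(body).decode() + " user_key"
```

Running `cert_principals` on a real `user_key-cert.pub` shows the same list that `ssh-keygen -L` prints under "Principals"; a cert signed with `-n USER` yields `["USER"]` and is refused for any other login name.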

