X509 based certificate authentication in OpenSSH

Dani, Naitik Naitik.Dani at netapp.com
Thu Jun 10 06:09:49 EST 2010


> particular, there is no need to copy it to remote hosts. You would only
> need to copy the public key, user_key.pub, to servers that do not
> support the certificate format, i.e. any older than OpenSSH 5.4 or any
> server using something other than OpenSSH. And you should _never_ copy
> the private key to a remote host.

Does this mean that, if my servers do support certificate format, i.e.
newer than OpenSSH 5.4, then I need to copy user_key-cert.pub into
~/.ssh/authorized_keys instead of user_key.pub?

I tried that, and the connection failed. Is this the expected behavior
or am I missing something?

Thanks

Naitik Dani
MTS
GX Infrastructure HQ

NetApp
724-741-5153 Direct
Naitik.Dani at netapp.com
www.netapp.com


> -----Original Message-----
> From: Iain Morgan [mailto:imorgan at nas.nasa.gov] 
> Sent: Wednesday, June 09, 2010 13:36
> To: Dani, Naitik
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: X509 based certificate authentication in OpenSSH
> 
> Hi Naitik,
> 
> One thing I neglected to point out in my earlier off-list response to
> you is that your use of the -n option may create a complication.
> Specifically, using '-n USER' will restrict the certificate to only
> being able to authenticate to a USER account.
> 
> When sshd encounters a certificate that has a non-empty list of
> principals (as specified by the -n option to ssh-keygen), it will
> compare the username of the account being logged into against this list.
> If the name of the remote account is not in the list of principals, the
> certificate will be rejected.
> 
> Other than that caveat, what you have described looks correct.
> 
> You don't need to do anything with the -cert.pub file that was created.
> Simply keep it in the same directory as the associated private key. In
> particular, there is no need to copy it to remote hosts. You would only
> need to copy the public key, user_key.pub, to servers that do not
> support the certificate format, i.e. any older than OpenSSH 5.4 or any
> server using something other than OpenSSH. And you should _never_ copy
> the private key to a remote host.
> 
> Simply keep the private key, public key and certificate (user_key,
> user_key.pub, and user_key-cert.pub respectively) in your ~/.ssh
> directory on the client system. Note that since you chose to use a
> non-default name for the key (and thus the cert) you will need to
> explicitly tell ssh to load the key/cert either with the -i command-line
> option or the IdentityFile option in ~/.ssh/config.
> 
> On Wed, Jun 09, 2010 at 10:14:41 -0500, Dani, Naitik wrote:
> > I did the following steps to create a certificate, but it does not work:
> > 
> > 
> >   1) Client: ssh-keygen -f ca_key
> >   2) Client: ssh-keygen -f user_key
> >   3) Client: ssh-keygen -s ca_key -I 2 -n USER user_key.pub
> >   4) Server: cp ca_key.pub ~/.ssh/authorized_keys
> >   5) I tagged the entry in authorized_keys as follows with
> > cert-authority, is this correct:
> > cert-authority ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDscbUTgHMo+bryVqKHbItgd1THR4fVvjRdrDd3ZoEooPA8iz/AR9umzn19rAeuRIKRYUnRsslaAVnAji6Hl1To51xoKQuV63cykCM+smxqsEIO8ThGeF/oH/HfAnpdDfZ7Lkh2n6n4ixwEygjQ0M9gnAZkyKBoq08rGp3vCZUFRCOTH3Xpdsy8kIqFxNdYyGNyLr3RpneSGJ9V99n4UmeUkm0ofVI0BaL0aCe4t1WTHQoeAXJ USER at server1
> >   5) Client: ssh USER at server --> it failed
> > 
> > What should I do with user_key-cert.pub file which gets created in step
> > 3? Where should I copy this file?
> > Do I need to copy user_key/user_key.pub in ~/.ssh/ directory as
> > id_rsa/id_rsa.pub on the server side?
> > 
> > Thanks in advance.
> > 
> > Naitik Dani
> > MTS
> > GX Infrastructure HQ
> > 
> > NetApp
> > 724-741-5153 Direct
> > Naitik.Dani at netapp.com
> > www.netapp.com
> > 
> > 
> > > -----Original Message-----
> > > From: Iain Morgan [mailto:imorgan at nas.nasa.gov] 
> > > Sent: Monday, June 07, 2010 19:23
> > > To: Dani, Naitik
> > > Cc: openssh-unix-dev at mindrot.org
> > > Subject: Re: X509 based certificate authentication in OpenSSH
> > > 
> > > On Mon, Jun 07, 2010 at 17:04:09 -0500, Dani, Naitik wrote:
> > > > Hello,
> > > > 
> > > > I would like to know whether OpenSSH supports x509 certificate based
> > > > authentication.
> > > 
> > > No, although Roumen Petrov maintains a patch that adds such support.
> > > 
> > > > It looks like OpenSSH has dependency on OpenSSL so does this mean that
> > > > OpenSSH also supports x509 certificate based authentication.
> > > 
> > > No, OpenSSH just uses the low-level cryptographic algorithms from
> > > OpenSSL.
> > > 
> > > > 
> > > > If it does support, can you please point me to the necessary
> > > > documentation. 
> > > > 
> > > 
> > > The developers have maintained a stance that the complexity of X.509
> > > certificates introduces an unacceptable attack surface for sshd.
> > > Instead, they have recently implemented an alternative certificate
> > > format which is much simpler to parse and thus introduces less risk. See
> > > the various man pages in OpenSSH 5.5 for more information.
> > > 
> > > -- 
> > > Iain Morgan
> > > 
> 
> -- 
> Iain Morgan
> 
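The thread above comes down to two checks sshd makes when a client offers a certificate: the key that signed the certificate must match a cert-authority entry in authorized_keys, and a non-empty principal list (the -n value) must contain the account being logged into. The following Python model is an added illustration, not code from the thread or from OpenSSH. It builds a user certificate in the ssh-rsa-cert-v01@openssh.com layout described in OpenSSH's PROTOCOL.certkeys, parses it back, and runs those checks against a constructed authorized_keys line. The RSA numbers and the CA are dummies, and the CA signature is neither computed nor verified here (real sshd does both); the authorized_keys parser assumes option lists without embedded spaces.

```python
# Model of the checks sshd applies to an OpenSSH user certificate. Added
# illustration, not OpenSSH code: layout per PROTOCOL.certkeys, dummy key
# numbers, and no CA signature computation or verification (real sshd does both).
import base64
import struct

CERT_TYPE = b"ssh-rsa-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1

def put_string(b):
    return struct.pack(">I", len(b)) + b

def put_mpint(n):
    # Big-endian magnitude with a leading zero byte when the top bit is set.
    return put_string(n.to_bytes((n.bit_length() + 8) // 8, "big") if n else b"")

class Reader:
    # Sequential decoder for the SSH wire types used in certificates.
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        chunk, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        if len(chunk) != n:
            raise ValueError("truncated certificate")
        return chunk
    def u32(self):
        return struct.unpack(">I", self.take(4))[0]
    def u64(self):
        return struct.unpack(">Q", self.take(8))[0]
    def string(self):
        return self.take(self.u32())
    def done(self):
        return self.pos >= len(self.data)

def ssh_rsa_blob(e, n):
    # Public-key blob that appears base64-encoded in ca_key.pub / authorized_keys.
    return put_string(b"ssh-rsa") + put_mpint(e) + put_mpint(n)

def build_user_cert(e, n, serial, key_id, principals, ca_blob):
    """Assemble what `ssh-keygen -s ca_key -I key_id -n principals` writes."""
    body = (put_string(CERT_TYPE) + put_string(bytes(32))           # nonce
            + put_mpint(e) + put_mpint(n)                           # user's public key
            + struct.pack(">QI", serial, SSH_CERT_TYPE_USER)
            + put_string(key_id.encode())                           # -I value
            + put_string(b"".join(put_string(p.encode()) for p in principals))  # -n
            + struct.pack(">QQ", 0, 2**64 - 1)                      # valid forever
            + put_string(b"") + put_string(b"") + put_string(b"")   # crit. opts, exts, reserved
            + put_string(ca_blob))                                  # signature key
    return body + put_string(b"DUMMY-SIGNATURE")                    # real: CA signature over body

def parse_user_cert(blob):
    """Decode the fields sshd (or `ssh-keygen -L`) reads from a certificate."""
    r = Reader(blob)
    if r.string() != CERT_TYPE:
        raise ValueError("not an ssh-rsa-cert-v01@openssh.com certificate")
    r.string(); r.string(); r.string()          # nonce, e, n
    serial, ctype, key_id = r.u64(), r.u32(), r.string().decode()
    plist, principals = Reader(r.string()), []
    while not plist.done():
        principals.append(plist.string().decode())
    valid_after, valid_before = r.u64(), r.u64()
    r.string(); r.string(); r.string()          # critical options, extensions, reserved
    signature_key, _signature = r.string(), r.string()   # signature not verified here
    return {"serial": serial, "type": ctype, "key_id": key_id, "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before, "signature_key": signature_key}

def parse_authorized_keys_line(line):
    # Assumes an option list without embedded spaces, e.g. "cert-authority" alone.
    fields = line.split()
    if fields[0].startswith("ssh-"):
        return [], base64.b64decode(fields[1])
    return fields[0].split(","), base64.b64decode(fields[2])

def authorize(authorized_keys, cert_blob, login_user, now=1276128000):
    """Return (accepted, reason) for a login attempt that presents cert_blob."""
    cert = parse_user_cert(cert_blob)
    if cert["type"] != SSH_CERT_TYPE_USER:
        return False, "not a user certificate"
    if not cert["valid_after"] <= now < cert["valid_before"]:
        return False, "certificate expired or not yet valid"
    # A non-empty principal list (-n) restricts which accounts the cert may log into.
    if cert["principals"] and login_user not in cert["principals"]:
        return False, "principal mismatch"
    for line in authorized_keys.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        options, key_blob = parse_authorized_keys_line(line)
        # Only a cert-authority entry vouches for certificates; the same CA key as an
        # ordinary entry authorises nothing. (Real sshd also verifies the signature.)
        if "cert-authority" in options and key_blob == cert["signature_key"]:
            return True, "accepted"
    return False, "no cert-authority entry matches the signing CA"

def demo():
    """Replay the thread's setup with dummy keys: CA in authorized_keys, cert for USER."""
    ca_blob, other_ca = ssh_rsa_blob(65537, 0xC0FFEE_C0FFEE), ssh_rsa_blob(65537, 0xDEADBEEF)
    ca_b64 = base64.b64encode(ca_blob).decode()
    trusted = "cert-authority ssh-rsa " + ca_b64 + " USER@server1\n"
    cert = build_user_cert(65537, 0xBADC0DE_BADC0DE, 2, "2", ["USER"], ca_blob)
    foreign = build_user_cert(65537, 0xBADC0DE_BADC0DE, 2, "2", ["USER"], other_ca)
    return {"USER": authorize(trusted, cert, "USER"),
            "root": authorize(trusted, cert, "root"),
            "other_ca": authorize(trusted, foreign, "USER"),
            "no_option": authorize("ssh-rsa " + ca_b64 + "\n", cert, "USER")}
```

The `demo` cases mirror the thread: the cert signed for principal USER is accepted for USER and rejected for root, a cert from a different CA finds no matching cert-authority entry, and the CA key listed without the cert-authority option authorises nothing. On a real system, `ssh-keygen -L -f user_key-cert.pub` prints the same fields (key id, principals, validity, signing CA), which is the quickest way to confirm the principal list before attempting the login.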

