X509 based certificate authentication in OpenSSH
Dani, Naitik
Naitik.Dani at netapp.com
Thu Jun 10 06:09:49 EST 2010
> particular, there is no need to copy it to remote hosts. You would only
> need to copy the public key, user_key.pub, to servers that do not
> support the certificate format, i.e. any older than OpenSSH 5.4 or any
> server using something other than OpenSSH. And you should _never_ copy
> the private key to a remote host.
Does this mean that, if my servers do support certificate format, i.e.
newer than OpenSSH 5.4, then I need to copy user_key-cert.pub into
~/.ssh/authorized_keys instead of user_key.pub?
I tried that, and the connection failed. Is this the expected behavior
or am I missing something?
Thanks
Naitik Dani
MTS
GX Infrastructure HQ
NetApp
724-741-5153 Direct
Naitik.Dani at netapp.com
www.netapp.com
> -----Original Message-----
> From: Iain Morgan [mailto:imorgan at nas.nasa.gov]
> Sent: Wednesday, June 09, 2010 13:36
> To: Dani, Naitik
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: X509 based certificate authentication in OpenSSH
>
> Hi Naitik,
>
> One thing I neglected to point out in my earlier off-list response to
> you is that your use of the -n option may create a complication.
> Specifically, using '-n USER' will restrict the certificate to only
> being able to authenticate to a USER account.
>
> When sshd encounters a certificate that has a non-empty list of
> principals (as specified by the -n option to ssh-keygen), it will
> compare the username of the account being logged into against
> this list. If the name of the remote account is not in the list of
> principals, the certificate will be rejected.
>
> Other than that caveat, what you have described looks correct.
>
> You don't need to do anything with the -cert.pub file that was created.
> Simply keep it in the same directory as the associated private key. In
> particular, there is no need to copy it to remote hosts. You would only
> need to copy the public key, user_key.pub, to servers that do not
> support the certificate format, i.e. any older than OpenSSH 5.4 or any
> server using something other than OpenSSH. And you should _never_ copy
> the private key to a remote host.
>
> Simply keep the private key, public key and certificate (user_key,
> user_key.pub, and user_key-cert.pub respectively) in your ~/.ssh
> directory on the client system. Note that since you chose to use a
> non-default name for the key (and thus the cert) you will need to
> explicitly tell ssh to load the key/cert either with the -i command-line
> option or the IdentityFile option in ~/.ssh/config.
>
> On Wed, Jun 09, 2010 at 10:14:41 -0500, Dani, Naitik wrote:
> > I did the following steps to create a certificate, but it does not work:
> >
> >
> > 1) Client: ssh-keygen -f ca_key
> > 2) Client: ssh-keygen -f user_key
> > 3) Client: ssh-keygen -s ca_key -I 2 -n USER user_key.pub
> > 4) Server: cp ca_key.pub ~/.ssh/authorized_keys
> > 5) I tagged the entry in authorized_keys as follows with
> > cert-authority, is this correct:
> > cert-authority ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDscbUTgHMo+bryVqKHbItgd1THR4fVvjRdrDd3ZoEooPA8iz/AR9umzn19rAeuRIKRYUnRsslaAVnAji6Hl1To51xoKQuV63cykCM+smxqsEIO8ThGeF/oH/HfAnpdDfZ7Lkh2n6n4ixwEygjQ0M9gnAZkyKBoq08rGp3vCZUFRCOTH3Xpdsy8kIqFxNdYyGNyLr3RpneSGJ9V99n4UmeUkm0ofVI0BaL0aCe4t1WTHQoeAXJ USER at server1
> > 6) Client: ssh USER at server --> it failed
> >
> > What should I do with user_key-cert.pub file which gets created in step
> > 3? Where should I copy this file?
> > Do I need to copy user_key/user_key.pub in ~/.ssh/ directory as
> > id_rsa/id_rsa.pub on the server side?
> >
> > Thanks in advance.
> >
> > Naitik Dani
> > MTS
> > GX Infrastructure HQ
> >
> > NetApp
> > 724-741-5153 Direct
> > Naitik.Dani at netapp.com
> > www.netapp.com
> >
> >
> >
> >
> >
> > > -----Original Message-----
> > > From: Iain Morgan [mailto:imorgan at nas.nasa.gov]
> > > Sent: Monday, June 07, 2010 19:23
> > > To: Dani, Naitik
> > > Cc: openssh-unix-dev at mindrot.org
> > > Subject: Re: X509 based certificate authentication in OpenSSH
> > >
> > > On Mon, Jun 07, 2010 at 17:04:09 -0500, Dani, Naitik wrote:
> > > > Hello,
> > > >
> > > > I would like to know whether OpenSSH supports x509 certificate based
> > > > authentication.
> > >
> > > No, although Roumen Petrov maintains a patch that adds such support.
> > >
> > > > It looks like OpenSSH has a dependency on OpenSSL so does this mean that
> > > > OpenSSH also supports x509 certificate based authentication.
> > >
> > > No, OpenSSH just uses the low-level cryptographic algorithms from
> > > OpenSSL.
> > >
> > > >
> > > > If it does support, can you please point me to the necessary
> > > > documentation.
> > > >
> > >
> > > The developers have maintained a stance that the complexity of X.509
> > > certificates introduces an unacceptable attack surface for sshd.
> > > Instead, they have recently implemented an alternative certificate
> > > format which is much simpler to parse and thus introduces less risk. See
> > > the various man pages in OpenSSH 5.5 for more information.
> > >
> > > --
> > > Iain Morgan
> > >
>
> --
> Iain Morgan
>
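The certificate format Iain refers to, and the principal check he describes, as an added example that is not part of this thread or of OpenSSH's own code: a small Python decoder for a user_key-cert.pub line (the same fields that `ssh-keygen -L -f user_key-cert.pub` prints), with the account-name check applied to a constructed sample certificate. The sample is built with placeholder key material and a placeholder signature, so it only exercises the parser and the principal logic; the field layout follows OpenSSH's PROTOCOL.certkeys for ssh-rsa-cert-v01@openssh.com, and the function names are this example's own.

```python
"""Decode an OpenSSH user certificate (the *-cert.pub line written by
ssh-keygen -s) and apply the principal check discussed in the thread.

build_user_cert() fabricates a sample with placeholder key material and a
placeholder signature so the parser can run offline; a real sshd would
reject it because the CA signature is not valid.
"""
import base64
import struct

CERT_TYPE = "ssh-rsa-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1
SSH_CERT_TYPE_HOST = 2
NEVER_EXPIRES = 0xFFFFFFFFFFFFFFFF   # ssh-keygen's default valid_before


def _string(b: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    """SSH 'mpint' for a non-negative integer (leading 0x00 when MSB is set)."""
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_user_cert(key_id: str, principals: list, serial: int = 0,
                    valid_after: int = 0, valid_before: int = NEVER_EXPIRES,
                    comment: str = "user_key") -> str:
    """Return one line in user_key-cert.pub format (constructed sample)."""
    placeholder_key = _mpint(65537) + _mpint(0xC0FFEE)   # e, n: not a real modulus
    body = b"".join([
        _string(CERT_TYPE.encode()),
        _string(b"\x00" * 32),                                 # nonce (placeholder)
        placeholder_key,                                       # certified public key
        struct.pack(">Q", serial),                             # ssh-keygen -z
        struct.pack(">I", SSH_CERT_TYPE_USER),                 # user cert (no -h)
        _string(key_id.encode()),                              # ssh-keygen -I
        _string(b"".join(_string(p.encode()) for p in principals)),  # -n
        struct.pack(">Q", valid_after),                        # ssh-keygen -V
        struct.pack(">Q", valid_before),
        _string(b""),                                          # critical options
        _string(b""),                                          # extensions
        _string(b""),                                          # reserved
        _string(_string(b"ssh-rsa") + placeholder_key),        # CA's signature key
        _string(_string(b"ssh-rsa") + _string(b"\x00" * 16)),  # signature (placeholder)
    ])
    return "%s %s %s" % (CERT_TYPE, base64.b64encode(body).decode(), comment)


class _Reader:
    """Sequential reader for the SSH wire types used in the certificate."""
    def __init__(self, data: bytes):
        self.data, self.off = data, 0

    def _take(self, n: int) -> bytes:
        chunk = self.data[self.off:self.off + n]
        if len(chunk) != n:
            raise ValueError("truncated certificate")
        self.off += n
        return chunk

    def uint32(self) -> int:
        return struct.unpack(">I", self._take(4))[0]

    def uint64(self) -> int:
        return struct.unpack(">Q", self._take(8))[0]

    def string(self) -> bytes:
        return self._take(self.uint32())

    def done(self) -> bool:
        return self.off >= len(self.data)


def parse_cert(line: str) -> dict:
    """Parse a *-cert.pub line into its fields (what ssh-keygen -L shows)."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != CERT_TYPE:
        raise ValueError("not an %s line" % CERT_TYPE)
    r = _Reader(base64.b64decode(fields[1]))
    if r.string().decode() != CERT_TYPE:
        raise ValueError("certificate type field does not match")
    r.string()                          # nonce
    r.string()                          # e of the certified key
    r.string()                          # n of the certified key
    cert = {"serial": r.uint64(), "type": r.uint32(),
            "key_id": r.string().decode()}
    pr = _Reader(r.string())            # principals: a string of strings
    principals = []
    while not pr.done():
        principals.append(pr.string().decode())
    cert["principals"] = principals
    cert["valid_after"] = r.uint64()
    cert["valid_before"] = r.uint64()
    cert["critical_options"] = r.string()
    cert["extensions"] = r.string()
    r.string()                          # reserved
    cert["signature_key"] = r.string()
    cert["signature"] = r.string()
    if not r.done():
        raise ValueError("trailing data after certificate")
    return cert


def principal_allows(cert: dict, login_user: str, now: int) -> bool:
    """The account check from the thread: with a non-empty principals list
    (ssh-keygen -n) the account being logged into must appear in it; an
    empty list allows any account. The validity window is enforced too.
    Not done here: verifying the CA signature against the cert-authority key."""
    if cert["type"] != SSH_CERT_TYPE_USER:
        return False
    if not (cert["valid_after"] <= now < cert["valid_before"]):
        return False
    return not cert["principals"] or login_user in cert["principals"]


if __name__ == "__main__":
    # Mirrors step 3 of the thread: ssh-keygen -s ca_key -I 2 -n USER user_key.pub
    cert = parse_cert(build_user_cert(key_id="2", principals=["USER"]))
    print(cert["key_id"], cert["principals"])
    print("USER ->", principal_allows(cert, "USER", 1276150000))   # True
    print("bob  ->", principal_allows(cert, "bob", 1276150000))    # False
```

With `-n USER` the principals list decodes to `['USER']`, which is why a login as any other account name fails even though the cert itself is fine. sshd additionally verifies the signature against the cert-authority key in authorized_keys, which this example deliberately leaves out.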