X509 based certificate authentication in OpenSSH

Iain Morgan imorgan at nas.nasa.gov
Thu Jun 10 09:40:08 EST 2010

On Wed, Jun 09, 2010 at 15:09:49 -0500, Dani, Naitik wrote:
> > particular, there is no need to copy it to remote hosts. You would only
> > need to copy the public key, user_key.pub, to servers that do not
> > support the certificate format, i.e. any older than OpenSSH 5.4 or any
> > server using something other than OpenSSH. And you should _never_ copy
> > the private key to a remote host.
> Does this mean that, if my servers do support certificate format, i.e.
> newer than OpenSSH 5.4, then I need to copy user_key-cert.pub into
> ~/.ssh/authorized_keys instead of user_key.pub?

No, you _never_ need to add your *-cert.pub file to the
~/.ssh/authorized_keys file. You _only_ need to add the ca_key.pub file
with the cert-authority tag. That allows the server to determine that the
certificate (which the client offers during authentication) is signed by
a trusted CA.

> I tried that, and the connection failed. Is this the expected behavior
> or am I missing something?
> Thanks

Offhand, I'm not sure what the expected behaviour would be if you added
user_key-cert.pub to your authorized_keys file.  However, it would not
be of any benefit.

You may want to try using -v with ssh to see what actually is happening.
I suspect that either ssh is not actually using the certificate or that
you have a list of principals specified which does not match the account
you are trying to authenticate to.

You might also want to do 'ssh-keygen -Lf user_key-cert.pub' to verify
the parameters that are set for the certificate.

If those steps don't shed any light and you have sufficient access to
the server, you could check the system logs for further info regarding
the authentication attempt. For best results, you may need to set the
LogLevel on the server to 'verbose.'

Iain Morgan

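The pieces Iain describes, as an added shell example that is not part of the thread: mint a CA, sign a user key with an explicit principal list, build the single cert-authority line a certificate-aware server needs in authorized_keys, and parse 'ssh-keygen -Lf' to check whether the account name you log in as is actually among the certificate's principals. Key type, key ID, principal names and the temporary paths are all constructed assumptions for the demo, and it assumes an OpenSSH new enough to support ed25519 keys.

```shell
#!/bin/sh
# Constructed demo of OpenSSH certificate authentication setup and checks.
# Every name and path here is an assumption, not taken from the mail.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. The CA key pair. Only ca_key.pub ever goes to servers.
make_ca() {
    ssh-keygen -q -t ed25519 -N '' -C 'demo-ca' -f "$WORK/ca_key"
}

# 2. A user key pair, signed by the CA with explicit principals and a
#    validity window. user_key-cert.pub is what ssh *offers* to the
#    server; it is never installed in authorized_keys.
make_user_cert() {   # $1 = comma-separated principals, $2 = validity (e.g. +52w)
    ssh-keygen -q -t ed25519 -N '' -C 'demo-user' -f "$WORK/user_key"
    ssh-keygen -q -s "$WORK/ca_key" -I 'demo-user-cert' -n "$1" -V "$2" \
        "$WORK/user_key.pub"
}

# 3. The one line a certificate-aware server needs in authorized_keys:
#    the CA public key tagged with cert-authority.
authorized_keys_line() {
    printf 'cert-authority %s\n' "$(cut -d' ' -f1,2 "$WORK/ca_key.pub")"
}

# 4. The diagnostic from the mail: does the certificate list the account
#    you are authenticating to? Parses the 'Principals:' block of
#    'ssh-keygen -Lf' (one principal per line, nothing else on the line).
cert_allows_principal() {   # $1 = account name; returns 0 if listed
    ssh-keygen -Lf "$WORK/user_key-cert.pub" | awk -v want="$1" '
        /^ *Principals:/          { inlist = 1; next }
        inlist && NF == 1         { if ($1 == want) found = 1; next }
        inlist                    { inlist = 0 }
        END                       { exit (found ? 0 : 1) }'
}

# Demo run: ./cert-demo.sh demo
if [ "${1-}" = "demo" ]; then
    make_ca
    make_user_cert 'alice,deploy' '+52w'
    authorized_keys_line
    ssh-keygen -Lf "$WORK/user_key-cert.pub"
    cert_allows_principal alice && echo "alice: principal present"
    cert_allows_principal bob   || echo "bob: not a principal, login would fail"
fi
```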