X509 based certificate authentication in OpenSSH

Dani, Naitik Naitik.Dani at netapp.com
Fri Jun 11 03:00:19 EST 2010


Iain,

Thanks for your previous reply. I have removed the -n option as you asked,
and it worked.

Is there any link which explains how the key/certificate exchange takes
place (i.e. an architecture overview) for certificate-based SSH
authentication?

I would really like to understand the steps that occur when a client
tries to connect to a remote host using a certificate.

Once again thanks for helping me with this.

1) ssh-keygen -f ca_rsa    --> Generates CA key for signing

2) ssh-keygen --> Generates the user key with the default name
(id_rsa/.pub)

3) ssh-keygen -s ca_rsa -I 2 /u/naitik/.ssh/id_rsa.pub  --> Signs the
user key with CA key
Signed user key /u/naitik/.ssh/id_rsa-cert.pub: id "2" valid forever

4) ssh-keygen -Lf /u/naitik/.ssh/id_rsa-cert.pub --> Prints the contents
of certificate
/u/naitik/.ssh/id_rsa-cert.pub:
        RSA-CERT user certificate 8c:50:f7:43:0a:ef:b3:8e:a9:4e:3f:04:d6:e7:a9:9a
        Signed by RSA CA ad:82:20:d2:17:f9:09:cb:10:4c:a9:f7:d2:07:7a:e6
        Key ID "2"
        Valid: forever
        Principals: (none)
        Constraints:
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc

5) cp ca_rsa.pub /u/naitik/.ssh/authorized_keys

6) Add cert-authority Tag
less authorized_keys
cert-authority ssh-rsa



Naitik Dani
MTS
GX Infrastructure HQ

NetApp
724-741-5153 Direct
Naitik.Dani at netapp.com
www.netapp.com





> -----Original Message-----
> From: Iain Morgan [mailto:imorgan at nas.nasa.gov]
> Sent: Wednesday, June 09, 2010 19:40
> To: Dani, Naitik
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: X509 based certificate authentication in OpenSSH
>
> On Wed, Jun 09, 2010 at 15:09:49 -0500, Dani, Naitik wrote:
> > > particular, there is no need to copy it to remote hosts. You
> > > would only
> > > need to copy the public key, user_key.pub, to servers that do not
> > > support the certificate format, i.e. any older than
> OpenSSH 5.4 or any
> > > server using something other than OpenSSH. And you should
> _never_ copy
> > > the private key to a remote host.
> >
> > Does this mean that, if my servers do support certificate
> format, i.e.
> > newer than OpenSSH 5.4, then I need to copy user_key-cert.pub into
> > ~/.ssh/authorized_keys instead of user_key.pub?
>
> No, you _never_ need to add your *-cert.pub file to the
> ~/.ssh/authorized_keys file. You _only_ need to add the
> ca_key.pub file
> with the cert-authority tag. That allows the server to
> determine that the
> certificate (which the client offers during authentication)
> is signed by
> a trusted CA.
>
> >
> > I tried that, and the connection failed. Is this the
> expected behavior
> > or am I missing something?
> >
> > Thanks
> >
>
> Offhand, I'm not sure what the expected behaviour would be if
> you added
> user_key-cert.pub to your authorized_keys file.  However, it would not
> be of any benefit.
>
> You may want to try using -v with ssh to see what actually is
> happening.
> I suspect that either ssh is not actually using the
> certificate or that
> you have a list of principals specified which does not match
> the account
> you are trying to authenticate to.
>
> You might also want to do 'ssh-keygen -Lf user_key-cert.pub' to verify
> the parameters that are set for the certificate.
>
> If those steps don't shed any light and you have sufficient access to
> the server, you could check the system logs for further info regarding
> the authentication attempt. For best results, you may need to set the
> LogLevel on the server to 'verbose.'
>
> --
> Iain Morgan
> 
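Added example, not from this thread or from OpenSSH itself: a small Python parser for the certificate blob that ssh-keygen writes into id_rsa-cert.pub (the current ssh-rsa-cert-v01 layout; OpenSSH 5.4 wrote the older v00 layout), followed by the policy checks a server applies to the certificate after it has verified the CA signature against the key listed with cert-authority in authorized_keys (principals, validity window, certificate type). The function names, the sample key values and the constructed certificate are assumptions for illustration; signature verification itself is not modelled.

```python
import base64, struct

CERT_TYPE = b"ssh-rsa-cert-v01@openssh.com"  # current format; OpenSSH 5.4 emitted the older v00 layout

def _str(b):          # SSH wire "string": uint32 big-endian length, then the bytes
    return struct.pack(">I", len(b)) + b

def _read(buf, pos):  # read one SSH string, return (bytes, next position)
    n, = struct.unpack_from(">I", buf, pos)
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def _list(buf):       # split a blob of concatenated SSH strings into text items
    out, pos = [], 0
    while pos < len(buf):
        s, pos = _read(buf, pos); out.append(s.decode())
    return out

def build_cert(key_id, principals, after, before, extensions, ca_pub, signature):  # constructed sample; signature bytes are supplied, not computed
    body = _str(CERT_TYPE) + _str(b"\x00" * 32) + _str(b"\x01\x00\x01") + _str(b"\x00\xc0\xff\xee")  # nonce, e, n (toy values)
    body += struct.pack(">QI", 0, 1) + _str(key_id.encode())                  # serial, type 1 = user cert
    body += _str(b"".join(_str(p.encode()) for p in principals))
    body += struct.pack(">QQ", after, before) + _str(b"")                      # validity window, critical options
    body += _str(b"".join(_str(e.encode()) + _str(b"") for e in extensions))   # each extension: name + empty data
    return body + _str(b"") + _str(ca_pub) + _str(signature)                   # reserved, CA public key, signature

def parse_cert_line(line):
    """Decode one '<type> <base64> [comment]' line as found in id_rsa-cert.pub."""
    blob, pos, head = base64.b64decode(line.split()[1]), 0, []
    for _ in range(4):                                                        # type, nonce, e, n
        s, pos = _read(blob, pos); head.append(s)
    serial, ctype = struct.unpack_from(">QI", blob, pos); pos += 12
    key_id, pos = _read(blob, pos); princ, pos = _read(blob, pos)
    after, before = struct.unpack_from(">QQ", blob, pos); pos += 16
    _crit, pos = _read(blob, pos); ext, pos = _read(blob, pos); _res, pos = _read(blob, pos)
    ca_pub, pos = _read(blob, pos); sig, pos = _read(blob, pos)
    return {"type": head[0].decode(), "serial": serial, "cert_type": ctype, "key_id": key_id.decode(),
            "principals": _list(princ), "valid_after": after, "valid_before": before,
            "extensions": _list(ext)[0::2], "ca_pub": ca_pub, "sig": sig}

def policy_check(cert, account, trusted_ca_pubs, now):
    """Checks sshd applies once the CA signature has verified (signature math is not modelled here)."""
    if cert["ca_pub"] not in trusted_ca_pubs:
        return "CA key not listed with cert-authority in authorized_keys"
    if cert["cert_type"] != 1:
        return "not a user certificate"
    if not cert["valid_after"] <= now < cert["valid_before"]:
        return "outside validity window"
    if cert["principals"] and account not in cert["principals"]:
        return "principal mismatch"   # an empty principal list matches any account via cert-authority
    return "ok"
```

Running ssh-keygen -Lf on a real -cert.pub shows the same fields this parser extracts, which is the quickest way to spot a principal list or validity window that does not match the account being logged into.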


