X509 based certificate authentication in OpenSSH

Dani, Naitik Naitik.Dani at netapp.com
Fri Jun 11 03:00:19 EST 2010


Thanks for your previous reply. I have removed the -n option as you asked,
and it worked.

Is there any link which explains how the key/certificate exchange takes
place (i.e. an architecture overview) for certificate-based SSH?

I would really like to understand the steps that occur when a client
tries to connect to a remote host using a certificate.

Once again thanks for helping me with this.

1) ssh-keygen -f ca_rsa    --> Generates CA key for signing

2) ssh-keygen --> Generates the user key with the default name

3) ssh-keygen -s ca_rsa -I 2 /u/naitik/.ssh/id_rsa.pub  --> Signs the
user key with CA key
Signed user key /u/naitik/.ssh/id_rsa-cert.pub: id "2" valid forever

4) ssh-keygen -Lf /u/naitik/.ssh/id_rsa-cert.pub --> Prints the contents
of certificate
        RSA-CERT user certificate
        Signed by RSA CA ad:82:20:d2:17:f9:09:cb:10:4c:a9:f7:d2:07:7a:e6
        Key ID "2"
        Valid: forever
        Principals: (none)

5) cp ca_rsa.pub /u/naitik/.ssh/authorized_keys

6) Add cert-authority Tag
less authorized_keys
cert-authority ssh-rsa lfGW9VfGXyic+L/ohhDSkaN0AI3t9 root at naitik001

Naitik Dani
GX Infrastructure HQ

724-741-5153 Direct
Naitik.Dani at netapp.com

> -----Original Message-----
> From: Iain Morgan [mailto:imorgan at nas.nasa.gov]
> Sent: Wednesday, June 09, 2010 19:40
> To: Dani, Naitik
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: X509 based certificate authentication in OpenSSH
> On Wed, Jun 09, 2010 at 15:09:49 -0500, Dani, Naitik wrote:
> > > particular, there is no need to copy it to remote hosts. You
> > > would only need to copy the public key, user_key.pub, to servers
> > > that do not support the certificate format, i.e. any older than
> > > OpenSSH 5.4 or any server using something other than OpenSSH. And
> > > you should _never_ copy the private key to a remote host.
> >
> > Does this mean that, if my servers do support certificate format,
> > i.e. newer than OpenSSH 5.4, then I need to copy user_key-cert.pub
> > into ~/.ssh/authorized_keys instead of user_key.pub?
>
> No, you _never_ need to add your *-cert.pub file to the
> ~/.ssh/authorized_keys file. You _only_ need to add the ca_key.pub file
> with the cert-authority tag. That allows the server to determine that
> the certificate (which the client offers during authentication) is
> signed by a trusted CA.
>
> > I tried that, and the connection failed. Is this the expected
> > behavior or am I missing something?
> >
> > Thanks
> >
> Offhand, I'm not sure what the expected behaviour would be if you added
> user_key-cert.pub to your authorized_keys file. However, it would not
> be of any benefit.
>
> You may want to try using -v with ssh to see what actually is
> happening. I suspect that either ssh is not actually using the
> certificate or that you have a list of principals specified which does
> not match the account you are trying to authenticate to.
>
> You might also want to do 'ssh-keygen -Lf user_key-cert.pub' to verify
> the parameters that are set for the certificate.
>
> If those steps don't shed any light and you have sufficient access to
> the server, you could check the system logs for further info regarding
> the authentication attempt. For best results, you may need to set the
> LogLevel on the server to 'verbose'.
> --
> Iain Morgan
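The six steps in Naitik's message, run end to end in a throwaway directory, as an added example that is not part of the thread and not an OpenSSH project script. It follows the file names from the thread (ca_rsa, id_rsa, id_rsa-cert.pub) but, unlike step 3, passes -n so the certificate is bound to a principal instead of showing "Principals: (none)", and -V so it is not valid forever; the principal "naitik", key ID "2" and 52-week validity are assumed sample values. It then checks that the "Signing CA" fingerprint printed by ssh-keygen -L matches the fingerprint of the ca_rsa.pub that step 6 installs under the cert-authority tag, which is the trust relationship Iain describes. It assumes an ssh-keygen that prints SHA256 fingerprints (OpenSSH 6.8 or newer).

```shell
#!/usr/bin/env bash
# Added example: CA-signed user key setup from the thread, plus a check that
# the certificate really was signed by the CA key placed in authorized_keys.
# Names ca_rsa / id_rsa follow the thread; principal "naitik", key ID "2"
# and the 52-week validity are assumed sample values.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1) CA key pair. Only ca_rsa.pub ever leaves this directory; the private
#    half stays with whoever signs user keys.
make_ca() {
    ssh-keygen -q -t rsa -b 3072 -N '' -C 'demo CA' -f "$WORK/ca_rsa"
}

# 2) User key pair (the thread used plain "ssh-keygen" with the default name).
make_user_key() {
    ssh-keygen -q -t rsa -b 3072 -N '' -C 'naitik@client' -f "$WORK/id_rsa"
}

# 3) Sign the user public key with the CA. $1 = key ID, $2 = principal.
#    With a cert-authority entry in authorized_keys, a certificate that has
#    no principals is accepted for any account that trusts the CA, so -n
#    binds it to the login name; -V replaces "Valid: forever".
sign_user_key() {
    ssh-keygen -q -s "$WORK/ca_rsa" -I "$1" -n "$2" -V '+52w' "$WORK/id_rsa.pub"
}

# 4) Print the certificate contents (key ID, validity, principals, CA).
show_cert() {
    ssh-keygen -L -f "$WORK/id_rsa-cert.pub"
}

# SHA256 fingerprint of the CA that signed the certificate, taken from the
# "Signing CA:" line of ssh-keygen -L (OpenSSH 6.8+ prints SHA256 here).
cert_signing_ca() {
    show_cert | grep -E 'Signing CA|Signed by' | grep -oE 'SHA256:[A-Za-z0-9+/=]+'
}

# SHA256 fingerprint of a public key file, e.g. the CA key we intend to trust.
key_fingerprint() {
    ssh-keygen -l -f "$1" | grep -oE 'SHA256:[A-Za-z0-9+/=]+'
}

# 5+6) The server-side entry: the CA public key with the cert-authority tag.
#      The user's id_rsa-cert.pub is never installed on the server.
authorized_keys_line() {
    printf 'cert-authority %s\n' "$(cat "$WORK/ca_rsa.pub")"
}

# The check a server admin wants before trusting ca_rsa.pub: the CA named in
# the certificate is the same key that is going into authorized_keys.
ca_matches_cert() {
    [ "$(cert_signing_ca)" = "$(key_fingerprint "$WORK/ca_rsa.pub")" ]
}

demo() {
    make_ca
    make_user_key
    sign_user_key 2 naitik
    show_cert
    printf '\nauthorized_keys entry for the server:\n'
    authorized_keys_line
    if ca_matches_cert; then
        echo "OK: certificate was signed by the CA in authorized_keys"
    else
        echo "MISMATCH: certificate was signed by a different CA" >&2
        return 1
    fi
}

if command -v ssh-keygen >/dev/null 2>&1; then
    demo
else
    echo "ssh-keygen not found; nothing to run" >&2
fi
```

If the check reports a mismatch, the server would log a failed certificate authentication for exactly the reason Iain lists: the certificate the client offers is not signed by the CA the server trusts. Running the client with -v, or raising the server LogLevel as suggested, shows the same thing from either side.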
