X509 based certificate authentication in OpenSSH
Naitik.Dani at netapp.com
Fri Jun 11 03:00:19 EST 2010
Thanks for your previous reply. I have removed the -n option as you asked
for and it worked.
Is there any link which explains how the key/certificate exchange takes
place (i.e. an architecture overview) for certificate-based SSH?
I would really like to understand the steps that occur when a client
tries to connect to a remote host using a certificate.
Once again, thanks for helping me with this.
1) ssh-keygen -f ca_rsa --> Generates CA key for signing
2) ssh-keygen --> Generates the user key with the default name
3) ssh-keygen -s ca_rsa -I 2 /u/naitik/.ssh/id_rsa.pub --> Signs the user key with CA key
Signed user key /u/naitik/.ssh/id_rsa-cert.pub: id "2" valid forever
4) ssh-keygen -Lf /u/naitik/.ssh/id_rsa-cert.pub --> Prints the contents
RSA-CERT user certificate
Signed by RSA CA ad:82:20:d2:17:f9:09:cb:10:4c:a9:f7:d2:07:7a:e6
Key ID "2"
5) cp ca_rsa.pub /u/naitik/.ssh/authorized_keys
6) Add cert-authority Tag
lfGW9VfGXyic+L/ohhDSkaN0AI3t9 root at naitik001
GX Infrastructure HQ
Naitik.Dani at netapp.com
> -----Original Message-----
> From: Iain Morgan [mailto:imorgan at nas.nasa.gov]
> Sent: Wednesday, June 09, 2010 19:40
> To: Dani, Naitik
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: X509 based certificate authentication in OpenSSH
> On Wed, Jun 09, 2010 at 15:09:49 -0500, Dani, Naitik wrote:
> > > particular, there is no need to copy it to remote hosts. You would only
> > > need to copy the public key, user_key.pub, to servers that do not
> > > support the certificate format, i.e. any older than OpenSSH 5.4 or any
> > > server using something other than OpenSSH. And you should _never_ copy
> > > the private key to a remote host.
> > Does this mean that, if my servers do support certificate format, i.e.
> > newer than OpenSSH 5.4, then I need to copy user_key-cert.pub into
> > ~/.ssh/authorized_keys instead of user_key.pub?
> No, you _never_ need to add your *-cert.pub file to the
> ~/.ssh/authorized_keys file. You _only_ need to add the ca_key.pub file
> with the cert-authority tag. That allows the server to determine that the
> certificate (which the client offers during authentication) is signed by
> a trusted CA.
> > I tried that, and the connection failed. Is this the expected behavior
> > or am I missing something?
> > Thanks
> Offhand, I'm not sure what the expected behaviour would be if you added
> user_key-cert.pub to your authorized_keys file. However, it would not
> be of any benefit.
> You may want to try using -v with ssh to see what actually is
> I suspect that either ssh is not actually using the certificate or that
> you have a list of principals specified which does not match the account
> you are trying to authenticate to.
> You might also want to do 'ssh-keygen -Lf user_key-cert.pub' to verify
> the parameters that are set for the certificate.
> If those steps don't shed any light and you have sufficient access to
> the server, you could check the system logs for further info regarding
> the authentication attempt. For best results, you may need to set the
> LogLevel on the server to 'verbose.'
> Iain Morgan
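The server-side checks Iain describes, as an added example written for this page (not code from the thread or from OpenSSH): it decodes a certificate body the way ssh-keygen -L does (field layout from PROTOCOL.certkeys, using an ed25519 certificate built from constructed, non-functional key bytes), collects the CA keys that authorized_keys marks with cert-authority, and applies the CA-trust, validity and principal rules from sshd(8). Verification of the CA's cryptographic signature over the body is deliberately not modelled, so this illustrates sshd's policy rather than replacing it.

```python
import base64, struct

FOREVER = 0xFFFFFFFFFFFFFFFF  # valid_before that ssh-keygen -L reports as "valid forever"

def s(b):  # SSH "string": uint32 big-endian length prefix followed by the bytes
    return struct.pack(">I", len(b)) + b

def read_string(buf, off):
    n = struct.unpack_from(">I", buf, off)[0]; return buf[off + 4:off + 4 + n], off + 4 + n

def parse_ed25519_cert(blob):  # field layout of ssh-ed25519-cert-v01@openssh.com (PROTOCOL.certkeys)
    c, off = {}, 0
    for name in ("type", "nonce", "pk"):
        c[name], off = read_string(blob, off)
    c["serial"], c["cert_type"] = struct.unpack_from(">QI", blob, off); off += 12
    c["key_id"], off = read_string(blob, off)
    packed, off = read_string(blob, off)  # principals: zero or more strings packed inside one string
    c["principals"], p = [], 0
    while p < len(packed):
        name, p = read_string(packed, p); c["principals"].append(name.decode())
    c["valid_after"], c["valid_before"] = struct.unpack_from(">QQ", blob, off); off += 16
    for name in ("critical", "extensions", "reserved", "signature_key", "signature"):
        c[name], off = read_string(blob, off)
    return c

def trusted_cas(authorized_keys):  # key blobs from lines carrying the cert-authority option
    for line in authorized_keys.splitlines():
        parts = line.split()
        if len(parts) >= 3 and "cert-authority" in parts[0].split(","):
            yield base64.b64decode(parts[2])  # a plain key line (or a copied *-cert.pub) is not a CA

def authorize(cert, account, authorized_keys, now):
    """sshd's policy checks on an offered user certificate (CA signature verification not modelled)."""
    if cert["signature_key"] not in trusted_cas(authorized_keys):
        return "rejected: signing CA is not listed with cert-authority in authorized_keys"
    if not cert["valid_after"] <= now < cert["valid_before"]:
        return "rejected: certificate is outside its validity window"
    if cert["principals"] and account not in cert["principals"]:  # empty list means any user
        return "rejected: %s is not a listed principal" % account
    return "accepted: key id %s" % cert["key_id"].decode()

# Constructed sample (not real keys): CA key blob, a user cert body it signed with key id "2",
# no principals and no expiry (as in the thread), and the authorized_keys line that trusts the CA.
CA_KEY_BLOB = s(b"ssh-ed25519") + s(bytes(range(32)))
CERT = (s(b"ssh-ed25519-cert-v01@openssh.com") + s(bytes(32)) + s(bytes(32))
        + struct.pack(">QI", 0, 1) + s(b"2") + s(b"") + struct.pack(">QQ", 0, FOREVER)
        + s(b"") + s(b"") + s(b"") + s(CA_KEY_BLOB) + s(b"constructed-signature"))
AUTHORIZED_KEYS = "cert-authority ssh-ed25519 %s root@naitik001\n" % base64.b64encode(CA_KEY_BLOB).decode()

if __name__ == "__main__":
    print(authorize(parse_ed25519_cert(CERT), "naitik", AUTHORIZED_KEYS, 1276218019))
```

Copying the *-cert.pub line into authorized_keys instead of the CA line leaves trusted_cas() empty, which is why that attempt in the thread could never succeed.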