Help with CA Certificates for user authentication?

wfdawson wfdawson at bellsouth.net
Fri Nov 4 14:00:52 EST 2011


Hi,

Thanks for your feedback.


I tried setting the principal in the cert to be simply the username of the test account.  I also set the AuthorizedPrincipalsFile to point to the users' .ssh/authorized_principals rather than a system-wide file, and confirmed the file permissions on the test user's .ssh/authorized_principals file.  Still, no success.

I found the instructions here on authenticating ssh server host key to be helpful:

http://justanothergeek.chdir.org/2011/07/howto-authenticate-ssh-server-through.html

Here's a link to some notes about my testing.  I would be most happy if anyone would give some advice after viewing it.  I appreciate it is not an easy read.

http://pastebin.com/91tV8Pii

An interesting tidbit from the server session:

Authentication tried for test with correct key but not from a permitted host (host=172.31.43.3, ip=172.31.43.3).

I found someone else with this issue (or similar):

https://bugzilla.redhat.com/show_bug.cgi?id=666977
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607602
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607369


Though that seems important, I'm able to get past it.  If I make ~test/.ssh/authorized_principals simple so that it contains a single line consisting simply of:

test

... corresponding to the actual principal in the user's certificate signature, the result is cleaner, but still not successful in authenticating the test user with only the CA cert signed public signature file:

debug1: trying authorized principals file /home1/test/.ssh/authorized_principals
debug1: fd 5 clearing O_NONBLOCK
debug1: restore_uid: 0/0
Accepted certificate ID "test" signed by RSA CA e5:04:98:2c:95:d3:b2:21:01:f3:5c:16:63:99:67:db via /etc/sshtest/ssh_cakeys
Postponed publickey for test from 172.31.43.3 port 1866 ssh2


At that point, the user is presented with a prompt to provide his private key passphrase:

debug3: key_from_blob(..., ...) ktype=ssh-rsa
debug1: ssh_rsa_verify: signature correct
debug2: input_userauth_pk_ok: fp 25:cb:6b:60:d6:19:ff:ac:8d:62:21:fa:c0:96:bc:0f
debug3: sign_and_send_pubkey: RSA-CERT 25:cb:6b:60:d6:19:ff:ac:8d:62:21:fa:c0:96:bc:0f
debug1: read PEM private key begin
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/home/test/.ssh/id_rsa': 



So, I'm stuck here... :-( ... as my goal is to authenticate the user without his needing to enter his private key passphrase.

I'm beginning to believe I have misread or misunderstood the functionality that I thought was here...  is this possible (to authenticate based on the user's public key having been signed by a trusted CA), or must the user also provide his private key passphrase just as was the case before OpenSSH CA Certificates?




________________________________
From: Iain Morgan <imorgan at nas.nasa.gov>
To: wfdawson <wfdawson at bellsouth.net>
Cc: "openssh-unix-dev at mindrot.org" <openssh-unix-dev at mindrot.org>
Sent: Thursday, November 3, 2011 1:35 PM
Subject: Re: Help with CA Certificates for user authentication?

Hello,

What happens if you set the principal in the certificate to simply be
the username of the test account?

I suspect that you have a permissions issue with your
authorized_principals file. Remember that it is read using the user's
permissions and thus must be readable by the user.

-- 
Iain Morgan

On Thu, Nov 03, 2011 at 01:50:46 -0500, wfdawson wrote:
> As background, I read:
> 
> http://therowes.net/~greg/2011/03/23/ssh-trusted-ca-key/
> http://www.ibm.com/developerworks/aix/library/au-sshsecurity/
> http://bryanhinton.com/blog/openssh-security
> http://www.linuxhowtos.org/manpages/5/sshd_config.htm
> http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&taskId=120&prodSeriesId=4164814&prodTypeId=18964&objectID=c02838205
> http://www.gossamer-threads.com/lists/openssh/users/50165
> 
> 
> I'm trying to use SSH CA certificates for user authentication, but not getting quite "there."
> 
> I created a signing cert and used it to sign the test user's public key:
> 
> ssh-keygen -s /etc/ssh/ca_rsa -I test -n test at 172.31.43.3 -z 3 /home/test/.ssh/id_rsa.pub
> 
> On my test server, the sshd_config details:
> 
> Port 2022
> HostKey /etc/sshtest/ssh_host_key
> HostKey /etc/sshtest/ssh_host_rsa_key
> HostKey /etc/sshtest/ssh_host_dsa_key
> HostKey /etc/sshtest/ssh_host_ecdsa_key
> MaxAuthTries 3
> AuthorizedKeysFile      /etc/sshtest/authorized_keys
> PasswordAuthentication no
> X11Forwarding yes
> X11DisplayOffset 10
> X11UseLocalhost yes
> UseDNS no
> Subsystem       sftp    /home1/test/usr/local/libexec/sftp-server
> TrustedUserCAKeys       /etc/sshtest/ssh_cakeys
> AuthorizedPrincipalsFile        /etc/sshtest/authorized_principals
> 
> The /etc/sshtest/authorized_principals file contains one line:
> 
> test at 172.31.43.3
> 
> I attempt to connect to the target server from the test client:
> 
> $ ssh -vvv -Y -p 2022 -l test 172.31.44.115
> 
> 
> There is verbose output, which mostly seems right until (on the client):
> 
> 
> debug1: ssh_rsa_verify: signature correct
> debug2: input_userauth_pk_ok: fp c9:42:44:91:48:04:45:b2:ee:93:12:3f:e5:89:13:ab
> debug3: sign_and_send_pubkey: RSA-CERT c9:42:44:91:48:04:45:b2:ee:93:12:3f:e5:89:13:ab
> debug1: read PEM private key begin
> debug1: key_parse_private_pem: PEM_read_PrivateKey failed
> debug1: read PEM private key done: type <unknown>
> Enter passphrase for key '/home/test/.ssh/id_rsa':
> 
> ...and, correspondingly on the server:
> 
> debug1: KEX done
> debug1: userauth-request for user test service ssh-connection method none
> debug1: attempt 0 failures 0
> debug1: userauth-request for user test service ssh-connection method publickey
> debug1: attempt 1 failures 0
> debug1: test whether pkalg/pkblob are acceptable
> debug1: temporarily_use_uid: 63203/54000 (e=0/0)
> debug1: trying public key file /etc/sshtest/authorized_keys
> debug1: fd 5 clearing O_NONBLOCK
> debug1: restore_uid: 0/0
> debug1: temporarily_use_uid: 63203/54000 (e=0/0)
> debug1: trying public key file /etc/sshtest/authorized_keys
> debug1: fd 5 clearing O_NONBLOCK
> debug1: restore_uid: 0/0
> Failed publickey for test from 172.31.43.3 port 2991 ssh2
> debug1: userauth-request for user test service ssh-connection method publickey
> debug1: attempt 2 failures 1
> debug1: ssh_rsa_verify: signature correct
> debug1: test whether pkalg/pkblob are acceptable
> debug1: ssh_rsa_verify: signature correct
> debug1: temporarily_use_uid: 63203/54000 (e=0/0)
> debug1: trying authorized principals file /etc/sshtest/authorized_principals
> debug1: fd 5 clearing O_NONBLOCK
> debug1: restore_uid: 0/0
> Certificate does not contain an authorized principal
> debug1: temporarily_use_uid: 63203/54000 (e=0/0)
> debug1: trying public key file /etc/sshtest/authorized_keys
> debug1: fd 5 clearing O_NONBLOCK
> debug1: restore_uid: 0/0
> debug1: temporarily_use_uid: 63203/54000 (e=0/0)
> debug1: trying public key file /etc/sshtest/authorized_keys
> debug1: fd 5 clearing O_NONBLOCK
> debug1: restore_uid: 0/0
> Failed publickey for test from 172.31.43.3 port 2991 ssh2
> debug1: userauth-request for user test service ssh-connection method publickey
> debug1: attempt 3 failures 2
> debug1: ssh_rsa_verify: signature correct
> debug1: test whether pkalg/pkblob are acceptable
> debug1: ssh_rsa_verify: signature correct
> debug1: temporarily_use_uid: 63203/54000 (e=0/0)
> debug1: trying authorized principals file /etc/sshtest/authorized_principals
> debug1: fd 5 clearing O_NONBLOCK
> debug1: restore_uid: 0/0
> Accepted certificate ID "test" signed by RSA CA e5:04:98:2c:95:d3:b2:21:01:f3:5c:16:63:99:67:db via /etc/sshtest/ssh_cakeys
> Postponed publickey for test from 172.31.43.3 port 2991 ssh2
> 
> At this point, I have to enter the test user's passphrase. This is not what I expect... I was rather hoping to avoid entering credentials...
> 
> 
> Any suggestions?
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

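As an added illustration (not code from this thread or from OpenSSH), the snippet below decodes the fields sshd consults when it reports "Certificate does not contain an authorized principal": it builds a constructed ssh-rsa-cert-v01@openssh.com blob laid out per OpenSSH's PROTOCOL.certkeys (the RSA key, CA key and signature fields are dummy bytes), parses the key id and principal list back out, and checks them against an AuthorizedPrincipalsFile the way the thread's two variants ("test" versus "test@172.31.43.3", which the archive shows as "test at 172.31.43.3") would be matched. It assumes principals-file lines are bare names without options.

```python
import base64, struct

def _s(b):
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def build_cert(key_id, principals, serial=3):
    """Constructed user certificate blob (field order from PROTOCOL.certkeys).
    Only the layout matters here; key, CA and signature fields are dummies (assumption)."""
    plist = b"".join(_s(p.encode()) for p in principals)
    return (_s(b"ssh-rsa-cert-v01@openssh.com") + _s(b"nonce")
            + _s(b"\x01\x00\x01") + _s(b"\x00" + b"\x11" * 32)   # e, n (dummies)
            + struct.pack(">QI", serial, 1)                      # serial (-z), type 1 = user
            + _s(key_id.encode()) + _s(plist)                    # key id (-I), principals (-n)
            + struct.pack(">QQ", 0, 0xFFFFFFFFFFFFFFFF)          # valid after / valid before
            + _s(b"") + _s(b"") + _s(b"")                        # critical opts, extensions, reserved
            + _s(b"dummy-ca-key") + _s(b"dummy-signature"))

def parse_cert(blob):
    """Decode the fields sshd consults when matching AuthorizedPrincipalsFile."""
    pos = 0
    def string():
        nonlocal pos
        (n,) = struct.unpack_from(">I", blob, pos)
        pos += 4 + n
        return blob[pos - n:pos]
    ktype = string()
    if ktype != b"ssh-rsa-cert-v01@openssh.com":
        raise ValueError("not an OpenSSH RSA certificate: %r" % ktype)
    string(); string(); string()                         # nonce, e, n
    serial, ctype = struct.unpack_from(">QI", blob, pos)
    pos += 12
    key_id = string().decode()
    praw, principals, p = string(), [], 0
    while p < len(praw):                                 # packed list of SSH strings
        (n,) = struct.unpack_from(">I", praw, p)
        principals.append(praw[p + 4:p + 4 + n].decode())
        p += 4 + n
    return {"serial": serial, "type": ctype, "key_id": key_id, "principals": principals}

def parse_cert_line(line):
    """Parse one line of an id_rsa-cert.pub file: '<type> <base64 blob> [comment]'."""
    return parse_cert(base64.b64decode(line.split()[1]))

def authorized(cert, principals_text):
    """AuthorizedPrincipalsFile check: any non-comment line naming a cert principal (bare names assumed)."""
    allowed = {ln.strip() for ln in principals_text.splitlines()
               if ln.strip() and not ln.lstrip().startswith("#")}
    return cert["type"] == 1 and any(p in allowed for p in cert["principals"])
```

Note that the certificate carries only the principals, key id and CA signature; the client still has to prove possession of the private key, so a passphrase-protected id_rsa prompts for its passphrase unless it has been loaded into ssh-agent.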

