Help with CA Certificates for user authentication?

Iain Morgan imorgan at nas.nasa.gov
Sat Nov 5 03:30:43 EST 2011 

Using certificates does not bypass the need for a passphrase. For both
certificate and public-key authentication, the candidate key or
certificate is first presented to the server to see if it will be
accepted. If the server is willing to accept the key or cert, you then
move on to the stage where an actual signature is required.

Note that just as with conventional public-key authentication, you can
use ssh-agent to avoid having to enter the passphrase every time.

On Thu, Nov 03, 2011 at 22:00:52 -0500, wfdawson wrote:
> Hi,
> 
> Thanks for your feedback.
> 
> 
> I tried setting the principal in the cert to be simply the username of the test account.  I also set the AuthorizedPrincipalsFile to point to the users' .ssh/authorized_principals rather than a system-wide file, and confirmed the file permissions on the test user's .ssh/authorized_principals file.  Still, no success.
> 
> I found the instructions here on authenticating ssh server host key to be helpful:
> 
> http://justanothergeek.chdir.org/2011/07/howto-authenticate-ssh-server-through.html
> 
> Here's a link to some notes about my testing.  I would be most happy if anyone would give some advice after viewing it.  I appreciate, it is not an easy read.
> 
> http://pastebin.com/91tV8Pii
> 
> An interesting tidbit from the server session:
> 
> Authentication tried for test with correct key but not from a permitted host (host=172.31.43.3, ip=172.31.43.3).
> 
> I found someone else with this issue (or similar):
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=666977
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607602
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607369
> 
> 
> Though that seems important, I'm able to get past it.  If I make ~test/.ssh/authorized_principals simple so that it contains a single line consisting simple of:
> 
> test
> 
> ... corresponding to the actual principal in the user's certificate signature, the result is cleaner, but still not successful in authenticating the test user with only the CA cert signed public signature file:
> 
> debug1: trying authorized principals file /home1/test/.ssh/authorized_principals
> debug1: fd 5 clearing O_NONBLOCK
> debug1: restore_uid: 0/0
> Accepted certificate ID "test" signed by RSA CA e5:04:98:2c:95:d3:b2:21:01:f3:5c:16:63:99:67:db via /etc/sshtest/ssh_cakeys
> Postponed publickey for test from 172.31.43.3 port 1866 ssh2
> 
> 
> At that point, the user is presented with a prompt to provide his private key passphrase:
> 
> debug3: key_from_blob(..., ...) ktype=ssh-rsa
> debug1: ssh_rsa_verify: signature correct
> debug2: input_userauth_pk_ok: fp 25:cb:6b:60:d6:19:ff:ac:8d:62:21:fa:c0:96:bc:0f
> debug3: sign_and_send_pubkey: RSA-CERT 25:cb:6b:60:d6:19:ff:ac:8d:62:21:fa:c0:96:bc:0f
> debug1: read PEM private key begin
> debug1: key_parse_private_pem: PEM_read_PrivateKey failed
> debug1: read PEM private key done: type <unknown>
> Enter passphrase for key '/home/test/.ssh/id_rsa':
> 
> 
> 
> So, I'm stuck here... :-( ... as my goal is to authenticate the user without his needing to enter his private key passphrase.
> 
> I'm beginning to believe I have misread or misunderstood the functionality that I thought was here...  is this possible (to authenticate based on the user's public key having been signed by a trusted CA, or must the user also provide his private key passphrase just as was the case before OpenSSH CA Certificates?
> 
> 
> 
> 
> ________________________________
> From: Iain Morgan <imorgan at nas.nasa.gov>
> To: wfdawson <wfdawson at bellsouth.net>
> Cc: "openssh-unix-dev at mindrot.org" <openssh-unix-dev at mindrot.org>
> Sent: Thursday, November 3, 2011 1:35 PM
> Subject: Re: Help with CA Certificates for user authentication?
> 
> Hello,
> 
> What happens if you set the principal in the certificate to simply be
> the username of the test account?
> 
> I suspect that you have a permissions issue with your
> authorized_principals file. Remember that it is read using the user's
> permissions and thus must be readable by the user.
> 
> --
> Iain Morgan
> 
> On Thu, Nov 03, 2011 at 01:50:46 -0500, wfdawson wrote:
> > As background, I read:
> >
> > http://therowes.net/~greg/2011/03/23/ssh-trusted-ca-key/
> > http://www.ibm.com/developerworks/aix/library/au-sshsecurity/
> > http://bryanhinton.com/blog/openssh-security
> > http://www.linuxhowtos.org/manpages/5/sshd_config.htm
> > http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&taskId=120&prodSeriesId=4164814&prodTypeId=18964&objectID=c02838205
> > http://www.gossamer-threads.com/lists/openssh/users/50165
> >
> >
> > I'm to use SSH CA certificate for user authentication, but not getting quite "there."
> >
> > I created a signing cert and used it to sign the test user's public key:
> >
> > ssh-keygen -s /etc/ssh/ca_rsa -I test -n test at 172.31.43.3 -z 3 /home/test/.ssh/id_rsa.pub
> >
> > On my test server, the sshd_config details:
> >
> > Port 2022
> > HostKey /etc/sshtest/ssh_host_key
> > HostKey /etc/sshtest/ssh_host_rsa_key
> > HostKey /etc/sshtest/ssh_host_dsa_key
> > HostKey /etc/sshtest/ssh_host_ecdsa_key
> > MaxAuthTries 3
> > AuthorizedKeysFile????? /etc/sshtest/authorized_keys
> > PasswordAuthentication no
> > X11Forwarding yes
> > X11DisplayOffset 10
> > X11UseLocalhost yes
> > UseDNS no
> > Subsystem?????? sftp??? /home1/test/usr/local/libexec/sftp-server
> > TrustedUserCAKeys?????? /etc/sshtest/ssh_cakeys
> > AuthorizedPrincipalsFile??????? /etc/sshtest/authorized_principals
> >
> > The /etc/sshtest/authorized_principals file contains one line:
> >
> > test at 172.31.43.3
> >
> > I attempt to connect to the target server from the test client:
> >
> > $ ssh -vvv -Y -p 2022 -l test 172.31.44.115
> >
> >
> > There is verbose output, which mostly seems right until (on the client):
> >
> >
> > debug1: ssh_rsa_verify: signature correct
> > debug2: input_userauth_pk_ok: fp c9:42:44:91:48:04:45:b2:ee:93:12:3f:e5:89:13:ab
> > debug3: sign_and_send_pubkey: RSA-CERT c9:42:44:91:48:04:45:b2:ee:93:12:3f:e5:89:13:ab
> > debug1: read PEM private key begin
> > debug1: key_parse_private_pem: PEM_read_PrivateKey failed
> > debug1: read PEM private key done: type <unknown>
> > Enter passphrase for key '/home/test/.ssh/id_rsa':
> >
> > ...and, correspondingly on the server:
> >
> > debug1: KEX done
> > debug1: userauth-request for user test service ssh-connection method none
> > debug1: attempt 0 failures 0
> > debug1: userauth-request for user test service ssh-connection method publickey
> > debug1: attempt 1 failures 0
> > debug1: test whether pkalg/pkblob are acceptable
> > debug1: temporarily_use_uid: 63203/54000 (e=0/0)
> > debug1: trying public key file /etc/sshtest/authorized_keys
> > debug1: fd 5 clearing O_NONBLOCK
> > debug1: restore_uid: 0/0
> > debug1: temporarily_use_uid: 63203/54000 (e=0/0)
> > debug1: trying public key file /etc/sshtest/authorized_keys
> > debug1: fd 5 clearing O_NONBLOCK
> > debug1: restore_uid: 0/0
> > Failed publickey for test from 172.31.43.3 port 2991 ssh2
> > debug1: userauth-request for user test service ssh-connection method publickey
> > debug1: attempt 2 failures 1
> > debug1: ssh_rsa_verify: signature correct
> > debug1: test whether pkalg/pkblob are acceptable
> > debug1: ssh_rsa_verify: signature correct
> > debug1: temporarily_use_uid: 63203/54000 (e=0/0)
> > debug1: trying authorized principals file /etc/sshtest/authorized_principals
> > debug1: fd 5 clearing O_NONBLOCK
> > debug1: restore_uid: 0/0
> > Certificate does not contain an authorized principal
> > debug1: temporarily_use_uid: 63203/54000 (e=0/0)
> > debug1: trying public key file /etc/sshtest/authorized_keys
> > debug1: fd 5 clearing O_NONBLOCK
> > debug1: restore_uid: 0/0
> > debug1: temporarily_use_uid: 63203/54000 (e=0/0)
> > debug1: trying public key file /etc/sshtest/authorized_keys
> > debug1: fd 5 clearing O_NONBLOCK
> > debug1: restore_uid: 0/0
> > Failed publickey for test from 172.31.43.3 port 2991 ssh2
> > debug1: userauth-request for user test service ssh-connection method publickey
> > debug1: attempt 3 failures 2
> > debug1: ssh_rsa_verify: signature correct
> > debug1: test whether pkalg/pkblob are acceptable
> > debug1: ssh_rsa_verify: signature correct
> > debug1: temporarily_use_uid: 63203/54000 (e=0/0)
> > debug1: trying authorized principals file /etc/sshtest/authorized_principals
> > debug1: fd 5 clearing O_NONBLOCK
> > debug1: restore_uid: 0/0
> > Accepted certificate ID "test" signed by RSA CA e5:04:98:2c:95:d3:b2:21:01:f3:5c:16:63:99:67:db via /etc/sshtest/ssh_cakeys
> > Postponed publickey for test from 172.31.43.3 port 2991 ssh2
> >
> > At this point, I have to enter the test user's passphrase.? This is not what I expect... I was rather hoping to avoid entering credentials...
> >
> >
> > Any suggestions?
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev at mindrot.org
> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> 
> --
> Iain Morgan
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

-- 
Iain Morgan

More information about the openssh-unix-dev mailing list