Using multiple certificates for a given private key
Ryan Kavanagh
rak at debian.org
Thu Sep 5 10:25:13 EST 2013
Hi,

I'm experimenting with certificates for users, giving access via the
TrustedUserCAKeys mechanism. Unfortunately, there seems to be a limit of
one certificate per SSH key on the user's side, which prevents using the
same key for hosts using different TrustedUserCAKeys. Is there a clean
way around this?

To make the above clearer, consider the following situation:

A collection of hosts is partitioned into A hosts and B hosts, and we
have a CA key for the A hosts and one for the B hosts. Bob is a special
user and is granted access to hosts in both the A and the B clusters,
and so after sending his id_ecdsa.pub public key to the A and B CA key
maintainers, gets back two id_ecdsa-cert.pub certificates, one granting
him access to the A cluster, the other to the B cluster.

Bob is however stuck in that ssh only looks at the file
~/.ssh/id_ecdsa-cert.pub for a certificate for his id_ecdsa key. If he
puts A's certificate at that location, he can't log in to B using B's
certificate, and vice versa. If he puts both certificates into
~/.ssh/id_ecdsa-cert.pub, ssh only uses the top one.

Is there any resolution for Bob short of making two copies of
~/.ssh/id_ecdsa, ~/.ssh/id_ecdsaA and ~/.ssh/id_ecdsaB, and similarly
for ~/.ssh/id_ecdsa.pub, and placing the A and B certificates at
~/.ssh/id_ecdsaA-cert.pub and ~/.ssh/id_ecdsaB-cert.pub respectively,
thereby creating two copies of the key, each with its own certificate?

Looking at the source code, it looks as though not: key_load_cert
(authfile.c) calls key_try_load_public (authfile.c), which parses
${keyfile}-cert.pub until a key is found, loads it, and returns, thus
ignoring any subsequent certificates in the file. The cert filename is
also hardcoded to be ${keyfile}-cert.pub in key_load_cert.

Best wishes,
Ryan
--
|_)|_/ Ryan Kavanagh | Debian Developer
| \| \ http://ryanak.ca/ | GPG Key 4A11C97A
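The two-copies workaround described in the post, as an added example that is not part of the original message or of OpenSSH itself: a POSIX shell helper that creates a per-cluster copy of the key (id_ecdsaA, id_ecdsaB) with the matching certificate beside it under the ${keyfile}-cert.pub name ssh expects, and a second helper that emits an ssh_config stanza pinning a cluster's hosts to that copy. The function names, the directory argument and the Host patterns are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenSSH).
# ssh pairs ${keyfile}-cert.pub with ${keyfile} by filename, so one
# certificate per key copy means one key copy per CA. This helper makes
# such a copy: split_cert_key <ssh_dir> <keyname> <label> <cert_file>
#   e.g. split_cert_key ~/.ssh id_ecdsa A /tmp/from-A-ca/id_ecdsa-cert.pub
# creates ~/.ssh/id_ecdsaA, id_ecdsaA.pub and id_ecdsaA-cert.pub.
split_cert_key() {
    sshdir=$1 keyname=$2 label=$3 certfile=$4
    src=$sshdir/$keyname
    dst=$sshdir/${keyname}${label}
    [ -f "$src" ]      || { echo "missing private key $src" >&2; return 1; }
    [ -f "$src.pub" ]  || { echo "missing public key $src.pub" >&2; return 1; }
    [ -f "$certfile" ] || { echo "missing certificate $certfile" >&2; return 1; }
    # The copy, its .pub and the certificate must share a basename.
    cp -p "$src" "$dst"
    cp -p "$src.pub" "$dst.pub"
    cp "$certfile" "$dst-cert.pub"
    # Private key stays user-only; the public parts are world-readable as usual.
    chmod 600 "$dst"
    chmod 644 "$dst.pub" "$dst-cert.pub"
    # If ssh-keygen is present, show the certificate (CA, key ID, principals,
    # validity) so the user can confirm which CA issued this copy's cert.
    if command -v ssh-keygen >/dev/null 2>&1; then
        ssh-keygen -L -f "$dst-cert.pub" 2>/dev/null \
            || echo "note: ssh-keygen could not parse $dst-cert.pub" >&2
    fi
}

# Emit an ssh_config stanza that makes hosts matching <pattern> use the
# given key copy only. IdentitiesOnly stops ssh from also offering every
# other key the agent holds, so the A cert is never tried against B.
# cluster_config_stanza <key_path> <host_pattern>
cluster_config_stanza() {
    keypath=$1 pattern=$2
    printf 'Host %s\n    IdentityFile %s\n    IdentitiesOnly yes\n\n' \
        "$pattern" "$keypath"
}

# Example run (paths and host patterns are assumptions):
#   split_cert_key ~/.ssh id_ecdsa A ~/certs/from-A/id_ecdsa-cert.pub
#   split_cert_key ~/.ssh id_ecdsa B ~/certs/from-B/id_ecdsa-cert.pub
#   { cluster_config_stanza ~/.ssh/id_ecdsaA '*.a.example'
#     cluster_config_stanza ~/.ssh/id_ecdsaB '*.b.example'; } >> ~/.ssh/config
```

The copies are byte-identical private keys, so this does not weaken the key, but it does mean two files to protect and to revoke. Later OpenSSH releases (7.2 and up) added a CertificateFile client option that lets a single IdentityFile carry a different certificate per Host stanza, which removes the need for the copies entirely.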