Some wishes regarding revoked keys

Fri Sep 7 04:12:30 AEST 2018

Hello.

I am trying to play through the following test scenario about 
certificate revocation on Ubuntu 18.04, which has OpenSSH of this version:
OpenSSH_7.6p1 Ubuntu-4, OpenSSL 1.0.2n  7 Dec 2017

1. A CA key is created
ssh-keygen -t ed25519 -f ca

2. The CA public key is added to ~/.ssh/authorized_keys on some server:
cert-authority ssh-ed25519 AAAA...e ca at yoga

3. A user key is created on a different laptop:
ssh-keygen -t ed25519 -f user

4. The CA gets user.pub, signs the user key and applies restrictions, 
then transfers user-cert.pub back to the user's laptop
ssh-keygen -s ca -I user -V 20180906:20180908 -O clear -O permit-pty user
(yes I know, at this point the CA has made a mistake of not specifying 
the unique serial, but still there is a unique ID supplied with "-I 
user", so nothing fatal)

5. The CA destroys its copy of the user.pub and user-cert.pub files, 
because a guide (e.g. https://ef.gy/hardening-ssh) says it is a good idea.

6. The user logs in using the certificate:
ssh -o IdentitiesOnly=yes -o 
PubkeyAcceptedKeyTypes=ssh-ed25519-cert-v01 at openssh.com -i user remote-host

Up to this point, everything works fine.

7. The user's laptop is stolen, the passphrase guessed, and now the 
thief is the only person who has access to the user's private key, 
public key and the certificate. The thief logs into the server. Now the 
admin needs to revoke the certificate (and ideally the certified key 
itself, just in case), based on the available information in the logs.

In the log, with the default verbosity level, there are lines like this:

Sep  6 16:11:07 test-5-9v sshd[13415]: Accepted publickey for user from 
2001:470:<remaining-octets-hidden> port 53104 ssh2: ED25519-CERT ID user 
(serial 0) CA ED25519 SHA256:pN9HcOzg1nDWEpui9Yzjm24kfh6mHWf4ihHVaW4HKe8

I.e. nothing except the id and the serial about the certificate or the 
key itself. The SHA256 fingerprint is that of the CA public key.

At the DEBUG verbosity level, there is also a line that says the SHA256 
fingerprint of the user's (not CA) key:

Sep  6 17:02:03 test-5-9v sshd[13997]: debug1: userauth_pubkey: test 
whether pkalg/pkblob are acceptable for ED25519-CERT 
SHA256:KdBhCunApB01QV7kw/+FsS/BAfnFxpaKCbPVQrzGmrc [preauth]

OK, so the CA needs to revoke a certificate with ID "user" (let's 
suppose it is unique), or key hash SHA256:KdBh..., and no other kind of 
hash is known.

The SHA256 hash is useless, because (at least according to the 
documentation) "ssh-keygen -k" only accepts SHA1 hashes. So let's try 
the ID.

echo 'id: user' | ssh-keygen -k -f revoked_keys -s ca /dev/stdin

OK, after transferring the result to the server and setting the 
RevokedKeys option in sshd_config, it works. But, as an admin, I would 
also like to revoke the key itself (not only the certificate) where I 
can. And I don't have any information to do so - is it because my wish 
is something unreasonable?

If my wish is reasonable, please, in the next versions of OpenSSH:

1. If the user uses a certificate, also log the key fingerprint at the 
default (not debug) verbosity level.

2. Make sure that the logged fingerprint is something that can be 
understood by "ssh-keygen -k".

-- 
Alexander E. Patrakov