Requiring certificate signature and an authorized key to authenticate

Manoj Ampalam manojampalam at live.com
Fri Jun 28 03:54:27 AEST 2019


AFAIK, sshd, by itself, cannot enforce your specific 2FA requirement (one cert + one authorized key). You could potentially leverage AuthorizedKeysCommand. It would probably require maintaining some state (authorized_keys, trusted ca keys, auth attempts) on your own.
________________________________
From: openssh-unix-dev <openssh-unix-dev-bounces+manojampalam=live.com at mindrot.org> on behalf of Erik Johnston <erikj-openssh at jki.re>
Sent: Tuesday, June 25, 2019 10:22:55 AM
To: openssh-unix-dev at mindrot.org
Subject: Requiring certificate signature and an authorized key to authenticate

Hey everyone,

Basically, I'm trying to figure out if I can configure sshd to require that the user has a key that has been signed by a trusted user CA *and* is listed separately as an authorised key (or the user has a signed key and a different authorised key)?

The closest I've come is having an `authorized_keys` file have two entries consisting of the CA key and a normal key with `AuthenticationMethods: publickey,publickey` option set, so that sshd requires that a user produces both the normal key and a signed key. This works, but means a user can't then have multiple keys (e.g. one per device), and feels somewhat brittle in that adding a key to that file breaks the requirement that the user presents a signed key.

The motivation behind this is that I've been looking at using a self-service cert authority that lets users get their keys signed by the CA in a restricted way, e.g. be IP locked, have expiry times, requires third party approval to get access to certain hosts, etc. However, I'm uncomfortable having a single server have the CA cert, since if the box gets owned they get credentials to access everything. Hence wondering if we could require having both a valid key *and* a valid signature from the CA, as then having the cert by itself is useless.

Thoughts and suggestions welcome, including that this sounds like a terrible idea and I'm doing it wrong.


Thanks,
Erik
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
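Added example, not code from either mail: a POSIX shell audit of the authorized_keys layout Erik describes (one `cert-authority` line plus one plain key, paired with `AuthenticationMethods publickey,publickey`). It flags the brittle case he raises, where a second plain key means two plain keys can satisfy both methods and the CA signature is no longer required; the key material and file paths are constructed placeholders.

```shell
#!/bin/sh
# Added example (not code from either mail): audit an authorized_keys file for
# the layout Erik describes. With "AuthenticationMethods publickey,publickey"
# in sshd_config, that file enforces "CA-signed key AND a separate plain key"
# only while it holds exactly one cert-authority entry and exactly one plain
# key; every extra plain key lets two plain keys satisfy both methods.

# Print the option field of an authorized_keys line (empty if it starts with
# the key type). Assumes a key type prefix of ssh-, ecdsa- or sk-.
key_options() {
    case $1 in
        ssh-*|ecdsa-*|sk-*) printf '' ;;
        *) printf '%s' "$1" | sed -E 's/ (ssh|ecdsa|sk)-.*$//' ;;
    esac
}

# Exit 0 only for the one-CA-entry-plus-one-plain-key layout; otherwise warn.
audit_authorized_keys() {
    ca_n=0; plain_n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac      # skip blanks and comments
        case ",$(key_options "$line")," in
            *,cert-authority,*) ca_n=$((ca_n + 1)) ;;
            *) plain_n=$((plain_n + 1)) ;;
        esac
    done < "$1"
    if [ "$ca_n" -eq 1 ] && [ "$plain_n" -eq 1 ]; then
        echo "ok: 1 cert-authority entry, 1 plain key ($1)"
        return 0
    fi
    echo "warning: $ca_n cert-authority entries, $plain_n plain keys ($1)"
    return 1
}

# Constructed sample files with placeholder key material.
GOOD=$(mktemp); BAD=$(mktemp)
trap 'rm -f "$GOOD" "$BAD"' EXIT
cat > "$GOOD" <<'EOF'
# one CA line, one device key: two-publickey auth must use the cert
cert-authority,principals="erik" ssh-ed25519 AAAA_CONSTRUCTED_CA_KEY user-ca
ssh-ed25519 AAAA_CONSTRUCTED_LAPTOP_KEY erik@laptop
EOF
cat > "$BAD" <<'EOF'
cert-authority ssh-ed25519 AAAA_CONSTRUCTED_CA_KEY user-ca
ssh-ed25519 AAAA_CONSTRUCTED_LAPTOP_KEY erik@laptop
ssh-rsa AAAA_CONSTRUCTED_DESKTOP_KEY erik@desktop
EOF
audit_authorized_keys "$GOOD"
audit_authorized_keys "$BAD" || echo "second plain key present: cert no longer required"
```

Run it against each user's real authorized_keys from a cron job or a config check; a non-zero exit is the signal that the two-publickey setup has silently stopped requiring the CA-signed key.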