Use of "no-touch-required" with "cert-authority"
ronf at timeheart.net
Tue Feb 18 09:27:47 AEDT 2020
In testing security key support in OpenSSH 8.2, I had some trouble making the “no-touch-required” option in the authorized_keys file work in conjunction with OpenSSH certificates. I think I’ve figured it out, but I think there may be a bug in ssh-keygen related to this.
To make “no-touch-required” work with certificates, I actually had to do three things:
1. Generate the security key with touch disabled
2. Add “no-touch-required” as an extension when generating the certificate for this key
3. Add “no-touch-required” (along with “cert-authority”) in the authorized key entry on the server for the CA which signed the certificate
I would have expected that trusting a CA in authorized_keys along with the certificate having “no-touch-required” set to be enough to accept the key, without having to further override that explicitly in the authorized_keys entry. However, I can accept that you might want extra confirmation on the server that this certificate option should be trusted. Alternately, once that option was set in authorized_keys, I would have expected keys which don’t require presence to be accepted even without the certificate “no-touch-required” being set, similar to the non-certificate case.
Is that the intended behavior, to reject keys without presence unless BOTH options are set (in addition to the key itself not requiring presence)?
The other issue I ran across is that specifying “-O no-touch-required” when generating the certificate didn’t work, despite that being documented in the man page. It appears that ssh-keygen treats this keyword as an unknown “critical” value, rather than an “extension”. So, the generated certificate ended up looking something like:
    no-touch-required UNKNOWN OPTION (len 0)
To get it to be an extension, I had to use “-O extension:no-touch-required” as the option to ssh-keygen. Then, I saw:
    Critical Options: (none)
I’m guessing this is not the intended behavior, and that “no-touch-required” should have been recognized as an extension without the “extension:” prefix, just like the other options such as “no-agent-forwarding”.
ronf at timeheart.net
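As an added illustration, and not code from the post or from OpenSSH itself, the following Python models the acceptance rule the post reports: a security-key signature that does not assert user presence is accepted for a certificate only when the authorized_keys CA entry carries “no-touch-required” and the certificate carries the “no-touch-required” extension, while a plain (non-certificate) security key needs only the authorized_keys option. It also parses the option field of a constructed authorized_keys line, handling quoted values that contain commas (so `from="a,b"` is not split in two). The sample line, the key-type strings, the scenario names and the `decide()` function are assumptions for the illustration; the decision logic reproduces the behaviour the post observed, not OpenSSH's source.

```python
"""Model of the "no-touch-required" acceptance rule described in the post.

Constructed illustration; not OpenSSH code. The three steps from the post,
as they would be typed (commands shown for orientation only):
  ssh-keygen -t ecdsa-sk -O no-touch-required -f id_sk          # key, touch disabled
  ssh-keygen -s ca_key -I user -O extension:no-touch-required id_sk.pub  # cert extension
  authorized_keys: cert-authority,no-touch-required ssh-ed25519 <CA key> # server entry
"""
from __future__ import annotations

# Constructed sample authorized_keys entry; the CA key blob is a placeholder.
AUTHORIZED_KEYS_LINE = (
    'cert-authority,no-touch-required,from="10.0.0.0/8,192.168.1.1" '
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDER ca@example'
)

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")   # a line starting like this has no options
CERT_SUFFIX = "-cert-v01@openssh.com"           # OpenSSH certificate key types end with this


def _split_options(opts: str) -> list[str]:
    """Split an option string on commas that are outside double quotes."""
    parts, cur, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        parts.append("".join(cur))
    return parts


def parse_authorized_keys_line(line: str) -> tuple[dict, str]:
    """Return (options, remainder) for one authorized_keys line.

    Flag options map to True; valued options (from=, command=, ...) map to
    their unquoted value. The remainder starts with the key type.
    """
    line = line.strip()
    if line.startswith(KEY_TYPE_PREFIXES):
        return {}, line
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            break
    else:
        raise ValueError("no key material after option field")
    options = {}
    for part in _split_options(line[:i]):
        name, _, value = part.partition("=")
        options[name.strip().lower()] = value.strip().strip('"') if value else True
    return options, line[i:].strip()


def decide(key_type: str, user_presence_asserted: bool,
           cert_extensions: frozenset, ak_options: dict) -> tuple[bool, str]:
    """Apply the touch rule the post observed. Returns (accepted, reason)."""
    is_cert = key_type.endswith(CERT_SUFFIX)
    if is_cert and ak_options.get("cert-authority") is not True:
        return False, "certificate offered but the entry is not a cert-authority"
    if not key_type.startswith("sk-"):
        return True, "not a security key; no touch requirement applies"
    if user_presence_asserted:
        return True, "signature asserts user presence"
    if ak_options.get("no-touch-required") is not True:
        return False, "no user presence and authorized_keys lacks no-touch-required"
    if is_cert and "no-touch-required" not in cert_extensions:
        return False, "certificate lacks the no-touch-required extension"
    return True, "no-touch-required granted by authorized_keys" + (
        " and by the certificate extension" if is_cert else "")


def scenarios_from_post() -> list[tuple[str, bool]]:
    """The combinations the post describes, for a key generated with touch disabled."""
    ak_both, _ = parse_authorized_keys_line(AUTHORIZED_KEYS_LINE)
    ak_ca_only = {"cert-authority": True}
    sk_cert = "sk-ecdsa-sha2-nistp256" + CERT_SUFFIX
    sk_plain = "sk-ecdsa-sha2-nistp256@openssh.com"
    ext = frozenset({"no-touch-required"})
    return [
        ("cert without extension, AK has both", decide(sk_cert, False, frozenset(), ak_both)[0]),
        ("cert with extension, AK cert-authority only", decide(sk_cert, False, ext, ak_ca_only)[0]),
        ("cert with extension, AK has both", decide(sk_cert, False, ext, ak_both)[0]),
        ("plain sk key, AK no-touch-required", decide(sk_plain, False, frozenset(), {"no-touch-required": True})[0]),
        ("plain sk key, touch performed, no options", decide(sk_plain, True, frozenset(), {})[0]),
    ]


if __name__ == "__main__":
    for name, ok in scenarios_from_post():
        print(f"{'ACCEPT' if ok else 'REJECT':6}  {name}")
```

Only the third and the two plain-key scenarios are accepted, which is exactly the "BOTH options plus a no-touch key" outcome the post asks about; the parser's quote tracking matters because a `from=` list with commas would otherwise be split into bogus option names.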