Use of "no-touch-required" with "cert-authority"

Ron Frederick ronf at timeheart.net
Tue Feb 18 09:27:47 AEDT 2020


Hello,

In testing security key support in OpenSSH 8.2, I had some trouble making the “no-touch-required” option in the authorized_keys file work in conjunction with OpenSSH certificates. I think I’ve figured it out, but I think there may be a bug in ssh-keygen related to this.

To make “no-touch-required” work with certificates, I actually had to do three things:

1. Generate the security key with touch disabled
2. Add “no-touch-required” as an extension when generating the certificate for this key
3. Add “no-touch-required” (along with “cert-authority”) in the authorized key entry on the server for the CA which signed the certificate

I would have expected that trusting a CA in authorized_keys along with the certificate having “no-touch-required” set to be enough to accept the key, without having to further override that explicitly in the authorized_keys entry. However, I can accept that you might want extra confirmation on the server that this certificate option should be trusted. Alternately, once that option was set in authorized_keys, I would have expected keys which don’t require presence to be accepted even without the certificate “no-touch-required” being set, similar to the non-certificate case.

Is that the intended behavior, to reject keys without presence unless BOTH options are set (in addition to the key itself not requiring presence)?

The other issue I ran across is that specifying “-O no-touch-required” when generating the certificate didn’t work, despite that being documented in the man page. It appears that ssh-keygen treats this keyword as an unknown “critical” value, rather than an “extension”. So, the generated certificate ended up looking something like:

        Critical Options: 
                no-touch-required UNKNOWN OPTION (len 0)
        Extensions: 
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc

To get it to be an extension, I had to use “-O extension:no-touch-required” as the option to ssh-keygen. Then, I saw:

        Critical Options: (none)
        Extensions: 
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc
                no-touch-required

I’m guessing this is not the intended behavior, and that “no-touch-required” should have been recognized as an extension without the “extension:” prefix, just like the other options such as “no-agent-forwarding”.
-- 
Ron Frederick
ronf at timeheart.net
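
The three-step procedure described in the message above, written out as an added shell example (not code from the original post or from OpenSSH), together with a small check over `ssh-keygen -L` output that reports whether `no-touch-required` ended up under Extensions or, as in the symptom reported, under Critical Options. The file paths, the principal name `alice` and the sample listings are assumptions constructed for illustration; the functions that talk to a security key are not exercised by the check.

```shell
#!/bin/sh
# Added example, not code from the original message: the three steps the post
# describes, using the "extension:" prefix workaround, plus a parser for
# "ssh-keygen -L" output that tells whether no-touch-required landed under
# Extensions (wanted) or under Critical Options (the symptom reported).
# File paths and the principal name "alice" are assumptions for illustration.

# Step 1: generate a security-key-backed user key with touch disabled.
# Needs a FIDO2 authenticator attached, so the checks below never call it.
gen_sk_key() {
    ssh-keygen -t ecdsa-sk -O no-touch-required -f "$1" -N ''
}

# Step 2: sign the public key with the CA, requesting no-touch-required as an
# extension. The explicit "extension:" prefix is the workaround from the post.
#   $1 = CA private key, $2 = user public key, $3 = principal
sign_cert() {
    ssh-keygen -s "$1" -I "$3-sk" -n "$3" -O extension:no-touch-required "$2"
}

# Step 3: authorized_keys entry that trusts the CA and also permits keys
# whose private half was generated without a presence requirement.
#   $1 = the CA public key line
ca_authorized_keys_line() {
    printf 'cert-authority,no-touch-required %s\n' "$1"
}

# Read "ssh-keygen -L -f key-cert.pub" output on stdin and print where the
# no-touch-required option sits: "extension", "critical", "unknown" or "absent".
classify_no_touch() {
    awk '
        /^ *Critical Options:/ { section = "critical"; next }
        /^ *Extensions:/       { section = "extension"; next }
        /^ *[A-Za-z][A-Za-z ]*:/ { section = ""; next }   # any other top-level field
        $1 == "no-touch-required" {
            print (section == "" ? "unknown" : section); found = 1; exit
        }
        END { if (!found) print "absent" }
    '
}

# Constructed sample listings, trimmed to the two relevant fields; they mirror
# the output quoted in the message, not a certificate from a real device.
sample_listing_buggy() {
    printf '%s\n' \
        '        Critical Options: ' \
        '                no-touch-required UNKNOWN OPTION (len 0)' \
        '        Extensions: ' \
        '                permit-X11-forwarding' \
        '                permit-pty'
}

sample_listing_fixed() {
    printf '%s\n' \
        '        Critical Options: (none)' \
        '        Extensions: ' \
        '                permit-X11-forwarding' \
        '                permit-pty' \
        '                no-touch-required'
}

# Usage against a real certificate, once the key and CA exist:
#   gen_sk_key ~/.ssh/id_ecdsa_sk
#   sign_cert ~/.ssh/ca ~/.ssh/id_ecdsa_sk.pub alice
#   ssh-keygen -L -f ~/.ssh/id_ecdsa_sk-cert.pub | classify_no_touch
```

Piping the listing of a freshly signed certificate through `classify_no_touch` gives a quick way to confirm that a CA signing script is emitting the option as an extension before the certificate is handed out; a result of `critical` means the server will reject the certificate as carrying an unknown critical option regardless of what the authorized_keys entry says.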
