CertificateFile handling with IdentitiesOnly=yes where ProxyCommand provides the certificate
Eric N. Vander Weele
ericvw at gmail.com
Fri May 5 20:42:11 AEST 2023
Hello,
I encountered an unexpected behavior when the ProxyCommand adds keys to
ssh-agent and provides the files specified by the paths in IdentityFile and
CertificateFile while IdentitiesOnly=yes is set. I am reaching out to
confirm whether this behavior works as designed or if there is an
opportunity to change the certificate file handling for this use case
(details below).
When ~/.ssh/config contains:
Host nodename
    IdentityFile "~/.tsh/keys/teleport-proxy-url.com/username at email.com"
    CertificateFile "~/.tsh/keys/teleport-proxy-url.com/username at email.com-ssh/teleport-proxy-url.com-cert.pub"
    ProxyCommand tsh proxy ssh --cluster=teleport-proxy-url.com --proxy=teleport-proxy-url.com %r@%h:%p
    IdentitiesOnly yes
The desired behavior when invoking 'ssh nodename' is that the invocation of
ProxyCommand runs 'tsh proxy ssh ...', which opens the browser for single
sign-on, provides the identity and certificate files, and loads them into
ssh-agent. Then there should be a transparent ssh connection to "nodename".
However, what ends up happening is "Permission denied (publickey)."
When digging into this, ssh.c:load_public_identity_files detects that
IdentityFile and CertificateFile don't exist. Then in
sshconnect2.c:pubkey_prepare, the keys are in the ssh-agent; however, since
IdentitiesOnly=yes, the keys don't get loaded into either the preferred
list or the agent list. Next, when sshconnect2.c:userauth_pubkey is called,
it will attempt to re-read the private key, which subsequently fails because
the server was also expecting the certificate. This explains "Permission
denied (publickey)."
I would like to use Teleport with IdentitiesOnly=yes, and I was considering
modifying sshconnect2.c:pubkey_prepare to attempt loading the files there
to support this use case. Before proposing a patch, I wanted to check with
the maintainers if this would be a desirable behavior change. If so, I
would appreciate guidance on where you would prefer such a change. If this
works as designed, that works for me, and I'll adjust my ssh configuration
accordingly.
Eric N. Vander Weele
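The ordering problem described in the message above (ssh reads IdentityFile and CertificateFile at startup, before ProxyCommand has had a chance to create them) can be checked before invoking ssh. The following pre-flight script is an added example; it is not part of the original post and not code from OpenSSH or Teleport. It parses one Host block of an ssh_config file and reports every configured identity or certificate path that does not yet exist, which with IdentitiesOnly=yes means the matching agent key would never be offered. Assumptions: only the space-separated "Keyword value" form of ssh_config is handled, Host patterns are matched as exact names or the bare wildcard "*", and the demo config, key file and paths are constructed in a temporary directory for illustration.

```shell
#!/bin/sh
# Added example (not from the original post, OpenSSH, or Teleport).
# With IdentitiesOnly=yes, ssh reads IdentityFile and CertificateFile when it
# starts (ssh.c:load_public_identity_files), before ProxyCommand runs, so a
# key that ProxyCommand later adds to ssh-agent is only offered if its files
# already exist on disk. ssh_identity_preflight parses one Host block of an
# ssh_config file and reports every configured path that is missing.
#
# Usage: ssh_identity_preflight CONFIG HOST
# Prints "missing: <path> (<keyword>)" per absent file; returns 0 if all
# configured files exist, 1 if any is missing.

lowercase() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Strip surrounding double quotes and expand a leading ~/ to $HOME/.
expand_ssh_path() {
    p="$1"
    p="${p#\"}"; p="${p%\"}"
    case "$p" in
        "~/"*) p="$HOME/${p#"~/"}" ;;
    esac
    printf '%s' "$p"
}

# Does HOST match one of the patterns on a Host line? (Assumption: only
# exact names and the bare wildcard "*" are handled here.)
host_matches() {
    host="$1"; shift
    for pat in "$@"; do
        [ "$pat" = "$host" ] && return 0
        [ "$pat" = "*" ] && return 0
    done
    return 1
}

ssh_identity_preflight() {
    config="$1"; host="$2"
    in_block=0; missing=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Trim leading whitespace; skip blank lines and comments.
        line="${line#"${line%%[![:space:]]*}"}"
        case "$line" in ''|'#'*) continue ;; esac
        # Assumption: "Keyword value" form only (no "Keyword=value").
        keyword=$(lowercase "${line%%[[:space:]]*}")
        value="${line#*[[:space:]]}"
        value="${value%"${value##*[![:space:]]}"}"   # trim trailing space
        case "$keyword" in
            host)
                if host_matches "$host" $value; then in_block=1; else in_block=0; fi ;;
            match) in_block=0 ;;   # a Match block ends the Host block
            identityfile|certificatefile)
                [ "$in_block" -eq 1 ] || continue
                path=$(expand_ssh_path "$value")
                if [ ! -e "$path" ]; then
                    printf 'missing: %s (%s)\n' "$path" "$keyword"
                    missing=1
                fi ;;
        esac
    done < "$config"
    return "$missing"
}

# Demo with a constructed config in a temporary directory. The private key
# exists but the certificate is deliberately absent, which is the state
# before ProxyCommand has run and written it.
demo_preflight() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/keys"
    : > "$tmp/keys/id"
    cat > "$tmp/config" <<EOF
Host nodename
    IdentityFile "$tmp/keys/id"
    CertificateFile "$tmp/keys/id-cert.pub"
    ProxyCommand tsh proxy ssh --cluster=example.invalid %r@%h:%p
    IdentitiesOnly yes
EOF
    ssh_identity_preflight "$tmp/config" nodename; rc=$?
    rm -rf "$tmp"
    return "$rc"
}

if demo_preflight; then
    echo "preflight: all identity files present, ssh can offer the agent key"
else
    echo "preflight: run the login step first so the files exist before ssh starts"
fi
```

Run the check with the real config (for example `ssh_identity_preflight ~/.ssh/config nodename`) immediately before `ssh nodename`; a non-zero exit means the login step that writes the files has to happen first, otherwise IdentitiesOnly=yes will cause the agent key to be skipped exactly as described in the message.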