X509 based certificate authentication in OpenSSH

Iain Morgan imorgan at nas.nasa.gov
Fri Jun 11 03:29:16 EST 2010


Hi Naitik,

You may want to look at PROTOCOL.certkeys in the OpenSSH source
distribution and at the archive for this mailing list. (www.marc.info is
a good place for the latter.) The call for release testing for the 5.4
release has an overview of the certificate support. And, of course, the
source code, particularly auth2-pubkey.c, may be of interest.

On Thu, Jun 10, 2010 at 12:00:19 -0500, Dani, Naitik wrote:
> Iain,
> 
> Thanks for your previous reply. I have removed -n option as you asked for and it worked.
> 
> Is there any link which explains how the key/certificate exchange takes place (i.e. architecture overview) for certificate-based SSH authentication?
> 
> I would really like to understand the steps that occur when a client tries to connect to a remote host using a certificate.
> 
> Once again thanks for helping me with this.
> 
> 1) ssh-keygen -f ca_rsa    --> Generates CA key for signing
> 
> 2) ssh-keygen --> Generates the user key with the default name (id_rsa/.pub)
> 
> 3) ssh-keygen -s ca_rsa -I 2 /u/naitik/.ssh/id_rsa.pub  --> Signs the user key with CA key
> Signed user key /u/naitik/.ssh/id_rsa-cert.pub: id "2" valid forever
> 
> 4) ssh-keygen -Lf /u/naitik/.ssh/id_rsa-cert.pub --> Prints the contents of certificate
> /u/naitik/.ssh/id_rsa-cert.pub:
>         RSA-CERT user certificate 8c:50:f7:43:0a:ef:b3:8e:a9:4e:3f:04:d6:e7:a9:9a
>         Signed by RSA CA ad:82:20:d2:17:f9:09:cb:10:4c:a9:f7:d2:07:7a:e6
>         Key ID "2"
>         Valid: forever
>         Principals: (none)
>         Constraints:
>                 permit-X11-forwarding
>                 permit-agent-forwarding
>                 permit-port-forwarding
>                 permit-pty
>                 permit-user-rc
> 
> 5) cp ca_rsa.pub /u/naitik/.ssh/authorized_keys
> 
> 6) Add cert-authority Tag
> less authorized_keys
> cert-authority ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnI29TpnhPWSCGQdESr1gyCO3u5bKpm5aZ00TlLEliwz9NaBkwEgIB2oYmILzrqMUI/HdjXH/keBd0acyvJ41jL7dATA0N
> gipNs6O+Zka2ryKsHD9IlfMCTRVXj6/fB4fXmNue6KQmsbVNaZ/Vh2OuHFNr1SJsoHsbXchQmz+jEN2/yM8f8VJBwi02rz4BLFwijEcUFcj3cKm+PVGX3WT9JhAzgHVPZ4tnIorQeb1BRwN0mMR
> Zbh8710Uh7VfJyxN8VXaxfpwphHJVybfkMCMCcpT1vl2KhkmszGg3sAiSVs6BeeLgifXF62qlfGW9VfGXyic+L/ohhDSkaN0AI3t9 root at naitik001
> 
> Naitik Dani
> MTS
> GX Infrastructure HQ
> 
> NetApp
> 724-741-5153 Direct
> Naitik.Dani at netapp.com
> www.netapp.com
> 
> 
> 
> 
> 
> > -----Original Message-----
> > From: Iain Morgan [mailto:imorgan at nas.nasa.gov]
> > Sent: Wednesday, June 09, 2010 19:40
> > To: Dani, Naitik
> > Cc: openssh-unix-dev at mindrot.org
> > Subject: Re: X509 based certificate authentication in OpenSSH
> >
> > On Wed, Jun 09, 2010 at 15:09:49 -0500, Dani, Naitik wrote:
> > > > particular, there is no need to copy it to remote hosts. You
> > > > would only
> > > > need to copy the public key, user_key.pub, to servers that do not
> > > > support the certificate format, i.e. any older than
> > OpenSSH 5.4 or any
> > > > server using something other than OpenSSH. And you should
> > _never_ copy
> > > > the private key to a remote host.
> > >
> > > Does this mean that, if my servers do support certificate
> > format, i.e.
> > > newer than OpenSSH 5.4, then I need to copy user_key-cert.pub into
> > > ~/.ssh/authorized_keys instead of user_key.pub?
> >
> > No, you _never_ need to add your *-cert.pub file to the
> > ~/.ssh/authorized_keys file. You _only_ need to add the
> > ca_key.pub file
> > with the cert-authority tag. That allows the server to
> > determine that the
> > certificate (which the client offers during authentication)
> > is signed by
> > a trusted CA.
> >
> > >
> > > I tried that, and the connection failed. Is this the
> > expected behavior
> > > or am I missing something?
> > >
> > > Thanks
> > >
> >
> > Offhand, I'm not sure what the expected behaviour would be if
> > you added
> > user_key-cert.pub to your authorized_keys file.  However, it would not
> > be of any benefit.
> >
> > You may want to try using -v with ssh to see what actually is
> > happening.
> > I suspect that either ssh is not actually using the
> > certificate or that
> > you have a list of principals specified which does not match
> > the account
> > you are trying to authenticate to.
> >
> > You might also want to do 'ssh-keygen -Lf user_key-cert.pub' to verify
> > the parameters that are set for the certificate.
> >
> > If those steps don't shed any light and you have sufficient access to
> > the server, you could check the system logs for further info regarding
> > the authentication attempt. For best results, you may need to set the
> > LogLevel on the server to 'verbose.'
> >
> > --
> > Iain Morgan
> >

-- 
Iain Morgan
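To make the pointers above concrete (the field layout in PROTOCOL.certkeys, the `ssh-keygen -L` output in step 4, and the principals mismatch Iain suspects), here is an added example that is not code from this thread or from OpenSSH: a small decoder for an `ssh-rsa-cert-v01@openssh.com` public line, followed by the principal and validity checks sshd applies once the CA signature has been verified (signature verification itself is left out). The sample certificate is constructed with dummy key material and a dummy signature; `build_sample_cert` and `cert_permits` are hypothetical helper names.

```python
import base64
import struct

def _s(b):  # encode an SSH "string": uint32 big-endian length + bytes
    return struct.pack(">I", len(b)) + b

def _take(buf, off):  # decode one SSH string at off, return (bytes, new offset)
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def _names(blob):  # a string whose payload is itself a sequence of strings
    out, off = [], 0
    while off < len(blob):
        s, off = _take(blob, off)
        out.append(s.decode())
    return out

def parse_rsa_cert(line):
    """Decode an ssh-rsa-cert-v01@openssh.com public line (field order per PROTOCOL.certkeys)."""
    blob = base64.b64decode(line.split()[1])
    assert blob[4:32] == b"ssh-rsa-cert-v01@openssh.com", "not an RSA certificate"
    off = 0
    for _ in range(4):  # skip cert type name, nonce, mpint e, mpint n
        _, off = _take(blob, off)
    ctype = struct.unpack_from(">I", blob, off + 8)[0]  # uint64 serial, then uint32 type
    key_id, off = _take(blob, off + 12)
    principals, off = _take(blob, off)
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    _critical, off = _take(blob, off + 16)
    exts, off = _take(blob, off)  # (name, data) pairs; CA key and signature follow
    return {"type": "user" if ctype == 1 else "host", "key_id": key_id.decode(),
            "principals": _names(principals), "valid_after": valid_after,
            "valid_before": valid_before, "extensions": _names(exts)[0::2]}

def cert_permits(cert, account, now):
    """Empty principal list matches any account; 'now' must lie in [valid_after, valid_before)."""
    if cert["principals"] and account not in cert["principals"]:
        return False
    return cert["valid_after"] <= now < cert["valid_before"]

def build_sample_cert(principals, valid_before=0xFFFFFFFFFFFFFFFF):  # default = "forever"
    """Constructed sample: dummy key material and signature, so sshd would reject it."""
    exts = [b"permit-X11-forwarding", b"permit-agent-forwarding", b"permit-port-forwarding",
            b"permit-pty", b"permit-user-rc"]
    body = (_s(b"ssh-rsa-cert-v01@openssh.com") + _s(b"\x00" * 32) + _s(b"\x01\x00\x01")
            + _s(b"\x00" * 257) + struct.pack(">QI", 0, 1) + _s(b"2")
            + _s(b"".join(_s(p.encode()) for p in principals)) + struct.pack(">QQ", 0, valid_before)
            + _s(b"") + _s(b"".join(_s(e) + _s(b"") for e in exts)) + _s(b"")
            + _s(b"dummy-ca-key") + _s(b"dummy-signature"))
    return "ssh-rsa-cert-v01@openssh.com " + base64.b64encode(body).decode() + " constructed"
```

With `Principals: (none)` as in the step 4 output, the first check in `cert_permits` never fires, so the certificate is accepted for any account on any host that trusts the CA; signing with `-n` is what narrows it to named accounts.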