ssh certificate usage
I am trying to find out how I can use the new self-signed certificates.
So what I read in the man pages, it should be something like:

client:
1) ssh-keygen -f ca_rsa # generate a ssh keypair for use as a certificate

Server(s):
2) make sure your /etc/ssh/sshd_config has TrustedUserCAKeys assigned
TrustedUserCAKeys /etc/ssh/sshcakeys # or whatever name or location you like

3) edit /etc/ssh/sshcakeys and add the contents of ca_rsa.pub in it

Client:
4) for a user generate a certificate of its public key
ssh-keygen -s ca_rsa -I keyid -n user id_rsa.pub
This will generate an id_rsa-cert.pub certificate file

Client:
5) ssh user@server # connect to server using the certificate

Is this correct or did I miss something ?

Is it also possible to disable the plain public key authentication and
only accept certificate authentication (can't find an option for this
in sshd_config)

thx

Hans
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: ssh certificate usage
On Tue, Apr 27, 2010 at 13:49:19 -0500, Hans wrote:
> I am trying to find out how I can use the new self-signed certificates
> So what I read in the man pages, it should be something like:
>
> client:
> 1) ssh-keygen -f ca_rsa # generate a ssh keypair for use as a certificate
>
> Server(s):
> 2) make sure your /etc/ssh/sshd_config has TrustedUserCAKeys assigned
> TrustedUserCAKeys /etc/ssh/sshcakeys # or whatever name or location you like

TrustedUserCAKeys is really intended for specifying system-wide CA keys
such as you would use if your organization were generating certs for
users. For user-generated certs, you would simply add the appropriate
entry to the user's ~/.ssh/authorized_keys file on the servers.

Note that using TrustedUserCAKeys also impacts how the user certificate
is generated. If you use TrustedUserCAKeys, the certificates MUST have a
principal specified.

>
> 3) edit /etc/ssh/sshcakeys and add the contents of ca_rsa.pub in it
>
> Client:
> 4) for a user generate a certificate of its public key
> ssh-keygen -s ca_rsa -I keyid -n user id_rsa.pub
> This will generate an id_rsa-cert.pub certificate file
>
> Client:
> 5) ssh user@server # connect to server using the certificate
>
> Is this correct or did I miss something ?

Other than the comment above regarding the use of TrustedUserCAKeys,
this looks reasonable. Note that with user-generated certs, the CA
should really be listed in the user's ~/.ssh/authorized_keys file and
should have the 'cert-authority' tag.

>
> Is it also possible to disable the plain public key authentication and
> only accept certificate authentication (can't find an option for this
> in sshd_config)

Since certificate-based authentication is really just an extension to
classic public-key authentication, you can't turn off public-key auth
without also turning off certificate support.

However, if you are using a centralized CA (and thus TrustedUserCAKeys),
you could effectively disable classic pubkey auth by specifying a
different path for the authorized_keys file, i.e.:

AuthorizedKeysFile /dev/null

or

AuthorizedKeysFile /etc/ssh/authorized_keys/%u

The latter would make it possible to have exceptions to the general
case.

>
> thx
>
> Hans

--
Iain Morgan

Re: ssh certificate usage
On Tue, 27 Apr 2010, Hans wrote:

> I am trying to find out how I can use the new self-signed certificates
> So what I read in the man pages, it should be something like:
>
> client:
> 1) ssh-keygen -f ca_rsa # generate a ssh keypair for use as a certificate
>
> Server(s):
> 2) make sure your /etc/ssh/sshd_config has TrustedUserCAKeys assigned
> TrustedUserCAKeys /etc/ssh/sshcakeys # or whatever name or location you like
>
> 3) edit /etc/ssh/sshcakeys and add the contents of ca_rsa.pub in it
>
> Client:
> 4) for a user generate a certificate of its public key
> ssh-keygen -s ca_rsa -I keyid -n user id_rsa.pub
> This will generate an id_rsa-cert.pub certificate file
>
> Client:
> 5) ssh user@server # connect to server using the certificate
>
> Is this correct or did I miss something ?

That is it in a nutshell. You should specify a validity period for the
certificates in step #3. Since our revocation implementation is weak at
the moment, it is best to use short-lived certificates that are refreshed
frequently (and hopefully through an easy process for the user).

Also, if you want to try out certificates without touching sshd_config
(e.g. if you don't have superuser access), then you can specify trusted
CA keys on a per-user basis in authorized_keys using the "cert-authority"
key option:

cert-authority ssh-rsa AAA.....

> Is it also possible to disable the plain public key authentication and
> only accept certificate authentication (can't find an option for this
> in sshd_config)

You can set AuthorizedKeysFile to /dev/null, so sshd will never find
any regular keys there. This can be done on a per-user/group/address
basis using the Match keyword.

As you are probably aware, the certificate support is very new and I'd
love to hear any feedback or criticism you may have.

-d
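
The per-user setup this reply describes (a short validity period plus a "cert-authority" entry in authorized_keys), as an added example that is not part of the original message or of OpenSSH itself. The file names, the principal "hans" and the key ID are constructed, and ed25519 keys assume a newer OpenSSH release than the one discussed in this 2010 thread.

```shell
#!/bin/sh
# Added example. Constructed names: ca_key, id_user, principal "hans".
# Everything happens in a throwaway directory; ~/.ssh and /etc/ssh are untouched.

# make_user_cert DIR PRINCIPAL VALIDITY
# Creates a CA key pair and a user key pair in DIR, then signs the user's
# public key. VALIDITY is an ssh-keygen -V interval such as "+1h".
make_user_cert() {
    dir=$1; principal=$2; validity=$3
    ssh-keygen -q -t ed25519 -N '' -C 'demo CA' -f "$dir/ca_key" &&
    ssh-keygen -q -t ed25519 -N '' -C "$principal" -f "$dir/id_user" &&
    ssh-keygen -q -s "$dir/ca_key" -I "demo-$principal" \
        -n "$principal" -V "$validity" "$dir/id_user.pub"
    # On success the certificate is $dir/id_user-cert.pub
}

# authorized_keys_line CA_PUB
# Prints the per-user trust entry: the CA public key prefixed with the
# cert-authority option, for ~/.ssh/authorized_keys on the server.
authorized_keys_line() {
    printf 'cert-authority %s\n' "$(cat "$1")"
}

# cert_is_short_lived CERT
# Succeeds only if the certificate carries an expiry. ssh-keygen -L prints
# "Valid: forever" when no -V was given at signing time.
cert_is_short_lived() {
    ssh-keygen -L -f "$1" | grep 'Valid:' | grep -qv 'forever'
}

demo() {
    work=$(mktemp -d) || return 1
    make_user_cert "$work" hans +1h || return 1
    ssh-keygen -L -f "$work/id_user-cert.pub"   # type, key ID, validity, principals
    authorized_keys_line "$work/ca_key.pub"
    cert_is_short_lived "$work/id_user-cert.pub" && echo "expiry is set"
    rm -rf "$work"
}

demo
```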

Re: ssh certificate usage
>> Is this correct or did I miss something ?
>
> That is it in a nutshell. You should specify a validity period for the
> certificates in step #3. Since our revocation implementation is weak at
> the moment, it is best to use short-lived certificates that are refreshed
> frequently
Yes, I kept the example as simple as possible without any of the
other possible restrictions.

> (and hopefully through an easy process for the user).
that will be a challenge...

But the advantage of using certificates is that you can add
restrictions to them and, even better, you don't have to distribute
the public keys to the correct system for each user.
Only the CA public key should be put once in the TrustedUserCAKeys file.

> You can set AuthorizedKeysFile to /dev/null, so sshd will never find
> any regular keys there. This can be done on a per-user/group/address
> basis using the Match keyword.

That is the one I missed, otherwise users could connect once using the
certificate, put their plain public key in the .ssh/authorized_keys2 and
remove their cert pub key and make connections without the restrictions.

So it looks mandatory to me, if you use TrustedUserCAKeys, to also
disable AuthorizedKeysFile for the selected users or groups.

> As you are probably aware, the certificate support is very new and I'd
> love to hear any feedback or criticism you may have.

So far I like it :)
I still have to check the possible restrictions and how the ssh-agent is
handling the cert pub keys.

Hans

Re: ssh certificate usage
On Wed, 28 Apr 2010, Hans wrote:

> > You can set AuthorizedKeysFile to /dev/null, so sshd will never find
> > any regular keys there. This can be done on a per-user/group/address
> > basis using the Match keyword.
>
> That is the one I missed, otherwise users could connect once using the
> certificate,
> put their plain public key in the .ssh/authorized_keys2 and remove
> their cert pub key and make connections without the restrictions.

oops, it seems I'm mistaken about selecting AuthorizedKeysFile through
Match - it isn't supported. I just filed
https://bugzilla.mindrot.org/show_bug.cgi?id=1764 to add it.

> > As you are probably aware, the certificate support is very new and I'd
> > love to hear any feedback or criticism you may have.
>
> Until so far I like it :)
> Have to check still the possible restrictions and how the ssh-agent is
> handling the cert pub keys

ssh-agent should accept add requests for certified keys and should sign
them correctly. Certified keys should be added automatically by ssh-add
if they are named XXX-cert.pub to a corresponding private key file. This
is essentially the same way that ssh(1) uses them.

-d

Re: ssh certificate usage
>
> oops, it seems I'm mistaken about selecting AuthorizedKeysFile through
> Match - it isn't supported. I just filed
> https://bugzilla.mindrot.org/show_bug.cgi?id=1764 to add it.
>

Thx

The principals now only support user and host (or a list of).
Is it possible that the principal can also be used for a user group?

Hans

Re: ssh certificate usage
On Wed, 28 Apr 2010, Hans Harder wrote:

> >
> > oops, it seems I'm mistaken about selecting AuthorizedKeysFile through
> > Match - it isn't supported. I just filed
> > https://bugzilla.mindrot.org/show_bug.cgi?id=1764 to add it.
>
> The principals now only support user and host (or a list of)
> Is it possible that the principal can also be used for a user group

How would you envisage that would work?

-d

Re: ssh certificate usage
>> The principals now only support user and host (or a list of)
>> Is it possible that the principal can also be used for a user group
>
> How would you envisage that would work?

Same as the match group in sshd_config.

That way I can assign the users to a special group which uses certificates only.
In the sshd_config I then can use the match group to deny
kbinteractive and set the AuthorizedKeysFile to null with one line.

Otherwise I will keep on changing the sshd_config and need to add new
certificates in the TrustedUserCAKeys file on all the systems for new
people.
I want to make as few changes as possible to the sshd configuration.


Hans