Mailing List Archive

Requiring certificate signature and an authorized key to authenticate
Hey everyone,

Basically, I'm trying to figure out if I can configure sshd to require that the user has a key that has been signed by a trusted user CA *and* is listed separately as an authorised key (or the user has a signed key and a different authorised key)?

The closest I've come is having an `authorized_keys` file have two entries consisting of the CA key and a normal key with `AuthenticationMethods: publickey,publickey` option set, so that sshd requires that a user produces both the normal key and a signed key. This works, but means a user can't then have multiple keys (e.g. one per device), and feels somewhat brittle in that adding a key to that file breaks the requirement that the user presents a signed key.

The motivation behind this is that I've been looking at using a self-service cert authority that lets users get their keys signed by the CA in a restricted way, e.g. be IP locked, have expiry times, requires third party approval to get access to certain hosts, etc. However, I'm uncomfortable having a single server have the CA cert, since if the box gets owned they get credentials to access everything. Hence wondering if we could require having both a valid key *and* a valid signature from the CA, as then having the cert by itself is useless.

Thoughts and suggestions welcome, including that this sounds like a terrible idea and I'm doing it wrong.


Thanks,
Erik
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
RE: Requiring certificate signature and an authorized key to authenticate [ In reply to ]
AFAIK, sshd, by itself, cannot enforce your specific 2FA requirement (one cert + one authorized key). You could potentially leverage AuthorizedKeysCommand. It would probably require maintaining some state (authorized_keys, trusted ca keys, auth attempts) on your own.





________________________________
From: openssh-unix-dev <openssh-unix-dev-bounces+manojampalam=live.com@mindrot.org> on behalf of Erik Johnston <erikj-openssh@jki.re>
Sent: Tuesday, June 25, 2019 10:22:55 AM
To: openssh-unix-dev@mindrot.org
Subject: Requiring certificate signature and an authorized key to authenticate

Hey everyone,

Basically, I'm trying to figure out if I can configure sshd to require that the user has a key that has been signed by a trusted user CA *and* is listed separately as an authorised key (or the user has a signed key and a different authorised key)?

The closest I've come is having an `authorized_keys` file have two entries consisting of the CA key and a normal key with `AuthenticationMethods: publickey,publickey` option set, so that sshd requires that a user produces both the normal key and a signed key. This works, but means a user can't then have multiple keys (e.g. one per device), and feels somewhat brittle in that adding a key to that file breaks the requirement that the user presents a signed key.

The motivation behind this is that I've been looking at using a self-service cert authority that lets users get their keys signed by the CA in a restricted way, e.g. be IP locked, have expiry times, requires third party approval to get access to certain hosts, etc. However, I'm uncomfortable having a single server have the CA cert, since if the box gets owned they get credentials to access everything. Hence wondering if we could require having both a valid key *and* a valid signature from the CA, as then having the cert by itself is useless.

Thoughts and suggestions welcome, including that this sounds like a terrible idea and I'm doing it wrong.


Thanks,
Erik
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.mindrot.org%2Fmailman%2Flistinfo%2Fopenssh-unix-dev&amp;data=02%7C01%7C%7Cf231135f471049fd07e908d6f991f2b5%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636970802567816448&amp;sdata=%2F4zOz7AZiau%2BN2o5X92cgYt8QQ6PU1APwr%2B5e8wfC2Q%3D&amp;reserved=0
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: Requiring certificate signature and an authorized key to authenticate [ In reply to ]
On Tue, 25 Jun 2019, Erik Johnston wrote:

> Hey everyone,
>
> Basically, I'm trying to figure out if I can configure sshd to require
> that the user has a key that has been signed by a trusted user CA
> *and* is listed separately as an authorised key (or the user has a
> signed key and a different authorised key)?
>
> The closest I've come is having an `authorized_keys` file have
> two entries consisting of the CA key and a normal key with
> `AuthenticationMethods: publickey,publickey` option set, so that sshd
> requires that a user produces both the normal key and a signed key.
> This works, but means a user can't then have multiple keys (e.g. one
> per device), and feels somewhat brittle in that adding a key to that
> file breaks the requirement that the user presents a signed key.

There's no good way to express multi-factor authentication using just
keys in sshd_config at the moment. You've hit on what is the closest
that you can do - listing each of the keys that you require and
setting AuthenticationMethods=publickey,publickey

This only happens to work because most* versions of sshd will refuse
to allow a single public key to pass multiple required authentications.
That this allows MFA using pubkeys only isn't quite accidental behaviour
(I had this case in mind when I implemented it), but its still a long
way from a proper system.

I'm certainly open to implementing the other parts that are needed to
pure-pubkey MFA, but I'm unsure what the sshd configuration UI would
look like. So let me ask: how would you like it to work?

I guess the cert+plain key combo is likely to be a fairly common
requirment. Maybe we could bundle the keys required into the
AuthenticationMethods line, e.g.

AuthenticationMethods publickey:CA/9+CulD19jyl0DEPteRcXM8uVbYsG3MgbSslrgXkt458,publickey

-d

* versions prior to 6.8 didn't enforce this
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: Requiring certificate signature and an authorized key to authenticate [ In reply to ]
On Tue, 2019-06-25 at 18:22 +0100, Erik Johnston wrote:
> Hey everyone,
>
> Basically, I'm trying to figure out if I can configure sshd to
> require that the user has a key that has been signed by a trusted
> user CA *and* is listed separately as an authorised key (or the user
> has a signed key and a different authorised key)?
>
> The closest I've come is having an `authorized_keys` file have two
> entries consisting of the CA key and a normal key with
> `AuthenticationMethods: publickey,publickey` option set, so that sshd
> requires that a user produces both the normal key and a signed key.
> This works, but means a user can't then have multiple keys (e.g. one
> per device), and feels somewhat brittle in that adding a key to that
> file breaks the requirement that the user presents a signed key.
>
> The motivation behind this is that I've been looking at using a self-
> service cert authority that lets users get their keys signed by the
> CA in a restricted way, e.g. be IP locked, have expiry times,
> requires third party approval to get access to certain hosts, etc.
> However, I'm uncomfortable having a single server have the CA cert,
> since if the box gets owned they get credentials to access
> everything. Hence wondering if we could require having both a valid
> key *and* a valid signature from the CA, as then having the cert by
> itself is useless.
>
> Thoughts and suggestions welcome, including that this sounds like a
> terrible idea and I'm doing it wrong.

As already said, there is no simple way to do this in OpenSSH itself.
But since few releases back, the OpenSSH can publish [1] what
authentication was used in OpenSSH for PAM, which can in the end do the
final decision whether the authentication was valid or not (two public
keys or one of the valid certificate).

This was implemented by the guys from CERN primarily for 2fa, but I
think this can do also for you with some tweaks.

[1] https://bugzilla.mindrot.org/show_bug.cgi?id=2408

Regards,

--
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: Requiring certificate signature and an authorized key to authenticate [ In reply to ]
Thanks Damien, that broadly aligns with my understanding.

On Fri, 28 Jun 2019, at 03:46, Damien Miller wrote:
> I'm certainly open to implementing the other parts that are needed to
> pure-pubkey MFA, but I'm unsure what the sshd configuration UI would
> look like. So let me ask: how would you like it to work?

I've been thinking what the configuration could look like over the past few days, and really it feels like the options depend on how configurable we'd like to make things in the future.

Where I've broadly ended up is allowing configurable auth stages, something akin to:

```
AuthenticationMethods: custom_stage,pubkey

AuthStage custom_stage
AuthenticationMethod: pubkey
AuthorizedKeysFile: authorized_ca_file
```

i.e. where you take an existing auth method but allow it to be configured. This could then (?) be later extended to allow adding additional restrictions based on the stages used to authenticate, e.g. only allow running a commad, IP locking, etc akin to the restrictions that can be added to authorized keys file. This feels like the most generic solution that'll most easily support further extensions to the auth flows.

The downside here (other than complexity to implement) is that the authentication flows are now potentially convoluted, making it harder for operators to check that the settings are secure at a glance and making it easier to misconfigure it. Though given the way that auth can be delegated to PAM the horse may have bolted somewhat on that one.

On the other hand just allowing the auth stages to have some (minimal) configuration as part of the `AuthenticationMethods` line may be the right approach by virtue of its sheer simplicity.

(I was planning on having a bit more of a poke of the code base to try and figure out a bit what sort of things would be feasible to add without too much work, but haven't managed to get that far yet.)

On 28/06/2019 07:28, Jakub Jelen wrote:
> As already said, there is no simple way to do this in OpenSSH itself.
> But since few releases back, the OpenSSH can publish [1] what
> authentication was used in OpenSSH for PAM, which can in the end do the
> final decision whether the authentication was valid or not (two public
> keys or one of the valid certificate).

Ah, I hadn't realised this! Thanks for pointing it out, that sounds like it could be really quite useful indeed.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev