
Re: Help request for authentication with certificates


On 10/27/21 16:26, Marco wrote:
Hi all and thanks for attention.

I have some difficulties authenticating with a certificate from a C application using ssh to a server that is correctly configured, I think.

I've generated a private and public key and signed the public key with the certification authority's private key to get a -cert.pub with the desired principals (the principals are in /etc/ssh/auth_principals/%u on the server side).

The server is configured to recognize the CA and has the authentication principals.

Using ssh from shell I have no issue.

With the C application, following the tutorial, after setting up the session with username, IP and port, I try public key authentication using the cert file and it succeeds; then I try to authenticate with the private key, but I get Access denied.

AFAIK OpenSSH (ssh from the shell) automatically loads the existing -cert.pub files when it finds them alongside the private and public key files. I am not sure if this functionality is implemented in libssh, but from what you describe, it looks like that is the case.

Certificate and public key authentication both use the pubkey authentication method, but they use a different "key type" (or mechanism; for example ssh-ed25519 or ssh-ed25519-cert-v01@xxxxxxxxxxx), which means different content in the authentication packets (you should be able to see this difference in debug mode on both the server and the client).

I think this works as expected from the protocol point of view. If you think libssh should also try to find matching certificates and use them for the authentication, contributions are welcome:

https://gitlab.com/libssh/libssh-mirror

Hope it helps,
--
Jakub Jelen
Crypto Team, Security Engineering
Red Hat, Inc.
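
The key-type distinction Jakub describes above, as an added example that is not from this thread or from libssh: a small Python parser that reads a .pub or -cert.pub line the way the pubkey method sees it, reporting whether the blob is a plain ssh-ed25519 key or a -cert-v01@openssh.com certificate (the real OpenSSH type suffix), and which principals the certificate asserts, which is the list sshd matches against /etc/ssh/auth_principals/%u. It goes a little beyond the thread by also skipping the key fields of RSA and ECDSA certificates. The sample lines, the key id "marco-laptop" and the principals are constructed inside the block; the key bytes are filler and the CA signature is not verified.

```python
import base64
import struct
CERT_SUFFIX = "-cert-v01@openssh.com"  # OpenSSH appends this to the base key type
PK_FIELDS = {"ssh-ed25519": 1, "ssh-rsa": 2, "ecdsa-sha2-nistp256": 2}  # key fields inside a cert
def put_string(b: bytes) -> bytes:  # SSH 'string': uint32 big-endian length + bytes
    return struct.pack(">I", len(b)) + b

def get_string(buf: bytes, off: int):  # returns (field bytes, offset after the field)
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_key_line(line: str) -> dict:  # one '<type> <base64> [comment]' line of a .pub / -cert.pub
    parts = line.split(None, 2)
    blob = base64.b64decode(parts[1], validate=True)
    wire_type, off = get_string(blob, 0)
    wire_type = wire_type.decode()
    if wire_type != parts[0]:
        raise ValueError(f"type field {parts[0]!r} disagrees with blob {wire_type!r}")
    info = {"type": wire_type, "is_cert": wire_type.endswith(CERT_SUFFIX), "principals": []}
    if not info["is_cert"]:
        return info  # plain key: the blob holds only the type and the key material
    for _ in range(1 + PK_FIELDS[wire_type[:-len(CERT_SUFFIX)]]):  # nonce, then the certified key
        _field, off = get_string(blob, off)
    info["serial"], cert_type = struct.unpack_from(">QI", blob, off)
    key_id, off = get_string(blob, off + 12)
    packed, off = get_string(blob, off)  # valid principals: one string holding nested strings
    p_off = 0
    while p_off < len(packed):
        p, p_off = get_string(packed, p_off)
        info["principals"].append(p.decode())
    info.update(key_id=key_id.decode(), user_cert=(cert_type == 1))  # 1 = user cert, 2 = host cert
    return info

def principal_allowed(info: dict, allowed: list) -> bool:  # same test sshd applies via auth_principals
    return info["is_cert"] and info["user_cert"] and any(p in allowed for p in info["principals"])

def build_sample_cert_line(principals, key_id="marco-laptop") -> str:  # constructed; signature is filler
    t = b"ssh-ed25519" + CERT_SUFFIX.encode()
    body = put_string(t) + put_string(b"\x11" * 32) + put_string(b"\x22" * 32)  # type, nonce, pk
    body += struct.pack(">QI", 7, 1) + put_string(key_id.encode())  # serial 7, user cert, key id
    body += put_string(b"".join(put_string(p.encode()) for p in principals))
    body += struct.pack(">QQ", 0, 2**64 - 1) + put_string(b"") * 3  # validity; options, extensions, reserved
    body += put_string(put_string(b"ssh-ed25519") + put_string(b"\x33" * 32))  # CA public key
    body += put_string(put_string(b"ssh-ed25519") + put_string(b"\x44" * 64))  # signature, not verified here
    return f"{t.decode()} {base64.b64encode(body).decode()} constructed-sample"

def build_sample_plain_line() -> str:  # constructed: the same key bytes with no certificate wrapper
    return "ssh-ed25519 " + base64.b64encode(put_string(b"ssh-ed25519") + put_string(b"\x22" * 32)).decode()
```

Running parse_key_line over both sample lines shows the two blobs differ already in their first field, which is why the server treats them as different key types even though both arrive via the pubkey method.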

