Re: Help request for authentication with certicates

[Jakub Jelen <jjelen@xxxxxxxxxx>]

On 10/27/21 16:26, Marco wrote:
> Hi all and thanks for attention.
>
> I have some difficulties in authentication using certificate from C 
> application using ssh to a server correctly configured, I think.
>
> I've generate a private and public key and signed the public with the 
> certification authority private key to have -cert.pub with desired 
> principals (principals are in /etc/ssh/auth_principals/%u at server side)
>
> The server is configured to recognize the CA and has authentication 
> principals
>
> Using ssh from shell I have no issue.
>
> With c application following tutorial and after setting session with 
> username, ip, port, I try public key using cert file,it succeed, then I 
> try to authenticate with private key but I have Access denied.

AFAIK the OpenSSH (ssh from shell) automatically loads the existing 
-cert.pub files when it founds them alongside of the private and public 
key files. I am not sure if this functionality is implemented in libssh, 
but from what you describe, it looks like the case.

The certificate and public key authentication are both using the pubkey 
authentication method, but they are using different "key type" (or 
mechanism -- for example ssh-ed25519 or 
ssh-ed25519-cert-v01@xxxxxxxxxxx, which will use different content of 
the authentication packets (you should be able to see this difference in 
debug mode of both server and clients).

I think this works as expected from the protocol point of view. If you 
think libssh should also try to find matching certificates and use them 
for the authentication, contributions are welcomed:

https://gitlab.com/libssh/libssh-mirror

Hope it helps,
--
Jakub Jelen
Crypto Team, Security Engineering
Red Hat, Inc.