Re: How to access user certificate in auth_pubkey_function
- Subject: Re: How to access user certificate in auth_pubkey_function
- From: Jakub Jelen <jjelen@xxxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Mon, 8 Sep 2025 19:55:56 +0200
- To: libssh@xxxxxxxxxx, Francesco Rollo <eferollo@xxxxxxxxx>
Hi and welcome to libssh!

Currently, libssh treats certificates as opaque, which means they can be used in libssh clients for authentication, but they can not be used in a libssh server to authenticate users, as we were missing a proper parser and logic around them. There has been work going on (thank you Francesco and GSoC, added to copy) to implement the remaining parts in the following MR, which is due to be merged (hopefully soon) and which implements the missing bits:

https://gitlab.com/libssh/libssh-mirror/-/merge_requests/639

Right now, it does not have a lot of documentation, but from the tests you should be able to get all the information from the certificates you need (or use the convenience functions that verify the certificates against the CA/principals or other rules, similar to what is in OpenSSH).

We would be happy for feedback on the functionality and for testing from a real-world use case, either here or directly in GitLab.

Thanks,
Jakub

On Sat, Sep 6, 2025 at 5:03 AM Chidanand Gangur <chidanand.gangur@xxxxxxxxx> wrote:
> Hello Everyone,
>
> I am trying to implement an SSH proxy. In the process of learning I am
> trying out libssh*/examples/ssh_server.c.
>
> I was able to compile and run the server.
>
> I am trying public key based authentication.
>
> On the client side I am connecting using the following command:
>
> ssh -p 2222 -vv -i ./id_rsa user@192.168.64.2
>
> I am running ssh_server like this (I have done some minor modifications
> w.r.t. argp and have retained only the pthread based solution):
>
> ./ssh_server -a ./id_rsa.pub -r ./ssh_host_rsa_key -p 2222 -v 0.0.0.0
>
> With this I am able to login successfully on the server.
>
> The second case which I tried was to sign the user key with a CA. This
> resulted in an id_rsa-cert.pub on the client side.
>
> I tried the same exercise to connect to the server.
>
> On the server side, in the auth_publickey function I added 2 prints to print:
>
> 1. ssh_key_type
> 2. ssh_key_is_public
>
> The first function ssh_key_type resulted in SSH_KEYTYPE_RSA (value 2) and
> the second function returned 1 (is_public).
>
> I was expecting it to print SSH_KEYTYPE_RSA_CERT01 and 1.
>
> My Question:
>
> In auth_publickey I want to access the user certificate and then verify
> the CA signature. Instead of verifying against the authorized keys I want to
> verify it against the CA public key.
>
> A functionality similar to configuring TrustedUserCAKeys in the OpenSSH
> server.
>
> How can I get hold of the user certificate?
>
> In ssh_key_struct I see there are the member variables
>
> ssh_buffer cert;
> enum ssh_keytypes_e cert_type;
> };
>
> I did not find any function to access ssh_key->cert.
>
> Please point me to some code reference or documentation.
>
> Thanks,
> Chidanand
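What sits inside the opaque buffer the question asks about, as an added worked example that is not part of this thread and not libssh code: a stand-alone C parser for the OpenSSH certificate wire format (the base64 body of an id_rsa-cert.pub line, laid out as in OpenSSH's PROTOCOL.certkeys), followed by the TrustedUserCAKeys-style checks a server would apply before accepting the login. It assumes that ssh_key->cert holds that raw blob (an assumption; the MR above is the authoritative API), it does not call libssh at all, and every function name, sample value and the constructed ed25519 certificate it builds (dummy key bytes, an all-zero signature placeholder) are this example's own. The one step it leaves out is the CA signature check itself, which needs a crypto library; cert_parse() exposes the signed region and the signature so that check can be done.

```c
/* Added example, not libssh code: parse the OpenSSH certificate blob that libssh
 * keeps opaque in ssh_key->cert (assumed to be the raw "<type>-cert-v01@openssh.com"
 * wire blob, i.e. the base64 body of id_*-cert.pub; layout per OpenSSH
 * PROTOCOL.certkeys) and apply TrustedUserCAKeys-style policy to it. */
#include <stdint.h>
#include <string.h>

struct rd { const uint8_t *p; size_t n; int err; };                 /* bounded reader */
static uint32_t get_u32(struct rd *r) {
    if (r->n < 4) { r->err = 1; return 0; }
    uint32_t v = (uint32_t)r->p[0] << 24 | (uint32_t)r->p[1] << 16 | (uint32_t)r->p[2] << 8 | r->p[3];
    r->p += 4; r->n -= 4; return v;
}
static uint64_t get_u64(struct rd *r) { uint64_t hi = get_u32(r); return hi << 32 | get_u32(r); }
static const uint8_t *get_str(struct rd *r, size_t *len) {          /* SSH string/mpint: u32 length + bytes */
    uint32_t l = get_u32(r);
    if (r->err || l > r->n) { r->err = 1; *len = 0; return NULL; }
    const uint8_t *s = r->p; r->p += l; r->n -= l; *len = l; return s;
}
struct cert {
    char type[64];
    uint64_t serial, valid_after, valid_before;
    uint32_t cert_type;                                   /* 1 = user, 2 = host */
    const uint8_t *principals, *ca_key, *sig;             /* packed strings; CA pubkey blob; signature blob */
    size_t principals_len, ca_key_len, sig_len, tbs_len;  /* blob[0..tbs_len) is what the CA signed */
};

int cert_parse(const uint8_t *blob, size_t len, struct cert *c) {
    struct rd r = { blob, len, 0 }; size_t l; const uint8_t *s; int i, nk;
    memset(c, 0, sizeof *c);
    s = get_str(&r, &l);
    if (r.err || l >= sizeof c->type) return -1;
    memcpy(c->type, s, l);
    /* key-specific fields between nonce and serial: ed25519 pk; rsa e,n; ecdsa curve,Q */
    nk = !strcmp(c->type, "ssh-ed25519-cert-v01@openssh.com") ? 1
       : !strcmp(c->type, "ssh-rsa-cert-v01@openssh.com") || !strncmp(c->type, "ecdsa-sha2-nistp", 16) ? 2 : -1;
    if (nk < 0) return -1;                                 /* unknown (e.g. sk-*) type: refuse, don't guess */
    get_str(&r, &l);                                       /* nonce */
    for (i = 0; i < nk; i++) get_str(&r, &l);              /* subject public key */
    c->serial = get_u64(&r); c->cert_type = get_u32(&r);
    get_str(&r, &l);                                       /* key id */
    c->principals = get_str(&r, &c->principals_len);
    c->valid_after = get_u64(&r); c->valid_before = get_u64(&r);
    get_str(&r, &l); get_str(&r, &l); get_str(&r, &l);     /* critical options, extensions, reserved */
    c->ca_key = get_str(&r, &c->ca_key_len);
    c->tbs_len = (size_t)(r.p - blob);                     /* signature covers everything up to here */
    c->sig = get_str(&r, &c->sig_len);
    return (r.err || r.n != 0) ? -1 : 0;                   /* truncated or trailing bytes: reject */
}

/* OpenSSH treats an empty principal list as "any user"; this check does not. */
int cert_has_principal(const struct cert *c, const char *user) {
    struct rd r = { c->principals, c->principals_len, 0 }; size_t l;
    while (r.n > 0) {
        const uint8_t *s = get_str(&r, &l);
        if (r.err) return 0;
        if (l == strlen(user) && memcmp(s, user, l) == 0) return 1;
    }
    return 0;
}
/* 0 means: go on to verify c->sig over blob[0..c->tbs_len) with the trusted CA key. */
int cert_policy_check(const struct cert *c, const char *user, uint64_t now,
                      const uint8_t *trusted_ca, size_t trusted_ca_len) {
    if (c->cert_type != 1) return -1;                                   /* not a user certificate */
    if (c->ca_key_len != trusted_ca_len || memcmp(c->ca_key, trusted_ca, trusted_ca_len)) return -2;
    if (!cert_has_principal(c, user)) return -3;
    if (now < c->valid_after || now >= c->valid_before) return -4;      /* outside validity window */
    return 0;
}

/* ---- constructed sample: an ed25519 user cert with dummy key and signature bytes ---- */
struct wr { uint8_t *p; size_t n; };
static void put_u32(struct wr *w, uint32_t v) { for (int s = 24; s >= 0; s -= 8) w->p[w->n++] = (uint8_t)(v >> s); }
static void put_u64(struct wr *w, uint64_t v) { put_u32(w, (uint32_t)(v >> 32)); put_u32(w, (uint32_t)v); }
static void put_str(struct wr *w, const void *s, size_t l) { put_u32(w, (uint32_t)l); memcpy(w->p + w->n, s, l); w->n += l; }
static size_t build_ca_key(uint8_t *out, uint8_t fill) {             /* "ssh-ed25519" pubkey blob */
    uint8_t pk[32]; memset(pk, fill, sizeof pk); struct wr w = { out, 0 };
    put_str(&w, "ssh-ed25519", 11); put_str(&w, pk, 32); return w.n;
}
static size_t build_sample_cert(uint8_t *out, const uint8_t *ca, size_t ca_len) {
    static const uint8_t zeros[64];
    uint8_t princ[32]; struct wr pw = { princ, 0 }, w = { out, 0 };
    put_str(&pw, "alice", 5); put_str(&pw, "deploy", 6);            /* valid principals, packed */
    put_str(&w, "ssh-ed25519-cert-v01@openssh.com", 32); put_str(&w, zeros, 32);  /* type, nonce */
    put_str(&w, zeros, 32); put_u64(&w, 42); put_u32(&w, 1);        /* subject pk (dummy), serial, user cert */
    put_str(&w, "alice@laptop", 12); put_str(&w, princ, pw.n);      /* key id, principals */
    put_u64(&w, 1700000000); put_u64(&w, 1700086400);               /* valid after / before, epoch seconds */
    put_str(&w, "", 0); put_str(&w, "", 0); put_str(&w, "", 0);     /* critical options, extensions, reserved */
    put_str(&w, ca, ca_len); put_str(&w, zeros, 64);                /* signature key, signature placeholder */
    return w.n;
}
/* Build, parse, check. wrong_ca: issue under an untrusted CA; cut: drop trailing bytes (truncated -> -99). */
int sample_check(uint64_t now, const char *user, int wrong_ca, size_t cut) {
    uint8_t ca[64], other[64], blob[512]; struct cert c;
    size_t ca_len = build_ca_key(ca, 0xAA), other_len = build_ca_key(other, 0xBB);
    size_t len = build_sample_cert(blob, wrong_ca ? other : ca, wrong_ca ? other_len : ca_len);
    if (cert_parse(blob, len - cut, &c) != 0) return -99;
    return cert_policy_check(&c, user, now, ca, ca_len);
}
```

cert_policy_check() returning 0 is not a login decision on its own: the server still has to verify c->sig over the first c->tbs_len bytes of the blob with the trusted CA key, and in a libssh auth_pubkey_function callback only the invocation with signature_state == SSH_PUBLICKEY_STATE_VALID proves the client holds the private key for the subject key inside the certificate. The parser refuses rather than guesses on certificate types it does not know, rejects trailing bytes, and treats an empty principal list as a denial, which is stricter than OpenSSH's behaviour.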