# OpenSSH Certificate Based Authentication

## brianakee

Does anyone have any experience setting up OpenSSH certificate-based authentication?

Any information regarding this would be appreciated.

Thank You, 

TM

----------

## Houdini

Certificate based, or public-key based?  I know lots about the latter, and wasn't aware of the former.

----------

## brianakee

Let me rephrase:

Does anyone have any experience setting up OpenSSH X509-based authentication?

As per the man page this is possible.

Thank You,

TM

----------

## Houdini

Ah.

Sorry, I've got nothing.

----------

## Chris W

Which man page? The string "509" does not appear in any of my man pages for ssh, sshd, sshd_config, or ssh_config.

Google came up with some references to patches for OpenSSH to support PKI (x.509) certificates but AFAIK these are not part of the distribution. Google searches for X.509 and x509 on the openssh.org site also draw blanks except for an expired draft mentioning optional x.509 functionality.

Are you perhaps referring to OpenSSL?

----------

## brianakee

man sshd

*Quote:*

> SSH protocol version 2
>
> Version 2 works similarly: Each host has a host-specific key (RSA or DSA)
> used to identify the host.  It is possible host key to contain key plus
> ...

ssh -V

*Quote:*

> OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004

This is about all that I have been able to find on the subject.

TM

----------

## Chris W

Curious. From my copy of the man page:

*Quote:*

> SSH protocol version 2
>
> Version 2 works similarly: Each host has a host-specific key (RSA or DSA)
> used to identify the host.  However, when the daemon starts, it does not
> ...

for this version:

```
$ ssh -V
OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004
```

My man page matches the distribution file for OpenSSH (both 3.8 and 3.7.1p2).

I know of no way to directly use X.509 certificates with OpenSSH. You can extract the public key from a certificate using:

```
openssl x509 -in ./certs/nortelCA.pem -pubkey
-----BEGIN PUBLIC KEY-----
MIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQCaroS7O1DA0hm4IefNYU1cx/nq
OmzEnk291d1XqznDeF4wEgakbkCczTKxK791yNpXG5RmngqH7cygDRTHZJ6mfCRn
0wGC+AI00F2vYTGqPGRQL1N3lZT0YDKFC0SQeMMjFIZ1aeQigroFQnHo0VB3zWIM
pNkka8PY9lxHZAmWwQIBAw==
-----END PUBLIC KEY-----
-----BEGIN CERTIFICATE-----
MIICajCCAdMCBDGA0QUwDQYJKoZIhvcNAQEEBQAwfTELMAkGA1UEBhMCQ2ExDzAN
BgNVBAcTBk5lcGVhbjEeMBwGA1UECxMVTm8gTGlhYmlsaXR5IEFjY2VwdGVkMR8w
HQYDVQQKExZGb3IgRGVtbyBQdXJwb3NlcyBPbmx5MRwwGgYDVQQDExNFbnRydXN0
IERlbW8gV2ViIENBMB4XDTk2MDQyNjEzMzUwMVoXDTA2MDQyNjEzMzUwMVowfTEL
MAkGA1UEBhMCQ2ExDzANBgNVBAcTBk5lcGVhbjEeMBwGA1UECxMVTm8gTGlhYmls
aXR5IEFjY2VwdGVkMR8wHQYDVQQKExZGb3IgRGVtbyBQdXJwb3NlcyBPbmx5MRww
GgYDVQQDExNFbnRydXN0IERlbW8gV2ViIENBMIGdMA0GCSqGSIb3DQEBAQUAA4GL
ADCBhwKBgQCaroS7O1DA0hm4IefNYU1cx/nqOmzEnk291d1XqznDeF4wEgakbkCc
zTKxK791yNpXG5RmngqH7cygDRTHZJ6mfCRn0wGC+AI00F2vYTGqPGRQL1N3lZT0
YDKFC0SQeMMjFIZ1aeQigroFQnHo0VB3zWIMpNkka8PY9lxHZAmWwQIBAzANBgkq
hkiG9w0BAQQFAAOBgQBAx0UMVA1s54lMQyXjMX5kj99FJN5itb8bK1Rk+cegPQPF
cWO9SEWyEjjBjIkjjzAwBkaEszFsNGxemxtXvwjIm1xEUMTVlPEWTs2qnDvAUA9W
YqhWbhH0toGT36236QAsqCZ76rbTRVSSX2BHyJwJMG2tCRv7kRJ//NIgxj3H4w==
-----END CERTIFICATE-----
```

but this won't necessarily be of use to you.

There are third party patches that might be of use:

http://roumenpetrov.info/openssh/

----------

## brianakee

I wonder if this is the change that is made by adding x509 to the USE variable.

In any case, I will have to investigate further.

Thanks for the information regarding openssl. I am sure that it will come in handy.

TM

----------

## Chris W

The patch applied by the x509 USE flag is the patch I linked to.  Perhaps there's something at that site that would give a clue as to how to use it.

http://www.roumenpetrov.info/openssh/x509h/README.x509v3

----------

## brianakee

I will look again. I was all over that site. Though there is some very good information there, the information does not seem to be very helpful, especially to someone who is not very versed in the ways of openssl.

Interestingly enough, I have been trying to put together some information regarding the use of openssl (x509). Using this with OpenSSH seemed like a very practical use for my testing. In any case, I will keep at it.

If I get it working, or find more information about OpenSSH with x509, I will definitely post it here.

Thank You, 

TM

----------

## eunuque

Have you got it to work?

I remerged openssh with the X509 patch, then followed the readme from

http://www.roumenpetrov.info/openssh/x509h/README.x509v3

but I can't authenticate using certificates.

----------

## Julz

*eunuque wrote:*

> Have you got it to work?
>
> I remerged openssh with the X509 patch, then followed the readme from
>
> http://www.roumenpetrov.info/openssh/x509h/README.x509v3
> ...

I can't either, but if someone has more information I'll be very interested.

I try to authenticate the server with a host certificate and a custom CA. I run ssh with -vvv and everything looks fine up to here:

```
debug3: x509key_from_blob: We have 1107 bytes available in BIO
debug3: x509_to_key: X509_get_pubkey done!
debug3: check_host_in_hostfile: filename ~/.ssh/known_hosts
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
debug3: check_host_in_hostfile: filename ~/.ssh/known_hosts
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
debug2: no key of type 0 for host 192.168.1.61
debug3: check_host_in_hostfile: filename ~/.ssh/known_hosts2
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts2
debug3: check_host_in_hostfile: filename ~/.ssh/known_hosts
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
debug2: no key of type 1 for host 192.168.1.61
debug3: check_host_in_hostfile: filename ~/.ssh/known_hosts2
[...]
debug2: no key of type 4 for host 192.168.1.61
```

Why is it looking for the key in a known_hosts file when it is supposed to check the certificate?

It results in:

```
The authenticity of host '192.168.1.61 (192.168.1.61)' can't be established.
RSA+cert key fingerprint is da:94:b2:ec:fe:c4:f1:ee:5e:c7:42:f5:ef:f5:c5:c5.
Distinguished name is [...]
Are you sure you want to continue connecting (yes/no)?
```

----------

## eunuque

You first have to say yes to accept the key, then another check is done on the certificate.

If it is not valid, then the connection will stop.

BTW I've just written a HOWTO:

https://forums.gentoo.org/viewtopic-t-441064.html

----------

## Julz

*eunuque wrote:*

> You first have to say yes to accept the key, then another check is done on the certificate.
>
> If it is not valid, then the connection will stop.

Thanks for the answer, it's been working that way for me for some time now. It is also possible to automatically put unknown hosts in the known_hosts file, in which case X509 has to be the only authentication mechanism.
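The following is an added example, not code posted in this thread and not part of the x509 patch. It takes Chris W's `openssl x509 -pubkey` extraction one step further and turns a certificate into material that stock OpenSSH understands (a one-line `ssh-rsa` key usable in `authorized_keys` or `known_hosts`, and the fingerprint ssh prints at the "authenticity of host" prompt), and it addresses the known_hosts question from Julz's posts the defensive way: rather than letting the client add unknown hosts automatically, it verifies the host certificate against the CA with `openssl verify` and seeds `known_hosts` from it, so the "yes" prompt disappears while strict host key checking stays on. It assumes `openssl` and `ssh-keygen` are installed; the host name `demo-host.example`, the second CA `other-ca.example` and the self-signed demo certificates are constructed for the example. Unlike the patched sshd, nothing here checks X.509 at connect time; the chain is validated when the known_hosts entry is produced.

```shell
#!/bin/sh
# Added example (not from the thread, not from the x509 patch): bridge an
# X.509 certificate to stock OpenSSH using only openssl and ssh-keygen.
# Chain validation happens here, at provisioning time, instead of at
# connect time as with the patched sshd. demo-host.example, other-ca.example
# and the self-signed certificates are constructed for the example.
set -eu

# cert_to_ssh_pubkey CERT.pem
#   Print the certificate's subject public key as a one-line OpenSSH key
#   ("ssh-rsa AAAA..."). -noout drops the certificate block that also
#   appeared in Chris W's output; ssh-keygen -i -m PKCS8 imports the
#   "BEGIN PUBLIC KEY" (SubjectPublicKeyInfo) encoding openssl writes.
cert_to_ssh_pubkey() {
    pem_tmp=$(mktemp)
    openssl x509 -in "$1" -pubkey -noout > "$pem_tmp"
    ssh-keygen -i -m PKCS8 -f "$pem_tmp"
    rm -f "$pem_tmp"
}

# ssh_fingerprint CERT.pem
#   SHA256 fingerprint of that key, as ssh shows it at the
#   "authenticity of host ... can't be established" prompt.
ssh_fingerprint() {
    key_tmp=$(mktemp)
    cert_to_ssh_pubkey "$1" > "$key_tmp"
    ssh-keygen -l -E sha256 -f "$key_tmp" | awk '{print $2}'
    rm -f "$key_tmp"
}

# verified_known_hosts_line CA.pem HOST CERT.pem
#   Emit a known_hosts entry for HOST only if CERT chains to CA. Seeding
#   known_hosts this way removes the interactive "yes" without turning off
#   StrictHostKeyChecking: trust comes from the CA, not from first use.
verified_known_hosts_line() {
    openssl verify -CAfile "$1" "$3" > /dev/null 2>&1 || return 1
    printf '%s %s\n' "$2" "$(cert_to_ssh_pubkey "$3")"
}

# key_matches CERT.pem KEY.pem
#   Succeed if the key extracted from CERT is the key that ssh-keygen -y
#   derives from the matching private key (type and base64 blob compared).
key_matches() {
    from_cert=$(cert_to_ssh_pubkey "$1" | awk '{print $1, $2}')
    from_key=$(ssh-keygen -y -f "$2" | awk '{print $1, $2}')
    [ "$from_cert" = "$from_key" ]
}

# make_demo_cert DIR NAME
#   Constructed self-signed certificate and throwaway key for the demo;
#   prints the certificate path. A self-signed cert doubles as its own CA file.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
        -out "$1/$2.pem" -days 1 -subj "/CN=$2" > /dev/null 2>&1
    echo "$1/$2.pem"
}

main() {
    dir=$(mktemp -d)
    host=$(make_demo_cert "$dir" demo-host.example)
    other=$(make_demo_cert "$dir" other-ca.example)
    echo "ssh form:    $(cert_to_ssh_pubkey "$host")"
    echo "fingerprint: $(ssh_fingerprint "$host")"
    echo "known_hosts: $(verified_known_hosts_line "$host" demo-host.example "$host")"
    # The important case: a certificate that does not chain to our CA must
    # never become a known_hosts entry.
    if verified_known_hosts_line "$other" demo-host.example "$host"; then
        echo "BUG: certificate accepted under the wrong CA"
    else
        echo "certificate rejected under the wrong CA, as it should be"
    fi
    rm -rf "$dir"
}

# Run the demo only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--demo" ]; then
    main
fi
```

Run it as `sh cert2ssh.sh --demo` to see the four outputs, or source the file to reuse the functions against a real host certificate and CA file. The rejection under the wrong CA is the check that matters: a `known_hosts` line should only ever be derived from a certificate the CA you trust actually issued, which is what makes pre-seeding safer than auto-adding unknown hosts on first contact.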

----------

