undefined | Better HN

0 pointsMertsA10y ago0 comments

can you sign a cert for SSH? I know that you can add the SSH server public key fingerprint as a DNS record and sign an openSSH certificate with your own private CA but are there any public CAs who will sign SSH certs and would the ssh client even trust anything other than a manually added CA?

0 comments

darkr10y ago

Yeah - [Open]SSH supports signing for host and user keys, and you can operate your own CA, and the certificates you issue can encode a signed set of permissions/access controls with them (E.g permit-agent-forwarding, permit-X11-forwarding, certificate life times) this functionality is IMHO vastly underutilised.

OpenSSH certificates are not X509 certificates though, and out of the box SSH servers will not trust any public authority.

Also, AFAIK CA cross-signing, intermediates and other things that are fairly commonplace in X509 land are either not supported or not widely supported in OpenSSH.

pquerna10y ago

Using the OpenSSH Certificate format, many of the common features from X.509, like intermediates, cross signing, key usage attributes or restricting access based on an attribute in the certificate are not part of the spec:

https://github.com/openssh/openssh-portable/blob/master/PROT...

When I first learned about OpenSSH Certskeys, I was really excited; Spent awhile trying to make it useful, but you end up building all the CA infrastructure, and this time instead of distributing certificates to servers once a year, you want to distribute certificates to your _users_ every month or two -- so the pain is higher, there is less automation, and everyone on your team feels it....

Exploring OpenSSH certs is what led me to founding ScaleFT. There had to be a better way.

ScaleFT Access leverages these SSH Certificates, but we expire them every 5 minutes to provide other features that are hard with the limited capabilities of the format:

https://www.scaleft.com/products/access/

There are patches to make OpenSSH use X.509, but they are not widely adopted... and asking people to patch a sshd is a non-starter for many environments.

e12e10y ago

There's a pretty old (but apparently updated) patch-set for using x509 certificates with openssh. I realize commenter above made a typo, but it might be of interest in this thread:

http://www.roumenpetrov.info/openssh/

bandrami10y ago

You could, but SSH is used for actual security, and adding the variable of a third party makes that situation strictly worse. SSH keys are meant to be distributed through some side channel.

j / k navigate · click thread line to collapse