Erik Johnston
2019-Jun-25 17:22 UTC
Requiring certificate signature and an authorized key to authenticate
Hey everyone, Basically, I'm trying to figure out if I can configure sshd to require that the user has a key that has been signed by a trusted user CA *and* is listed separately as an authorised key (or the user has a signed key and a different authorised key)? The closest I've come is having an `authorized_keys` file have two entries consisting of the CA key and a normal key with `AuthenticationMethods: publickey,publickey` option set, so that sshd requires that a user produces both the normal key and a signed key. This works, but means a user can't then have multiple keys (e.g. one per device), and feels somewhat brittle in that adding a key to that file breaks the requirement that the user presents a signed key. The motivation behind this is that I've been looking at using a self-service cert authority that lets users get their keys signed by the CA in a restricted way, e.g. be IP locked, have expiry times, requires third party approval to get access to certain hosts, etc. However, I'm uncomfortable having a single server have the CA cert, since if the box gets owned they get credentials to access everything. Hence wondering if we could require having both a valid key *and* a valid signature from the CA, as then having the cert by itself is useless. Thoughts and suggestions welcome, including that this sounds like a terrible idea and I'm doing it wrong. Thanks, Erik
Manoj Ampalam
2019-Jun-27 17:54 UTC
Requiring certificate signature and an authorized key to authenticate
AFAIK, sshd, by itself, cannot enforce your specific 2FA requirement (one cert + one authorized key). You could potentially leverage AuthorizedKeysCommand. It would probably require maintaining some state (authorized_keys, trusted ca keys, auth attempts) on your own. ________________________________ From: openssh-unix-dev <openssh-unix-dev-bounces+manojampalam=live.com at mindrot.org> on behalf of Erik Johnston <erikj-openssh at jki.re> Sent: Tuesday, June 25, 2019 10:22:55 AM To: openssh-unix-dev at mindrot.org Subject: Requiring certificate signature and an authorized key to authenticate Hey everyone, Basically, I'm trying to figure out if I can configure sshd to require that the user has a key that has been signed by a trusted user CA *and* is listed separately as an authorised key (or the user has a signed key and a different authorised key)? The closest I've come is having an `authorized_keys` file have two entries consisting of the CA key and a normal key with `AuthenticationMethods: publickey,publickey` option set, so that sshd requires that a user produces both the normal key and a signed key. This works, but means a user can't then have multiple keys (e.g. one per device), and feels somewhat brittle in that adding a key to that file breaks the requirement that the user presents a signed key. The motivation behind this is that I've been looking at using a self-service cert authority that lets users get their keys signed by the CA in a restricted way, e.g. be IP locked, have expiry times, requires third party approval to get access to certain hosts, etc. However, I'm uncomfortable having a single server have the CA cert, since if the box gets owned they get credentials to access everything. Hence wondering if we could require having both a valid key *and* a valid signature from the CA, as then having the cert by itself is useless. Thoughts and suggestions welcome, including that this sounds like a terrible idea and I'm doing it wrong. Thanks, Erik _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev at mindrot.org https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.mindrot.org%2Fmailman%2Flistinfo%2Fopenssh-unix-dev&data=02%7C01%7C%7Cf231135f471049fd07e908d6f991f2b5%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636970802567816448&sdata=%2F4zOz7AZiau%2BN2o5X92cgYt8QQ6PU1APwr%2B5e8wfC2Q%3D&reserved=0
Damien Miller
2019-Jun-28 02:46 UTC
Requiring certificate signature and an authorized key to authenticate
On Tue, 25 Jun 2019, Erik Johnston wrote:> Hey everyone, > > Basically, I'm trying to figure out if I can configure sshd to require > that the user has a key that has been signed by a trusted user CA > *and* is listed separately as an authorised key (or the user has a > signed key and a different authorised key)? > > The closest I've come is having an `authorized_keys` file have > two entries consisting of the CA key and a normal key with > `AuthenticationMethods: publickey,publickey` option set, so that sshd > requires that a user produces both the normal key and a signed key. > This works, but means a user can't then have multiple keys (e.g. one > per device), and feels somewhat brittle in that adding a key to that > file breaks the requirement that the user presents a signed key.There's no good way to express multi-factor authentication using just keys in sshd_config at the moment. You've hit on what is the closest that you can do - listing each of the keys that you require and setting AuthenticationMethods=publickey,publickey This only happens to work because most* versions of sshd will refuse to allow a single public key to pass multiple required authentications. That this allows MFA using pubkeys only isn't quite accidental behaviour (I had this case in mind when I implemented it), but its still a long way from a proper system. I'm certainly open to implementing the other parts that are needed to pure-pubkey MFA, but I'm unsure what the sshd configuration UI would look like. So let me ask: how would you like it to work? I guess the cert+plain key combo is likely to be a fairly common requirment. Maybe we could bundle the keys required into the AuthenticationMethods line, e.g. AuthenticationMethods publickey:CA/9+CulD19jyl0DEPteRcXM8uVbYsG3MgbSslrgXkt458,publickey -d * versions prior to 6.8 didn't enforce this
Jakub Jelen
2019-Jun-28 06:28 UTC
Requiring certificate signature and an authorized key to authenticate
On Tue, 2019-06-25 at 18:22 +0100, Erik Johnston wrote:> Hey everyone, > > Basically, I'm trying to figure out if I can configure sshd to > require that the user has a key that has been signed by a trusted > user CA *and* is listed separately as an authorised key (or the user > has a signed key and a different authorised key)? > > The closest I've come is having an `authorized_keys` file have two > entries consisting of the CA key and a normal key with > `AuthenticationMethods: publickey,publickey` option set, so that sshd > requires that a user produces both the normal key and a signed key. > This works, but means a user can't then have multiple keys (e.g. one > per device), and feels somewhat brittle in that adding a key to that > file breaks the requirement that the user presents a signed key. > > The motivation behind this is that I've been looking at using a self- > service cert authority that lets users get their keys signed by the > CA in a restricted way, e.g. be IP locked, have expiry times, > requires third party approval to get access to certain hosts, etc. > However, I'm uncomfortable having a single server have the CA cert, > since if the box gets owned they get credentials to access > everything. Hence wondering if we could require having both a valid > key *and* a valid signature from the CA, as then having the cert by > itself is useless. > > Thoughts and suggestions welcome, including that this sounds like a > terrible idea and I'm doing it wrong.As already said, there is no simple way to do this in OpenSSH itself. But since few releases back, the OpenSSH can publish [1] what authentication was used in OpenSSH for PAM, which can in the end do the final decision whether the authentication was valid or not (two public keys or one of the valid certificate). This was implemented by the guys from CERN primarily for 2fa, but I think this can do also for you with some tweaks. [1] https://bugzilla.mindrot.org/show_bug.cgi?id=2408 Regards, -- Jakub Jelen Senior Software Engineer Security Technologies Red Hat, Inc.
Erik Johnston
2019-Jun-28 11:07 UTC
Re: Requiring certificate signature and an authorized key to authenticate
Thanks Damien, that broadly aligns with my understanding. On Fri, 28 Jun 2019, at 03:46, Damien Miller wrote:> I'm certainly open to implementing the other parts that are needed to > pure-pubkey MFA, but I'm unsure what the sshd configuration UI would > look like. So let me ask: how would you like it to work?I've been thinking what the configuration could look like over the past few days, and really it feels like the options depend on how configurable we'd like to make things in the future. Where I've broadly ended up is allowing configurable auth stages, something akin to: ``` AuthenticationMethods: custom_stage,pubkey AuthStage custom_stage AuthenticationMethod: pubkey AuthorizedKeysFile: authorized_ca_file ``` i.e. where you take an existing auth method but allow it to be configured. This could then (?) be later extended to allow adding additional restrictions based on the stages used to authenticate, e.g. only allow running a commad, IP locking, etc akin to the restrictions that can be added to authorized keys file. This feels like the most generic solution that'll most easily support further extensions to the auth flows. The downside here (other than complexity to implement) is that the authentication flows are now potentially convoluted, making it harder for operators to check that the settings are secure at a glance and making it easier to misconfigure it. Though given the way that auth can be delegated to PAM the horse may have bolted somewhat on that one. On the other hand just allowing the auth stages to have some (minimal) configuration as part of the `AuthenticationMethods` line may be the right approach by virtue of its sheer simplicity. (I was planning on having a bit more of a poke of the code base to try and figure out a bit what sort of things would be feasible to add without too much work, but haven't managed to get that far yet.) On 28/06/2019 07:28, Jakub Jelen wrote:> As already said, there is no simple way to do this in OpenSSH itself. > But since few releases back, the OpenSSH can publish [1] what > authentication was used in OpenSSH for PAM, which can in the end do the > final decision whether the authentication was valid or not (two public > keys or one of the valid certificate).Ah, I hadn't realised this! Thanks for pointing it out, that sounds like it could be really quite useful indeed.
Maybe Matching Threads
- Auth via Multiple Publickeys, Using Multiple Sources, One Key per Source
- Multifactor authentication troubles
- chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
- chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
- MFA and PubKeys