openssh bugs - Jul 2015 - [Bug 2436] New: Add ssh option to present certificates on command line

https://bugzilla.mindrot.org/show_bug.cgi?id=2436

            Bug ID: 2436
           Summary: Add ssh option to present certificates on command line
           Product: Portable OpenSSH
           Version: 6.9p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: mebhat at akamai.com

Created attachment 2679
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2679&action=edit
[PATCH] Add ssh -z option to present certificates on command line

Currently, it is difficult for users to manage having multiple
certificates for a single key pair. One of the easiest ways to manage
the certificates is to have a copy of the key pair for every
certificate. Some of these concerns were brought up in the following
thread:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2013-September/031629.html
The goal of this patch is to make it easier for users to handle
presenting specific certificates during ssh.

With this patch, users may specify one or more certificates to be used
for authentication on the command line with the '-z' argument when
running ssh. A user may also include a specific certificate in the
ssh_config file as a CertificateFile.

For successful authentication, the key pair associated with the
certificate must also be presented during the ssh. This key pair may be
loaded in a currently-running ssh agent, for example, or provided as an
identity file on the command line. Since the specified certificates can
be used in combination with keys pairs in the agent, users can avoid
having to enter a passphrase before using a certificate.

The code for this patch is closely modeled after that of identity
files. However, there are some differences to account for making sure
the loaded file is a certificate, as well as identifying which key pair
is associated with the certificate.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2436

David Gervais <dgervais at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dgervais at gmail.com

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2436

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
   Attachment #2679|0                           |1
           is patch|                            |
   Attachment #2679|application/octet-stream    |text/plain
          mime type|                            |

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2436

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2451
             Status|NEW                         |ASSIGNED

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Thanks for writing this and especially for taking the time to write a
regress test too.

I'll take a look at this, but I'm not sure about using up one of our
few remaining getopt() characters for this - multiple certificates are
a fairly rare situation.


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2451
[Bug 2451] Bugs intended to be fixed in 7.2
-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2436

--- Comment #2 from David Gervais <dgervais at gmail.com> ---
We plan to use multiple certificates where a centralize authentication
and authorization service will provide limited-use ssh certificate
endorsements on user's ssh keys to uniquely access servers in our
network (currently consisting of ~200000+ servers). In this model
(which plans to replace our existing ssh proxy model), users will need
to juggle many certificates spanning each access attempt and even each
command they would like to run remotely. Having the functionality to
select a certificate within ssh itself will be amazingly helpful.

We have an ssh-certificate-agent application that can be used to
provide this functionality now by proxying the communication from ssh
to the ssh-agent where the ssh-certificate-agent can load the public
certificate and can delegate signing to the ssh-agent though this is
not an optimal solution. A patch for the ssh-certificate-agent (also
authored by mebhat) attached if interested.

With respect to using a command line option of -z, what would the
alternative be? The other potential solution I could envision would be
to overload the use of -i and if the provided argument ends with
-cert.pub, then we treat it as we do when parsing arguments from -z? I
think I would prefer isolating the behavior to a separate option,
though completely open to other alternatives.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2436

--- Comment #3 from David Gervais <dgervais at gmail.com> ---
Created attachment 2694
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2694&action=edit
ssh-certificate-agent proof-of-concept code

ssh-certificate-agent proof-of-concept code attached.

The ssh certificate agent allows the user to ssh using specific input
certificates. It communicates with the regular ssh agent to get the
certificate signed. It does not support adding or removing of keys.

As mentioned in my previous post, having this functionality in ssh
directly would be incredibly helpful.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2436

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
Created attachment 2700
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2700&action=edit
revised patch

Here's a tweaked version of the patch. Changes are:

- add_certificate_file() never used its "dir" argument; remove it and
save some code

- merge load_certificate_files() into load_public_identity_files();
much of the code is shared (especially % expansion)

- if any CertificateFiles have been specified, skip trying to load
key-cert.pub by default. I figure that if users are specifying
certificates themselves then they don't want implicit behaviour to
confuse things.

- log (at debug2 level) which private key is being used for the
certificate and cases where no private key was found for a given
certificate

- Simplify the matching of certificates to private keys in
sign_and_send_pubkey() and use it for all certificates (i.e. both
CertificateFile and implicit *-cert.pub ones).

- Tweak the wording of the manpage a little and mention the interaction
with IdentitiesOnly.

I've left the ssh -z option in there for now. The alternative to an
explicit flag is making users use -oCertificateFile=...

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2436

--- Comment #5 from David Gervais <dgervais at gmail.com> ---
Reviewed the proposed changes and really like the new approach. Also
confirmed that the proposed patch functions as expected.

As for the -z option, I completely forgot that -oCertificateFile was an
option. I, personally, would be fine dropping -z in favor of
-oCertificateFile as to not pollute the getopt space as you've
mentioned previously.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2436

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #6 from Damien Miller <djm at mindrot.org> ---
patch applied - this will be in openssh-7.2. Thanks!

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2436

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #7 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after 7.3p1 release

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.