bugzilla-daemon at mindrot.org
2015-Jul-30 17:41 UTC
[Bug 2436] New: Add ssh option to present certificates on command line
https://bugzilla.mindrot.org/show_bug.cgi?id=2436

Bug ID: 2436
Summary: Add ssh option to present certificates on command line
Product: Portable OpenSSH
Version: 6.9p1
Hardware: All
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: mebhat at akamai.com

Created attachment 2679 --> https://bugzilla.mindrot.org/attachment.cgi?id=2679&action=edit
[PATCH] Add ssh -z option to present certificates on command line

Currently, it is difficult for users to manage having multiple certificates for a single key pair. One of the easiest ways to manage the certificates is to have a copy of the key pair for every certificate. Some of these concerns were brought up in the following thread:

http://lists.mindrot.org/pipermail/openssh-unix-dev/2013-September/031629.html

The goal of this patch is to make it easier for users to handle presenting specific certificates during ssh. With this patch, users may specify one or more certificates to be used for authentication on the command line with the '-z' argument when running ssh. A user may also include a specific certificate in the ssh_config file as a CertificateFile.

For successful authentication, the key pair associated with the certificate must also be presented during the ssh. This key pair may be loaded in a currently-running ssh agent, for example, or provided as an identity file on the command line. Since the specified certificates can be used in combination with key pairs in the agent, users can avoid having to enter a passphrase before using a certificate.

The code for this patch is closely modeled after that of identity files. However, there are some differences to account for making sure the loaded file is a certificate, as well as identifying which key pair is associated with the certificate.

--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2015-Aug-28 02:18 UTC
[Bug 2436] Add ssh option to present certificates on command line
https://bugzilla.mindrot.org/show_bug.cgi?id=2436

David Gervais <dgervais at gmail.com> changed:

What      |Removed |Added
----------------------------------------------------------------------------
CC        |        |dgervais at gmail.com
bugzilla-daemon at bugzilla.mindrot.org
2015-Sep-04 04:28 UTC
[Bug 2436] Add ssh option to present certificates on command line
https://bugzilla.mindrot.org/show_bug.cgi?id=2436

Damien Miller <djm at mindrot.org> changed:

What                      |Removed                  |Added
----------------------------------------------------------------------------
CC                        |                         |djm at mindrot.org
Attachment #2679 is patch |0                        |1
Attachment #2679 mime type|application/octet-stream |text/plain
bugzilla-daemon at bugzilla.mindrot.org
2015-Sep-04 04:48 UTC
[Bug 2436] Add ssh option to present certificates on command line
https://bugzilla.mindrot.org/show_bug.cgi?id=2436

Damien Miller <djm at mindrot.org> changed:

What      |Removed |Added
----------------------------------------------------------------------------
Blocks    |        |2451
Status    |NEW     |ASSIGNED

--- Comment #1 from Damien Miller <djm at mindrot.org> ---

Thanks for writing this and especially for taking the time to write a regress test too.

I'll take a look at this, but I'm not sure about using up one of our few remaining getopt() characters for this - multiple certificates are a fairly rare situation.

Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2451
[Bug 2451] Bugs intended to be fixed in 7.2
bugzilla-daemon at bugzilla.mindrot.org
2015-Sep-04 12:21 UTC
[Bug 2436] Add ssh option to present certificates on command line
https://bugzilla.mindrot.org/show_bug.cgi?id=2436

--- Comment #2 from David Gervais <dgervais at gmail.com> ---

We plan to use multiple certificates where a centralized authentication and authorization service will provide limited-use ssh certificate endorsements on users' ssh keys to uniquely access servers in our network (currently consisting of ~200000+ servers). In this model (which plans to replace our existing ssh proxy model), users will need to juggle many certificates spanning each access attempt and even each command they would like to run remotely. Having the functionality to select a certificate within ssh itself will be amazingly helpful.

We have an ssh-certificate-agent application that can be used to provide this functionality now by proxying the communication from ssh to the ssh-agent, where the ssh-certificate-agent can load the public certificate and can delegate signing to the ssh-agent, though this is not an optimal solution. A patch for the ssh-certificate-agent (also authored by mebhat) is attached, if interested.

With respect to using a command line option of -z, what would the alternative be? The other potential solution I could envision would be to overload the use of -i and, if the provided argument ends with -cert.pub, then we treat it as we do when parsing arguments from -z? I think I would prefer isolating the behavior to a separate option, though I am completely open to other alternatives.
bugzilla-daemon at bugzilla.mindrot.org
2015-Sep-04 12:26 UTC
[Bug 2436] Add ssh option to present certificates on command line
https://bugzilla.mindrot.org/show_bug.cgi?id=2436

--- Comment #3 from David Gervais <dgervais at gmail.com> ---

Created attachment 2694 --> https://bugzilla.mindrot.org/attachment.cgi?id=2694&action=edit
ssh-certificate-agent proof-of-concept code

ssh-certificate-agent proof-of-concept code attached. The ssh certificate agent allows the user to ssh using specific input certificates. It communicates with the regular ssh agent to get the certificate signed. It does not support adding or removing of keys.

As mentioned in my previous post, having this functionality in ssh directly would be incredibly helpful.
bugzilla-daemon at bugzilla.mindrot.org
2015-Sep-11 07:33 UTC
[Bug 2436] Add ssh option to present certificates on command line
https://bugzilla.mindrot.org/show_bug.cgi?id=2436

--- Comment #4 from Damien Miller <djm at mindrot.org> ---

Created attachment 2700 --> https://bugzilla.mindrot.org/attachment.cgi?id=2700&action=edit
revised patch

Here's a tweaked version of the patch. Changes are:

- add_certificate_file() never used its "dir" argument; remove it and save some code
- merge load_certificate_files() into load_public_identity_files(); much of the code is shared (especially % expansion)
- if any CertificateFiles have been specified, skip trying to load key-cert.pub by default. I figure that if users are specifying certificates themselves then they don't want implicit behaviour to confuse things.
- log (at debug2 level) which private key is being used for the certificate and cases where no private key was found for a given certificate
- Simplify the matching of certificates to private keys in sign_and_send_pubkey() and use it for all certificates (i.e. both CertificateFile and implicit *-cert.pub ones).
- Tweak the wording of the manpage a little and mention the interaction with IdentitiesOnly.

I've left the ssh -z option in there for now. The alternative to an explicit flag is making users use -oCertificateFile=...
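The matching step that the original report and Comment #4 both turn on (a CertificateFile is only usable when the key pair it was issued for is also available, either as an IdentityFile or in the agent, so the client has to work out which private key goes with which certificate), as an added example that is not code from OpenSSH or from the patch in this bug. It builds a constructed ssh-ed25519-cert-v01@openssh.com blob in the PROTOCOL.certkeys layout, parses it back, and matches the embedded public key against candidate public-key lines of the kind `ssh-add -L` prints. The nonce, key bytes, serial, key id, principals and validity window are all made up, and the signature is a zero placeholder: the client never verifies the CA signature (the server does), so the matching logic does not need it. The function names (`build_cert`, `parse_cert`, `find_key_for_cert`, `cert_valid_at`) are this example's own, not OpenSSH's.

```python
"""Match an OpenSSH certificate to the key pair that can use it.

Added example, not OpenSSH code. Wire format follows PROTOCOL.certkeys for
ssh-ed25519-cert-v01@openssh.com. All key material, the nonce and the
signature are constructed placeholders: the blob parses but would never
pass CA verification on a server.
"""
import base64
import struct
import time

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
KEY_TYPE = b"ssh-ed25519"
CERT_TYPE_USER = 1


# SSH wire-format helpers: RFC 4251 string / uint32 / uint64, big-endian.
def _s(b):
    return struct.pack(">I", len(b)) + b


def _read_s(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def _read_u32(buf, off):
    return struct.unpack_from(">I", buf, off)[0], off + 4


def _read_u64(buf, off):
    return struct.unpack_from(">Q", buf, off)[0], off + 8


def pubkey_blob(raw_pk):
    """ssh-ed25519 public key, i.e. the base64 payload of a .pub line."""
    return _s(KEY_TYPE) + _s(raw_pk)


def build_cert(raw_pk, serial, key_id, principals, valid_after, valid_before, ca_raw_pk):
    """Constructed certificate blob; the trailing signature is NOT valid."""
    ext = _s(b"permit-pty") + _s(b"")            # extension name + empty data
    body = (_s(CERT_TYPE)
            + _s(b"\x11" * 32)                    # nonce (random in real certs)
            + _s(raw_pk)                          # the public key being certified
            + struct.pack(">Q", serial)
            + struct.pack(">I", CERT_TYPE_USER)
            + _s(key_id)
            + _s(b"".join(_s(p) for p in principals))
            + struct.pack(">Q", valid_after)
            + struct.pack(">Q", valid_before)
            + _s(b"")                             # critical options: none
            + _s(ext)
            + _s(b"")                             # reserved
            + _s(pubkey_blob(ca_raw_pk)))         # signature key (the CA)
    fake_sig = _s(KEY_TYPE) + _s(b"\x00" * 64)    # placeholder, not a real signature
    return body + _s(fake_sig)


def parse_cert(blob):
    """Decode the fields a client needs; the CA signature is ignored."""
    t, off = _read_s(blob, 0)
    if t != CERT_TYPE:
        raise ValueError("unsupported certificate type %r" % t)
    _nonce, off = _read_s(blob, off)
    raw_pk, off = _read_s(blob, off)
    serial, off = _read_u64(blob, off)
    ctype, off = _read_u32(blob, off)
    key_id, off = _read_s(blob, off)
    princ_blob, off = _read_s(blob, off)
    principals, p = [], 0
    while p < len(princ_blob):                    # concatenated strings
        name, p = _read_s(princ_blob, p)
        principals.append(name.decode())
    valid_after, off = _read_u64(blob, off)
    valid_before, off = _read_u64(blob, off)
    return {"key": pubkey_blob(raw_pk), "serial": serial, "type": ctype,
            "key_id": key_id.decode(), "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}


def parse_pub_line(line):
    """'<type> <base64> [comment]' -> wire blob; works for keys and certs."""
    return base64.b64decode(line.split()[1])


def cert_valid_at(cert, now):
    """valid_after inclusive, valid_before exclusive, as sshd checks them."""
    return cert["valid_after"] <= now < cert["valid_before"]


def find_key_for_cert(cert_line, pub_lines):
    """Return the comment of the first candidate key the cert was issued for.

    This is the client-side match: the certificate's embedded public key is
    compared with each candidate (IdentityFile keys or `ssh-add -L` output).
    No private key or passphrase is needed to decide which key must sign.
    """
    cert = parse_cert(parse_pub_line(cert_line))
    for line in pub_lines:
        if parse_pub_line(line) == cert["key"]:
            parts = line.split()
            return parts[2] if len(parts) > 2 else parts[1]
    return None


# Constructed sample inputs (placeholder bytes, not real Ed25519 points).
USER_PK = bytes(range(32))
OTHER_PK = b"\x7f" * 32
CA_PK = bytes(range(32, 64))
CERT_LINE = (CERT_TYPE.decode() + " " + base64.b64encode(build_cert(
    USER_PK, 42, b"alice@example.com", [b"alice", b"deploy"],
    1_700_000_000, 1_700_003_600, CA_PK)).decode() + " alice-cert")
PUB_LINES = [
    "ssh-ed25519 " + base64.b64encode(pubkey_blob(OTHER_PK)).decode() + " laptop-key",
    "ssh-ed25519 " + base64.b64encode(pubkey_blob(USER_PK)).decode() + " agent-key",
]

if __name__ == "__main__":
    c = parse_cert(parse_pub_line(CERT_LINE))
    print("serial %d key_id %s principals %s" % (c["serial"], c["key_id"], c["principals"]))
    print("valid now:", cert_valid_at(c, int(time.time())))
    print("signing key:", find_key_for_cert(CERT_LINE, PUB_LINES))
```

Only the public-key blob is compared, which is all the client needs to pick a signing key; whether the server's TrustedUserCAKeys will accept the certificate depends on the serial, principals and validity window, which `ssh-keygen -L -f <cert>` prints and which this parser also exposes. The validity check here is the server's rule (valid_after inclusive, valid_before exclusive), included so a short-lived certificate that has just expired can be spotted on the client before a confusing "Permission denied".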
bugzilla-daemon at bugzilla.mindrot.org
2015-Sep-11 20:26 UTC
[Bug 2436] Add ssh option to present certificates on command line
https://bugzilla.mindrot.org/show_bug.cgi?id=2436

--- Comment #5 from David Gervais <dgervais at gmail.com> ---

Reviewed the proposed changes and really like the new approach. Also confirmed that the proposed patch functions as expected.

As for the -z option, I completely forgot that -oCertificateFile was an option. I, personally, would be fine dropping -z in favor of -oCertificateFile so as not to pollute the getopt space, as you've mentioned previously.
bugzilla-daemon at bugzilla.mindrot.org
2015-Sep-24 06:17 UTC
[Bug 2436] Add ssh option to present certificates on command line
https://bugzilla.mindrot.org/show_bug.cgi?id=2436

Damien Miller <djm at mindrot.org> changed:

What      |Removed  |Added
----------------------------------------------------------------------------
Status    |ASSIGNED |RESOLVED
Resolution|---      |FIXED

--- Comment #6 from Damien Miller <djm at mindrot.org> ---

patch applied - this will be in openssh-7.2. Thanks!
bugzilla-daemon at bugzilla.mindrot.org
2016-Aug-02 00:42 UTC
[Bug 2436] Add ssh option to present certificates on command line
https://bugzilla.mindrot.org/show_bug.cgi?id=2436

Damien Miller <djm at mindrot.org> changed:

What      |Removed  |Added
----------------------------------------------------------------------------
Status    |RESOLVED |CLOSED

--- Comment #7 from Damien Miller <djm at mindrot.org> ---

Close all resolved bugs after 7.3p1 release