Hi,

I'm experimenting with certificates for users, giving access via the TrustedUserCAKeys mechanism. Unfortunately, there seems to be a limit of one certificate per SSH key on the user's side, which prevents using the same key for hosts using different TrustedUserCAKeys. Is there a clean way around this?

To make the above clearer, consider the following situation:

A collection of hosts is partitioned into A hosts and B hosts, and we have a CA key for the A hosts and one for the B hosts. Bob is a special user and is granted access to hosts in both the A and the B clusters, and so after sending his id_ecdsa.pub public key to the A and B CA key maintainers, gets back two id_ecdsa-cert.pub certificates, one granting him access to the A cluster, the other to the B cluster.

Bob is however stuck in that ssh only looks at the file ~/.ssh/id_ecdsa-cert.pub for a certificate for his id_ecdsa key. If he puts A's certificate at that location, he can't log in to B using B's certificate, and vice versa. If he puts both certificates into ~/.ssh/id_ecdsa-cert.pub, ssh only uses the top one.

Is there any resolution for Bob short of making two copies of ~/.ssh/id_ecdsa, ~/.ssh/id_ecdsaA and ~/.ssh/id_ecdsaB, and similarly for ~/.ssh/id_ecdsa.pub, and placing the A and B certificates at ~/.ssh/id_ecdsaA-cert.pub and ~/.ssh/id_ecdsaB-cert.pub respectively, thereby creating two copies of the key, each with its own certificate?

Looking at the source code, it looks as though not: key_load_cert (authfile.c) calls key_try_load_public (authfile.c), which parses ${keyfile}-cert.pub until a key is found, loads it, and returns, thus ignoring any subsequent certificates in the file. The cert filename is also hardcoded to be ${keyfile}-cert.pub in key_load_cert.

Best wishes,
Ryan

-- 
|_)|_/ Ryan Kavanagh | Debian Developer
| \| \ http://ryanak.ca/ | GPG Key 4A11C97A
On Wed, 4 Sep 2013, Ryan Kavanagh wrote:

> Hi,
>
> I'm experimenting with certificates for users, giving access via the
> TrustedUserCAKeys mechanism. Unfortunately, there seems to be a limit of
> one certificate per SSH key on the user's side, which prevents using the
> same key for hosts using different TrustedUserCAKeys. Is there a clean
> way around this?

The easiest way to have multiple certs per private key is to use an agent. You will still need to copy (or symlink) the private key for each cert but you will need to enter the passphrase only once.

> A collection of hosts is partitioned into A hosts and B hosts, and we
> have a CA key for the A hosts and one for the B hosts. Bob is a special
> user and is granted access to hosts in both the A and the B clusters,
> and so after sending his id_ecdsa.pub public key to the A and B CA key
> maintainers, gets back two id_ecdsa-cert.pub certificates, one granting
> him access to the A cluster, the other to the B cluster.

I'd try to solve this with principals and/or authorized_principals files. E.g. setting the certificate's principals list to "bob@clusterA,bob@clusterB" (or one of the entries alone) and creating principals files (or a single file) containing "%u@clusterA" or "%u@clusterB".

> Is there any resolution for Bob short of making two copies of
> ~/.ssh/id_ecdsa, ~/.ssh/id_ecdsaA and ~/.ssh/id_ecdsaB, and similarly
> for ~/.ssh/id_ecdsa.pub, and placing the A and B certificates at
> ~/.ssh/id_ecdsaA-cert.pub and ~/.ssh/id_ecdsaB-cert.pub respectively,
> thereby creating two copies of the key, each with its own certificate?

Not at present.

> Looking at the source code, it looks as though not: key_load_cert
> (authfile.c) calls key_try_load_public (authfile.c), which parses
> ${keyfile}-cert.pub until a key is found, loads it, and returns, thus
> ignoring any subsequent certificates in the file. The cert filename is
> also hardcoded to be ${keyfile}-cert.pub in key_load_cert.

Right. I'd accept patches to allow multiple certificates in the -cert.pub file though by making key_load_cert return multiple Keys.

-d
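Bob's layout from the question, set up the way the reply describes (one private key symlinked under two names, each name carrying its own -cert.pub, loaded into the agent once), as an added example that is not part of the thread; the cluster host patterns, file names and placeholder key contents are assumptions:

```shell
#!/bin/sh
# Added example, not from the thread: give one private key two names so each
# name can carry its own ${keyfile}-cert.pub, the only place ssh looks for it.
# Cluster host patterns, file paths and placeholder contents are assumptions.
set -eu

# setup_cert_alias KEY NAME CERT
#   KEY   existing private key (e.g. ~/.ssh/id_ecdsa), with KEY.pub beside it
#   NAME  new name for the same key (e.g. ~/.ssh/id_ecdsaA)
#   CERT  certificate that cluster's CA issued for KEY.pub
# Symlinks NAME -> KEY (one passphrase, one agent entry), copies the public
# half to NAME.pub and installs CERT as NAME-cert.pub.
setup_cert_alias() {
    key=$1 name=$2 cert=$3
    [ -f "$key" ] && [ -f "$key.pub" ] && [ -f "$cert" ] || return 1
    keyabs=$(cd "$(dirname "$key")" && pwd)/$(basename "$key")
    ln -sf "$keyabs" "$name"
    cp "$key.pub" "$name.pub"
    cp "$cert" "$name-cert.pub"
    chmod 644 "$name.pub" "$name-cert.pub"
}

# host_stanza PATTERN NAME: ssh_config fragment pinning PATTERN to NAME.
# IdentitiesOnly stops ssh offering the other cluster's cert to these hosts.
host_stanza() {
    printf 'Host %s\n    IdentityFile %s\n    IdentitiesOnly yes\n\n' "$1" "$2"
}

# Load the aliases once: the agent holds one key, asks for one passphrase,
# and serves both the A and the B certificate (ssh-add picks up NAME-cert.pub).
load_into_agent() {
    [ -n "${SSH_AUTH_SOCK:-}" ] || return 1
    ssh-add "$@"
}

# Demo on constructed placeholder files in a scratch directory, not ~/.ssh.
demo() {
    d=$(mktemp -d)
    printf 'PLACEHOLDER PRIVATE KEY\n' > "$d/id_ecdsa"
    printf 'ecdsa-sha2-nistp256 PLACEHOLDER bob\n' > "$d/id_ecdsa.pub"
    printf 'ecdsa-sha2-nistp256-cert-v01@openssh.com PLACEHOLDER_A\n' > "$d/certA.pub"
    printf 'ecdsa-sha2-nistp256-cert-v01@openssh.com PLACEHOLDER_B\n' > "$d/certB.pub"
    setup_cert_alias "$d/id_ecdsa" "$d/id_ecdsaA" "$d/certA.pub"
    setup_cert_alias "$d/id_ecdsa" "$d/id_ecdsaB" "$d/certB.pub"
    host_stanza '*.a.example.net' "$d/id_ecdsaA"
    host_stanza '*.b.example.net' "$d/id_ecdsaB"
    ls -l "$d"
}
demo
```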