Displaying 20 results from an estimated 26 matches for "trustedusercakey".
Did you mean:
trustedusercakeys
2020 Jun 01
2
would it be possible to extend TrustedUserCAKeys so that certain keys could not be used to authenticate a particular user?
Wondering if it would make sense to have more granular control of
trustedUserCAkeys? I have 1 key used to sign root certs, the key is
shortlived, and is rotated daily. And I have a 2nd key to sign non-
privileged user certs. The non-privileged certs have a longer validity
period, and the signing keys are not rotated as frequently. It would
be nice to ensure this second signin...
2010 Apr 27
2
ssh certificate usage
I am trying to find out how I can use the new self-signed certificates
So what I read in the man pages, it should be something like:
client:
1) ssh-keygen -f ca_rsa # generate a ssh keypair for use as a certificate
Server(s):
2) make sure your /etc/ssh/sshd_config has TrustedUserCAKeys assigned
TrustedUserCAKeys /etc/ssh/sshcakeys # or whatever name or
location you like
3) edit /etc/ssh/sshcakeys and add the contents of ca_rsa.pub in it
Client:
4) for a user generate a certificate of its public key
ssh-keygen -s ca_rsa -I keyid -n user id_rsa.pub
This will generate an...
2015 Nov 01
2
[Bug 2487] New: AuthorizedPrincipalsCommand should probably document whether it only applies to TrustedUserCAKeys CAs
https://bugzilla.mindrot.org/show_bug.cgi?id=2487
Bug ID: 2487
Summary: AuthorizedPrincipalsCommand should probably document
whether it only applies to TrustedUserCAKeys CAs
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: Documentation
Assignee: unassigned-bugs at mindrot.org
Report...
2020 Jan 30
3
SSH certificates - restricting to host groups
...s file configuration?
this is the right answer. you want to use AuthorizedPrincipalsFile (or
AuthorizedPrincipalsCommand if your authz information needs to change
on a quicker cadence than your config pushes) on the machines.
you'd have something like
$ cat /etc/ssh/sshd_config
<snip>
TrustedUserCAKeys /etc/ssh/TrustedUserCAKeys
Match User www
AuthorizedKeysFile /etc/ssh/empty
AuthorizedPrincipalsFile /etc/ssh/www_authorizedPrincipals
<snip>
$ cat /etc/ssh/www_authorized_principals
alice
bob
and alice and bob just have regular user certificates with 'alice' or
'bob'...
2010 Mar 04
1
Minor tweak to sshd_config(5)
Hi,
There are a few minor tweaks I would like to suggest regrading the recently added
TrustedUserCAKeys section in sshd_config(5).
TrustedUserCAKeys
Specifies a file containing public keys of certificate authorities that are
trusted sign user certificates for authentication. Keys are listed one per
line, empty lines and comments starting with '#'...
2013 Sep 05
1
Using multiple certificates for a given private key
Hi,
I'm experimenting with certificates for users, giving access via the
TrustedUserCAKeys mechanism. Unfortunately, there seems to be a limit of
one certificate per SSH key on the user's side, which prevents using the
same key for hosts using different TrustedUserCAKeys. Is there a clean
way around this?
To make the above clearer, consider the following situation:
A collection of...
2020 Jun 16
2
client host certificates and receiving host configuration
I'm working on a small server written in Go to add short-lived user
certificates to the forwarded agents of authorized users.
https://github.com/rorycl/sshagentca
This seems to work quite well for accessing sshd servers with the
appropriately configured "TrustedUserCAKeys" directive.
I have been in a debate about how similarly adding host certificates to
forwarded agents could help mitigate man-in-the-middle attacks. This has
raised a few questions.
Firstly, given a host CA signing key on the sshagentca server, would an
appropriately constructed host certifi...
2020 Jun 17
3
client host certificates and receiving host configuration
...n
> > sshd receiving servers?
>
> I don't understand what you mean here. Could you elabourate?
My apologies for the poor explanation. Let me try again.
Adding a user certificate to a client forwarded agent allows that client
to use that certificate to authenticate to servers with
TrustedUserCAKeys set to the public key used to sign the certificate.
What would host certificates added to a client forwarded agent give one
(if any), and what part of the normal set of configuration requirements*
does it help with?
* normal config : @cert-authority in the client's ~/.ssh/known_hosts;
setu...
2019 May 20
4
Authenticate against key files before AuthorizedKeysCommand
Hello,
Currently OpenSSH has a fixed order on how the key authenticates the
user: at first it tries to authenticate against TrustedUserCAKeys,
afterwards it does it against the output keys from the
AuthorizedKeysCommand and finally against the files as set in
AuthorizedKeysFile. I have an use-case where this order is not ideal.
This is because in my case the command fetches keys from the cloud which
due to connectivity issues (and whatn...
2018 Apr 10
4
Signed SSH key issue with OpenSSH6.4p1
...b)
2) I created user ssh rsa keys (user-id-org and user-id-org.pub).
3) I signed the "user-id-org.pub" with "ca-user-key.pub" and generated
"signed-user-id-org.pub".
4) I copied " ca-user-key.pub" to the destination server (dest1.domain.com)
and changed "TrustedUserCAKeys /etc/ssh/ ca-user-key.pub" in
/etc/ssh/sshd_config.
5) I am trying to get into "dest1.domain.com" using the " user-id-org " as
well as "signed-user-id-org.pub". [ ssh -i user-id-org -i signed-
user-id-org.pub user1@ dest1.domain.com ]
However, I am being aske...
2020 Jan 30
5
SSH certificates - restricting to host groups
Hello,
I am trying to work out the best way to issue SSH certificates in such
way that they only allow access to specific usernames *and* only to
specific groups of host.
As a concrete example: I want Alice to be able to login as "alice" and
"www" to machines in group "webserver" (only). Also, I want Bob to be
able to login as "bob" and
2011 Nov 03
1
Help with CA Certificates for user authentication?
...y /etc/sshtest/ssh_host_dsa_key
HostKey /etc/sshtest/ssh_host_ecdsa_key
MaxAuthTries 3
AuthorizedKeysFile????? /etc/sshtest/authorized_keys
PasswordAuthentication no
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
UseDNS no
Subsystem?????? sftp??? /home1/test/usr/local/libexec/sftp-server
TrustedUserCAKeys?????? /etc/sshtest/ssh_cakeys
AuthorizedPrincipalsFile??????? /etc/sshtest/authorized_principals
The /etc/sshtest/authorized_principals file contains one line:
test at 172.31.43.3
I attempt to connect to the target server from the test client:
$ ssh -vvv -Y -p 2022 -l test 172.31.44.115
Ther...
2015 Feb 19
2
[Bug 2353] New: options allowed for Match blocks missing form documentation
...t
Hi.
AFAIU such options which are allowed for Match blocks are marked with
"SSHCFG_ALL" in servconf.c.
Going through the list, a number of the is apparently allowed but
missing from sshd_config(5):
AllowStreamLocalForwarding
IPQoS
RevokedKeys
StreamLocalBindMask
StreamLocalBindUnlink
TrustedUserCAKeys
Could you please add these?
I'd have written a patch, but since all my pull requests are apparently
generally ignored it's probably just a waste of time :(
Cheers,
Chris.
--
You are receiving this mail because:
You are watching the assignee of the bug.
2010 Apr 16
0
Announce: OpenSSH 5.5 released
...zedKeysFile option for $HOME-relative paths
* Fix compilation failures on platforms that lack dlopen()
* Include a language tag when sending a protocol 2 disconnection message.
* Make logging of certificates used for user authentication more clear and
consistent between CAs specified using TrustedUserCAKeys and
authorized_keys
Portable OpenSSH:
* Allow contrib/ssh-copy-id to fail gracefully when there are no keys in
the ssh-agent. bz#1723
* Explicitly link libX11 into contrib/gnome-ssh-askpass2. bz#1725
* Allow ChrootDirectory to work in SELinux platforms. bz#1726
* Add configure.ac st...
2010 Apr 16
0
Announce: OpenSSH 5.5 released
...zedKeysFile option for $HOME-relative paths
* Fix compilation failures on platforms that lack dlopen()
* Include a language tag when sending a protocol 2 disconnection message.
* Make logging of certificates used for user authentication more clear and
consistent between CAs specified using TrustedUserCAKeys and
authorized_keys
Portable OpenSSH:
* Allow contrib/ssh-copy-id to fail gracefully when there are no keys in
the ssh-agent. bz#1723
* Explicitly link libX11 into contrib/gnome-ssh-askpass2. bz#1725
* Allow ChrootDirectory to work in SELinux platforms. bz#1726
* Add configure.ac st...
2013 Sep 25
0
CA Signed Public Key User Authentication does not honor ~/.ssh/authorized_keys
Greetings,
I am using OpenSSH Signed Public Key authentication for servers ssh login.
All of the servers are setup with below sshd_config options:
TrustedUserCAKeys /etc/ssh/ca.pub # CA Public Keys
RevokedKeys /etc/ssh/revoke.pub # User Public Keys
When i started working on it, for ssh authentication i had to have CA
Public Key in User ~/.ssh/authorized_keys, like:
cert-authority ssh-rsa <user_key> <user_name>
But, now i am able to login witho...
2020 Jan 31
2
SSH certificates - restricting to host groups
On 31/01/2020 15:37, Michael Str?der wrote:
> (BTW: yubikey is slow. So if you have admins accessing many machines in
> one go you will get a notable latency during first SSH connection.)
I meant using a single Yubikey as the CA sign the certificates.
I'm thinking of an organization where the number of admins is in the low
tens.? The end-game of having daily keys and certs loaded
2015 Apr 15
6
[Bug 2382] New: option to disable pid file with sshd
https://bugzilla.mindrot.org/show_bug.cgi?id=2382
Bug ID: 2382
Summary: option to disable pid file with sshd
Product: Portable OpenSSH
Version: 6.9p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at
2014 Jun 06
1
Patch: Ciphers, MACs and KexAlgorithms on Match
...quot;, sMacs, SSHCFG_ALL },
{ "protocol", sProtocol, SSHCFG_GLOBAL },
{ "gatewayports", sGatewayPorts, SSHCFG_ALL },
{ "subsystem", sSubsystem, SSHCFG_GLOBAL },
@@ -427,7 +427,7 @@ static struct {
{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
- { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
+ { "kexalgorithms", sKexAlgorithms, SSHCFG_ALL },
{ "ipqos", sIPQoS, SSHCFG_ALL },
{...
2013 Jun 18
0
Problems in slogin.1, sshd_config.5, ssh_config.5
...rated
lists and may use the wildcard and negation operators described in the
-.Sx PATTERNS
-section of
+PATTERNS section of
.Xr ssh_config 5 .
.Pp
The patterns in an
@@ -1094,8 +1082,7 @@
Note that certificates that lack a list of principals will not be permitted
for authentication using
.Cm TrustedUserCAKeys .
-For more details on certificates, see the
-.Sx CERTIFICATES
+For more details on certificates, see the CERTIFICATES
section in
.Xr ssh-keygen 1 .
.It Cm UseDNS
-------------- next part --------------
Problems with ssh_config.5:
My records indicate that you have accepted this patch, so this...