search for: trustedusercakey

Displaying 20 results from an estimated 26 matches for "trustedusercakey".

Did you mean: trustedusercakeys
2020 Jun 01
2
would it be possible to extend TrustedUserCAKeys so that certain keys could not be used to authenticate a particular user?
Wondering if it would make sense to have more granular control of trustedUserCAkeys? I have 1 key used to sign root certs, the key is shortlived, and is rotated daily. And I have a 2nd key to sign non- privileged user certs. The non-privileged certs have a longer validity period, and the signing keys are not rotated as frequently. It would be nice to ensure this second signin...
2010 Apr 27
2
ssh certificate usage
I am trying to find out how I can use the new self-signed certificates So what I read in the man pages, it should be something like: client: 1) ssh-keygen -f ca_rsa # generate a ssh keypair for use as a certificate Server(s): 2) make sure your /etc/ssh/sshd_config has TrustedUserCAKeys assigned TrustedUserCAKeys /etc/ssh/sshcakeys # or whatever name or location you like 3) edit /etc/ssh/sshcakeys and add the contents of ca_rsa.pub in it Client: 4) for a user generate a certificate of its public key ssh-keygen -s ca_rsa -I keyid -n user id_rsa.pub This will generate an...
2015 Nov 01
2
[Bug 2487] New: AuthorizedPrincipalsCommand should probably document whether it only applies to TrustedUserCAKeys CAs
https://bugzilla.mindrot.org/show_bug.cgi?id=2487 Bug ID: 2487 Summary: AuthorizedPrincipalsCommand should probably document whether it only applies to TrustedUserCAKeys CAs Product: Portable OpenSSH Version: -current Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: Documentation Assignee: unassigned-bugs at mindrot.org Report...
2020 Jan 30
3
SSH certificates - restricting to host groups
...s file configuration? this is the right answer. you want to use AuthorizedPrincipalsFile (or AuthorizedPrincipalsCommand if your authz information needs to change on a quicker cadence than your config pushes) on the machines. you'd have something like $ cat /etc/ssh/sshd_config <snip> TrustedUserCAKeys /etc/ssh/TrustedUserCAKeys Match User www AuthorizedKeysFile /etc/ssh/empty AuthorizedPrincipalsFile /etc/ssh/www_authorizedPrincipals <snip> $ cat /etc/ssh/www_authorized_principals alice bob and alice and bob just have regular user certificates with 'alice' or 'bob'...
2010 Mar 04
1
Minor tweak to sshd_config(5)
Hi, There are a few minor tweaks I would like to suggest regrading the recently added TrustedUserCAKeys section in sshd_config(5). TrustedUserCAKeys Specifies a file containing public keys of certificate authorities that are trusted sign user certificates for authentication. Keys are listed one per line, empty lines and comments starting with '#'...
2013 Sep 05
1
Using multiple certificates for a given private key
Hi, I'm experimenting with certificates for users, giving access via the TrustedUserCAKeys mechanism. Unfortunately, there seems to be a limit of one certificate per SSH key on the user's side, which prevents using the same key for hosts using different TrustedUserCAKeys. Is there a clean way around this? To make the above clearer, consider the following situation: A collection of...
2020 Jun 16
2
client host certificates and receiving host configuration
I'm working on a small server written in Go to add short-lived user certificates to the forwarded agents of authorized users. https://github.com/rorycl/sshagentca This seems to work quite well for accessing sshd servers with the appropriately configured "TrustedUserCAKeys" directive. I have been in a debate about how similarly adding host certificates to forwarded agents could help mitigate man-in-the-middle attacks. This has raised a few questions. Firstly, given a host CA signing key on the sshagentca server, would an appropriately constructed host certifi...
2020 Jun 17
3
client host certificates and receiving host configuration
...n > > sshd receiving servers? > > I don't understand what you mean here. Could you elabourate? My apologies for the poor explanation. Let me try again. Adding a user certificate to a client forwarded agent allows that client to use that certificate to authenticate to servers with TrustedUserCAKeys set to the public key used to sign the certificate. What would host certificates added to a client forwarded agent give one (if any), and what part of the normal set of configuration requirements* does it help with? * normal config : @cert-authority in the client's ~/.ssh/known_hosts; setu...
2019 May 20
4
Authenticate against key files before AuthorizedKeysCommand
Hello, Currently OpenSSH has a fixed order on how the key authenticates the user: at first it tries to authenticate against TrustedUserCAKeys, afterwards it does it against the output keys from the AuthorizedKeysCommand and finally against the files as set in AuthorizedKeysFile. I have an use-case where this order is not ideal. This is because in my case the command fetches keys from the cloud which due to connectivity issues (and whatn...
2018 Apr 10
4
Signed SSH key issue with OpenSSH6.4p1
...b) 2) I created user ssh rsa keys (user-id-org and user-id-org.pub). 3) I signed the "user-id-org.pub" with "ca-user-key.pub" and generated "signed-user-id-org.pub". 4) I copied " ca-user-key.pub" to the destination server (dest1.domain.com) and changed "TrustedUserCAKeys /etc/ssh/ ca-user-key.pub" in /etc/ssh/sshd_config. 5) I am trying to get into "dest1.domain.com" using the " user-id-org " as well as "signed-user-id-org.pub". [ ssh -i user-id-org -i signed- user-id-org.pub user1@ dest1.domain.com ] However, I am being aske...
2020 Jan 30
5
SSH certificates - restricting to host groups
Hello, I am trying to work out the best way to issue SSH certificates in such way that they only allow access to specific usernames *and* only to specific groups of host. As a concrete example: I want Alice to be able to login as "alice" and "www" to machines in group "webserver" (only). Also, I want Bob to be able to login as "bob" and
2011 Nov 03
1
Help with CA Certificates for user authentication?
...y /etc/sshtest/ssh_host_dsa_key HostKey /etc/sshtest/ssh_host_ecdsa_key MaxAuthTries 3 AuthorizedKeysFile????? /etc/sshtest/authorized_keys PasswordAuthentication no X11Forwarding yes X11DisplayOffset 10 X11UseLocalhost yes UseDNS no Subsystem?????? sftp??? /home1/test/usr/local/libexec/sftp-server TrustedUserCAKeys?????? /etc/sshtest/ssh_cakeys AuthorizedPrincipalsFile??????? /etc/sshtest/authorized_principals The /etc/sshtest/authorized_principals file contains one line: test at 172.31.43.3 I attempt to connect to the target server from the test client: $ ssh -vvv -Y -p 2022 -l test 172.31.44.115 Ther...
2015 Feb 19
2
[Bug 2353] New: options allowed for Match blocks missing form documentation
...t Hi. AFAIU such options which are allowed for Match blocks are marked with "SSHCFG_ALL" in servconf.c. Going through the list, a number of the is apparently allowed but missing from sshd_config(5): AllowStreamLocalForwarding IPQoS RevokedKeys StreamLocalBindMask StreamLocalBindUnlink TrustedUserCAKeys Could you please add these? I'd have written a patch, but since all my pull requests are apparently generally ignored it's probably just a waste of time :( Cheers, Chris. -- You are receiving this mail because: You are watching the assignee of the bug.
2010 Apr 16
0
Announce: OpenSSH 5.5 released
...zedKeysFile option for $HOME-relative paths * Fix compilation failures on platforms that lack dlopen() * Include a language tag when sending a protocol 2 disconnection message. * Make logging of certificates used for user authentication more clear and consistent between CAs specified using TrustedUserCAKeys and authorized_keys Portable OpenSSH: * Allow contrib/ssh-copy-id to fail gracefully when there are no keys in the ssh-agent. bz#1723 * Explicitly link libX11 into contrib/gnome-ssh-askpass2. bz#1725 * Allow ChrootDirectory to work in SELinux platforms. bz#1726 * Add configure.ac st...
2010 Apr 16
0
Announce: OpenSSH 5.5 released
...zedKeysFile option for $HOME-relative paths * Fix compilation failures on platforms that lack dlopen() * Include a language tag when sending a protocol 2 disconnection message. * Make logging of certificates used for user authentication more clear and consistent between CAs specified using TrustedUserCAKeys and authorized_keys Portable OpenSSH: * Allow contrib/ssh-copy-id to fail gracefully when there are no keys in the ssh-agent. bz#1723 * Explicitly link libX11 into contrib/gnome-ssh-askpass2. bz#1725 * Allow ChrootDirectory to work in SELinux platforms. bz#1726 * Add configure.ac st...
2013 Sep 25
0
CA Signed Public Key User Authentication does not honor ~/.ssh/authorized_keys
Greetings, I am using OpenSSH Signed Public Key authentication for servers ssh login. All of the servers are setup with below sshd_config options: TrustedUserCAKeys /etc/ssh/ca.pub # CA Public Keys RevokedKeys /etc/ssh/revoke.pub # User Public Keys When i started working on it, for ssh authentication i had to have CA Public Key in User ~/.ssh/authorized_keys, like: cert-authority ssh-rsa <user_key> <user_name> But, now i am able to login witho...
2020 Jan 31
2
SSH certificates - restricting to host groups
On 31/01/2020 15:37, Michael Str?der wrote: > (BTW: yubikey is slow. So if you have admins accessing many machines in > one go you will get a notable latency during first SSH connection.) I meant using a single Yubikey as the CA sign the certificates. I'm thinking of an organization where the number of admins is in the low tens.? The end-game of having daily keys and certs loaded
2015 Apr 15
6
[Bug 2382] New: option to disable pid file with sshd
https://bugzilla.mindrot.org/show_bug.cgi?id=2382 Bug ID: 2382 Summary: option to disable pid file with sshd Product: Portable OpenSSH Version: 6.9p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: sshd Assignee: unassigned-bugs at
2014 Jun 06
1
Patch: Ciphers, MACs and KexAlgorithms on Match
...quot;, sMacs, SSHCFG_ALL }, { "protocol", sProtocol, SSHCFG_GLOBAL }, { "gatewayports", sGatewayPorts, SSHCFG_ALL }, { "subsystem", sSubsystem, SSHCFG_GLOBAL }, @@ -427,7 +427,7 @@ static struct { { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, - { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, + { "kexalgorithms", sKexAlgorithms, SSHCFG_ALL }, { "ipqos", sIPQoS, SSHCFG_ALL }, {...
2013 Jun 18
0
Problems in slogin.1, sshd_config.5, ssh_config.5
...rated lists and may use the wildcard and negation operators described in the -.Sx PATTERNS -section of +PATTERNS section of .Xr ssh_config 5 . .Pp The patterns in an @@ -1094,8 +1082,7 @@ Note that certificates that lack a list of principals will not be permitted for authentication using .Cm TrustedUserCAKeys . -For more details on certificates, see the -.Sx CERTIFICATES +For more details on certificates, see the CERTIFICATES section in .Xr ssh-keygen 1 . .It Cm UseDNS -------------- next part -------------- Problems with ssh_config.5: My records indicate that you have accepted this patch, so this...