Feature request: Certificate-based SSH logins #309

Open
gboor opened this issue Jun 6, 2024 · 1 comment

gboor commented Jun 6, 2024

Hello all!

We have quite a fleet of field devices to manage and handle SSH authentication with certificate-based logins, issuing certificates with a short lifetime for maintenance sessions.
A not insignificant part of our fleet consists of Teltonika devices, which all run dropbear as the SSH server. We can't apply this strategy with those and still need to maintain public keys for dozens of users across dozens of devices.

Would it be possible to add certificate-based authentication to dropbear? I can contribute here as well if needed, if someone can point me in the right direction (i.e., where would this go in the source? Is svr-authpubkey.c a good place to start?).

Owner

mkj commented Jun 11, 2024

Yes, svr-authpubkey.c would be a start. Here are some quick thoughts on what would be required (only looking at server/auth signature verify support for now):

  • Add new signkey_names entries in signkey.c and enums for signkey_type and signature_type for "[email protected]" and the other types. Most of them have the same signkey/signature, but RSA will have [email protected] as the signature name (similarly to the existing DROPBEAR_SIGNATURE_RSA_SHA256).
  • Each of the certificate types will need a new buf_rsa_cert_verify() etc function. Those would be in rsa.c etc. It would extract the public key from the encoded certificate, and then pass that to the underlying buf_rsa_verify, as well as verifying the certificate's signature against the signature key.
  • When handling certificate keys, checkpubkey_line() needs to instead look for cert-authority entries in authorized_keys, and compare the authorized_keys entry with the encoded certificate key's signature key.
  • Options encoded in a certificate key should somehow get passed (and override) those in svr-authpubkeyoptions.c. This is mandatory at least for critical options, and probably worth doing for all the extensions.
  • valid principals needs to be checked against the user logging in. OpenSSH's spec is a bit lacking, my first guess is those are comma separated (though is , valid in a username? who knows!).
  • Date validity before/after needs checking, and hopefully all those routers are running NTP! Maybe that could go in buf_rsa_cert_verify(), or perhaps alongside the principals check, I'm not sure.

Specs from https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?rev=HEAD
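
An added sketch of the principals and validity-window checks discussed in this thread (not dropbear code and not from either participant; all function names are hypothetical). PROTOCOL.certkeys packs "valid principals" as a sequence of length-prefixed strings inside one string field, so matching is done per entry on exact length and bytes. Rejecting an empty list is a conservative choice made here; the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Read a big-endian uint32 length prefix; 0 if fewer than 4 bytes remain. */
static int get_u32(const unsigned char *p, size_t remaining, uint32_t *out) {
    if (remaining < 4) return 0;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    return 1;
}

/* Hypothetical helper: 1 if user is listed, 0 if not, -1 if the packed
 * list is malformed. An empty list returns 0 (fail closed, see lead-in). */
int cert_principal_allowed(const unsigned char *list, size_t len,
                           const char *user) {
    size_t off = 0, ulen = strlen(user);
    int found = 0;
    if (ulen == 0) return 0;
    while (off < len) {
        uint32_t n;
        if (!get_u32(list + off, len - off, &n)) return -1;
        off += 4;
        if (n > len - off) return -1; /* prefix runs past end of field */
        /* Exact length + bytes: "ops" must not match "ops,admin". */
        if (n == ulen && memcmp(list + off, user, n) == 0) found = 1;
        off += n; /* keep walking so trailing garbage is still rejected */
    }
    return found;
}

/* Hypothetical helper: valid when valid_after <= now < valid_before. */
int cert_time_valid(uint64_t valid_after, uint64_t valid_before,
                    uint64_t now) {
    return now >= valid_after && now < valid_before;
}

/* Constructed sample field: principals "root" and "ops,admin". */
static const unsigned char sample_principals[] = {
    0, 0, 0, 4, 'r', 'o', 'o', 't',
    0, 0, 0, 9, 'o', 'p', 's', ',', 'a', 'd', 'm', 'i', 'n'
};

int main(void) {
    size_t n = sizeof sample_principals;
    int ok = cert_principal_allowed(sample_principals, n, "root") == 1
          && cert_principal_allowed(sample_principals, n, "ops") == 0
          && cert_time_valid(100, 200, 150);
    return ok ? 0 : 1;
}
```

A device whose clock has reset to a date before `valid_after` fails the time check, so the result depends on the device having a correct clock.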
