Re: [Cryptography-dev] Generate a signed SSH user authorized key

Thu, 21 Sep 2023 10:08:59 -0700

SSH certificates are not X.509, you’ll need to use https://cryptography.io/en/latest/hazmat/primitives/asymmetric/serialization/#ssh-certificate-builder for building them.

-Paul

On Sep 21, 2023, at 9:59 AM, John Walstra via Cryptography-dev <[email protected]> wrote:


I’m trying to use cryptography to generate a SSH authorized key that is use when the SSH server is set up with TrustedUserCAKeys.

On the Linux command line, the keys are setup as follows

$ ssh-keygen -t rsa -b 2048 -f test
$ ssh-keygen -s /path/to/trusted_user_ca_pk -I test -V +52w test.pub

That will create a test-cert.pub

$ cat test-cert.pub
[email protected] AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNz... K8v+ESbFDSmb+Z9YIE7owjQ2m92s= [email protected]

$ ssh-keygen -L -f test-cert.pub
test-cert.pub:
        Type: [email protected] user certificate
        Public key: RSA-CERT SHA256:pXIIcD3P9mD7BLzYYKlx70kNE4y4pkEuJmFsRuUrpFc
        Signing CA: RSA SHA256:a16H80IMdKLq9WZfaMqAEB9kYx7zFzmbwQP3cOeELPI (using rsa-sha2-512)
        Key ID: "test"
        Serial: 0
        Valid: from 2023-09-19T23:08:00 to 2024-09-17T23:09:25
        Principals: (none)
        Critical Options: (none)
        Extensions:
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc


Since this appears to be a certificate, I was trying to use x509 to generate the certificate.

subject = Name([
    x509.NameAttribute(NameOID.COMMON_NAME, oid),
])
csr = x509.CertificateSigningRequestBuilder().subject_name(
    subject
).sign(private_key, hashes.SHA256(), default_backend())

# Sign the CSR with the CA private key. The ( ) allows
user_certificate = (
    x509.CertificateBuilder()
    .subject_name(csr.subject)
    .issuer_name(subject)
    .public_key(csr.public_key())
    .serial_number(x509.random_serial_number())
    .not_valid_before(datetime.datetime.utcnow())
    .not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=days))
    .sign(ca_private_key, hashes.SHA256(), default_backend())
)
authorized_key = user_certificate.public_bytes(
    encoding=serialization.Encoding.PEM,
)
The only encoding that is allowed is PEM, and no formatting is allowed. 
I’ve tried getting the public_key() from user_certificate, and formatting it with public_bytes(), but that just gave me a ssh-rsa algorithm key (no cert).
If this is the correct path to get what I want, how do I get this into an encoding/format for OpenSSH?

Thanks,
John

_______________________________________________
Cryptography-dev mailing list
[email protected]
https://mail.python.org/mailman/listinfo/cryptography-dev
_______________________________________________
Cryptography-dev mailing list
[email protected]
https://mail.python.org/mailman/listinfo/cryptography-dev

Reply via email to