On 10/27/21 16:26, Marco wrote:
Hi all and thanks for attention.
I have some difficulties authenticating with a certificate from a C
application using ssh to a server that is correctly configured, I think.
I've generated a private and public key and signed the public key with the
certification authority private key to get a -cert.pub with the desired
principals (principals are in /etc/ssh/auth_principals/%u at server side).
The server is configured to recognize the CA and has authentication
principals.
Using ssh from shell I have no issue.
With a C application following the tutorial, and after setting up the session with
username, IP and port, I try public key using the cert file, it succeeds, then I
try to authenticate with the private key but I get Access denied.
AFAIK OpenSSH (ssh from shell) automatically loads the existing
-cert.pub files when it finds them alongside the private and public
key files. I am not sure if this functionality is implemented in libssh,
but from what you describe, it looks like the case.
The certificate and public key authentication both use the pubkey
authentication method, but they use different "key types" (or
mechanisms -- for example ssh-ed25519 or
ssh-ed25519-cert-...@openssh.com), which results in different content of
the authentication packets (you should be able to see this difference in
debug mode of both server and client).
I think this works as expected from the protocol point of view. If you
think libssh should also try to find matching certificates and use them
for the authentication, contributions are welcome:
https://gitlab.com/libssh/libssh-mirror
Hope it helps,
--
Jakub Jelen
Crypto Team, Security Engineering
Red Hat, Inc.
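The reply above makes the point that a plain key and a certificate both travel inside the same "publickey" method of SSH_MSG_USERAUTH_REQUEST (RFC 4252, section 7) and differ only in the algorithm-name string and the key blob. The following C code is an added illustration of that wire layout, not code from the thread or from libssh or OpenSSH: it encodes the query form of the request (boolean FALSE, no signature) and then, from the server's point of view, parses it back and classifies the offer by the "-cert-v01@openssh.com" suffix that OpenSSH certificate key types carry. The user name and the two key blobs are constructed placeholders; a real blob is the wire-encoded key or certificate.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 4252 section 7: SSH_MSG_USERAUTH_REQUEST for the "publickey" method.
 * The same method is used for plain keys and OpenSSH certificates; only the
 * algorithm-name string and the key blob differ. */
#define SSH_MSG_USERAUTH_REQUEST 50

/* Append a uint32-length-prefixed SSH "string"; returns the new offset. */
static size_t put_string(unsigned char *buf, size_t off,
                         const unsigned char *s, size_t n) {
    buf[off++] = (unsigned char)(n >> 24);
    buf[off++] = (unsigned char)(n >> 16);
    buf[off++] = (unsigned char)(n >> 8);
    buf[off++] = (unsigned char)n;
    memcpy(buf + off, s, n);
    return off + n;
}

/* Client side: encode the "query" form (boolean FALSE, no signature), which
 * asks whether the server would accept this key/certificate before signing. */
size_t encode_pubkey_query(unsigned char *buf, const char *user,
                           const char *algname,
                           const unsigned char *blob, size_t bloblen) {
    size_t off = 0;
    buf[off++] = SSH_MSG_USERAUTH_REQUEST;
    off = put_string(buf, off, (const unsigned char *)user, strlen(user));
    off = put_string(buf, off, (const unsigned char *)"ssh-connection", 14);
    off = put_string(buf, off, (const unsigned char *)"publickey", 9);
    buf[off++] = 0; /* boolean FALSE: query only, no signature follows */
    off = put_string(buf, off, (const unsigned char *)algname, strlen(algname));
    off = put_string(buf, off, blob, bloblen);
    return off;
}

/* Read one SSH string with bounds checking; returns 0 on truncation. */
static int get_string(const unsigned char *buf, size_t len, size_t *off,
                      const unsigned char **s, size_t *n) {
    if (*off + 4 > len) return 0;
    uint32_t l = ((uint32_t)buf[*off] << 24) | ((uint32_t)buf[*off + 1] << 16) |
                 ((uint32_t)buf[*off + 2] << 8) | buf[*off + 3];
    *off += 4;
    if (l > len - *off) return 0;
    *s = buf + *off;
    *n = l;
    *off += l;
    return 1;
}

/* Server side: extract the algorithm name from a publickey request and
 * classify it. Returns 1 for a certificate offer, 0 for a plain key,
 * -1 for a malformed or non-publickey request. The name is copied into
 * algout (NUL-terminated, truncated to algout_len - 1 bytes). */
int classify_pubkey_request(const unsigned char *buf, size_t len,
                            char *algout, size_t algout_len) {
    size_t off = 0;
    const unsigned char *s;
    size_t n;
    if (algout_len == 0) return -1;
    if (len < 1 || buf[off++] != SSH_MSG_USERAUTH_REQUEST) return -1;
    if (!get_string(buf, len, &off, &s, &n)) return -1; /* user name */
    if (!get_string(buf, len, &off, &s, &n)) return -1; /* service name */
    if (!get_string(buf, len, &off, &s, &n)) return -1; /* method name */
    if (n != 9 || memcmp(s, "publickey", 9) != 0) return -1;
    if (off + 1 > len) return -1;
    off++;                                              /* has-signature flag */
    if (!get_string(buf, len, &off, &s, &n)) return -1; /* algorithm name */
    size_t c = n < algout_len - 1 ? n : algout_len - 1;
    memcpy(algout, s, c);
    algout[c] = '\0';
    /* OpenSSH certificate key types end in "-cert-v01@openssh.com" */
    static const char suffix[] = "-cert-v01@openssh.com";
    size_t sl = sizeof suffix - 1;
    return (n >= sl && memcmp(s + n - sl, suffix, sl) == 0) ? 1 : 0;
}

int main(void) {
    /* Constructed placeholder blobs; real ones are the encoded key/certificate. */
    static const unsigned char plain_blob[] = "plain-key-blob";
    static const unsigned char cert_blob[] = "certificate-blob-with-principals";
    unsigned char pkt[256];
    char alg[64];
    size_t n;

    n = encode_pubkey_query(pkt, "marco", "ssh-ed25519",
                            plain_blob, sizeof plain_blob - 1);
    printf("%s -> cert=%d\n", alg, classify_pubkey_request(pkt, n, alg, sizeof alg));

    n = encode_pubkey_query(pkt, "marco", "ssh-ed25519-cert-v01@openssh.com",
                            cert_blob, sizeof cert_blob - 1);
    printf("%s -> cert=%d\n", alg, classify_pubkey_request(pkt, n, alg, sizeof alg));
    return 0;
}
```

The classification here is only the first thing a server does with such a packet; for a certificate offer it then parses the blob, verifies the CA signature and matches the principals against the user's allowed list, which is where a mismatch such as the one in the question shows up as "Access denied" even though the key type was accepted.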