On Mon, Nov 10, 2025 at 7:33 AM Dilip Modi <[email protected]> wrote:
> Hello Guacamole Community,
>
> I hope this email finds you well.
>
> I am currently exploring advanced authentication methods for SSH
> connections through Guacamole and would like to inquire about the specifics
> of using SSH certificate-based authentication. I have a few questions
> regarding this and would be very grateful for any insights or guidance you
> can provide.
>
> My main goal is to understand how to achieve host certificate-based
> authentication, where the Guacamole client verifies the SSH server's host
> certificate against a Certificate Authority (CA), rather than just a
> standard host key.
>

This was added to Guacamole in version 1.6.0 via the following Jira issues
(and their related commits):

https://issues.apache.org/jira/browse/GUACAMOLE-1290

> To help clarify, here are my specific questions:
>
> 1. *How does certificate-based authentication currently work with SSH
> in Guacamole?* From what I can see, Guacamole supports standard public
> key authentication for users (using a private/public key pair) and host key
> verification (using the host-key parameter). However, it's not clear if
> there is built-in support for SSH certificates (user or host) as defined by
> OpenSSH (i.e., keys signed by a CA).
>

Guacamole should support it with either:

* The use of a private key pair issued and signed by the CA and the correct
  configuration of the target OpenSSH server.
* The use of a private key + a public key signed by the same CA configured
  on the target OpenSSH server.

> 2. *What input parameters are required to achieve SSH
> certificate-based authentication?* Are there specific connection
> parameters, beyond private-key, public-key, and host-key, that I would need
> to provide in my configuration to make Guacamole use and trust an SSH
> certificate for authentication?
>

See above.

> 3. *What server-side configuration is needed?* For host certificate
> authentication, I would typically configure the SSH server (sshd_config)
> with HostCertificate and TrustedUserCAKeys directives. Is there any special
> configuration required on the SSH server to make it compatible with
> Guacamole's implementation?
>

This is outside the scope of Guacamole configuration, but I believe you have
the correct items.

> 4. *Is there any detailed documentation on this topic?* If this
> functionality exists, could you please point me to any documentation,
> guides, or examples that walk through the setup process for SSH
> certificate-based authentication with Guacamole?
>

The only Guacamole documentation related to this are the private-key and
public-key fields in the SSH connection documentation, but I would not
consider this "detailed" documentation. That said, the Guacamole side of the
configuration should be pretty simple - either a private key pair
issued/signed by the trusting CA, or a private key and a public key
issued/signed by the CA. I would imagine some documentation should be
available on the OpenSSH site or man pages that guides in how to accomplish
this.

-Nick
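The OpenSSH side of the setup that the thread refers to (a CA, a CA-signed user key, a CA-signed host certificate, and the sshd_config / known_hosts entries that trust them), as an added example that is not part of the thread and not Guacamole project code. It only needs ssh-keygen. Per Nick's reply, the Guacamole connection would then carry user_key in private-key and the CA-signed user_key-cert.pub in public-key; this script does not exercise guacd, and whether guacd's host-key parameter accepts an @cert-authority line is not verified here. The key type, the names guac-ca, guacuser and ssh.example.internal, the 52-week validity and the file paths are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not Guacamole project code): build a small OpenSSH CA, sign a
# user key and a host key with it, and write the server/client config that
# makes both sides trust the CA. Requires ssh-keygen from OpenSSH.
# Names, validity period and paths below are assumptions for the demo.
set -eu

# Create the CA key pair in $1. In production keep "ca" (the private half)
# offline; only ca.pub is distributed to servers and clients.
make_ca() {
    dir=$1
    ssh-keygen -q -t ed25519 -N '' -C 'guac-ca' -f "$dir/ca"
}

# Generate a user key pair and sign the public half with the CA.
# -I key id (sshd logs it), -n principal (must match the login name or an
# entry in AuthorizedPrincipalsFile), -V validity window relative to now.
# Result: $dir/user_key-cert.pub, the "public key signed by the CA" that
# Nick's reply says goes into Guacamole's public-key field.
sign_user_key() {
    dir=$1; principal=$2
    ssh-keygen -q -t ed25519 -N '' -C "$principal" -f "$dir/user_key"
    ssh-keygen -q -s "$dir/ca" -I "guac-$principal" -n "$principal" -V +52w \
        "$dir/user_key.pub"
}

# Generate a host key pair and sign it as a HOST certificate (-h). The
# principal is the name clients will use to reach the server.
sign_host_key() {
    dir=$1; hostname=$2
    ssh-keygen -q -t ed25519 -N '' -C "$hostname" -f "$dir/host_key"
    ssh-keygen -q -s "$dir/ca" -I "host-$hostname" -h -n "$hostname" -V +52w \
        "$dir/host_key.pub"
}

# sshd_config fragment (for /etc/ssh/sshd_config.d/ on servers whose main
# config Includes that directory): present the host certificate and accept
# user certificates signed by the CA. Paths assume the files are copied to
# /etc/ssh on the server.
write_sshd_config() {
    dir=$1
    cat > "$dir/sshd_guac.conf" <<'EOF'
HostKey /etc/ssh/host_key
HostCertificate /etc/ssh/host_key-cert.pub
TrustedUserCAKeys /etc/ssh/ca.pub
EOF
}

# known_hosts line for an OpenSSH client: trust any host certificate signed
# by the CA for hosts matching $2, instead of pinning each host key.
write_known_hosts() {
    dir=$1; pattern=$2
    printf '@cert-authority %s %s\n' "$pattern" "$(cat "$dir/ca.pub")" \
        > "$dir/known_hosts"
}

# Inspect a certificate and report its kind: "user" or "host".
cert_kind() {
    ssh-keygen -L -f "$1" | awk '/Type:/ { print $(NF-1); exit }'
}

demo() {
    dir=${1:-./guac-ca-demo}
    mkdir -p "$dir"
    make_ca "$dir"
    sign_user_key "$dir" guacuser
    sign_host_key "$dir" ssh.example.internal
    write_sshd_config "$dir"
    write_known_hosts "$dir" '*.example.internal'
    echo "user cert kind: $(cert_kind "$dir/user_key-cert.pub")"
    echo "host cert kind: $(cert_kind "$dir/host_key-cert.pub")"
    ssh-keygen -L -f "$dir/user_key-cert.pub"
}

# Run "sh thisfile.sh demo /some/dir" to produce all artifacts in /some/dir.
case "${1:-}" in demo) demo "${2:-}" ;; esac
```

After running the demo, ssh-keygen -L on user_key-cert.pub shows the signing CA fingerprint, the principal and the validity window; sshd will reject the certificate if the principal does not match the login name, if the window has passed, or if ca.pub is not the key listed in TrustedUserCAKeys, so those three fields are the first things to check when a certificate-backed Guacamole connection is refused.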
