Created attachment 2679 [details] [PATCH] Add ssh -z option to present certificates on command line Currently, it is difficult for users to manage having multiple certificates for a single key pair. One of the easiest ways to manage the certificates is to have a copy of the key pair for every certificate. Some of these concerns were brought up in the following thread: http://lists.mindrot.org/pipermail/openssh-unix-dev/2013-September/031629.html The goal of this patch is to make it easier for users to handle presenting specific certificates during ssh. With this patch, users may specify one or more certificates to be used for authentication on the command line with the '-z' argument when running ssh. A user may also include a specific certificate in the ssh_config file as a CertificateFile. For successful authentication, the key pair associated with the certificate must also be presented during the ssh. This key pair may be loaded in a currently-running ssh agent, for example, or provided as an identity file on the command line. Since the specified certificates can be used in combination with keys pairs in the agent, users can avoid having to enter a passphrase before using a certificate. The code for this patch is closely modeled after that of identity files. However, there are some differences to account for making sure the loaded file is a certificate, as well as identifying which key pair is associated with the certificate.
Thanks for writing this and especially for taking the time to write a regress test too. I'll take a look at this, but I'm not sure about using up one of our few remaining getopt() characters for this - multiple certificates are a fairly rare situation.
We plan to use multiple certificates where a centralize authentication and authorization service will provide limited-use ssh certificate endorsements on user's ssh keys to uniquely access servers in our network (currently consisting of ~200000+ servers). In this model (which plans to replace our existing ssh proxy model), users will need to juggle many certificates spanning each access attempt and even each command they would like to run remotely. Having the functionality to select a certificate within ssh itself will be amazingly helpful. We have an ssh-certificate-agent application that can be used to provide this functionality now by proxying the communication from ssh to the ssh-agent where the ssh-certificate-agent can load the public certificate and can delegate signing to the ssh-agent though this is not an optimal solution. A patch for the ssh-certificate-agent (also authored by mebhat) attached if interested. With respect to using a command line option of -z, what would the alternative be? The other potential solution I could envision would be to overload the use of -i and if the provided argument ends with -cert.pub, then we treat it as we do when parsing arguments from -z? I think I would prefer isolating the behavior to a separate option, though completely open to other alternatives.
Created attachment 2694 [details] ssh-certificate-agent proof-of-concept code ssh-certificate-agent proof-of-concept code attached. The ssh certificate agent allows the user to ssh using specific input certificates. It communicates with the regular ssh agent to get the certificate signed. It does not support adding or removing of keys. As mentioned in my previous post, having this functionality in ssh directly would be incredibly helpful.
Created attachment 2700 [details] revised patch Here's a tweaked version of the patch. Changes are: - add_certificate_file() never used its "dir" argument; remove it and save some code - merge load_certificate_files() into load_public_identity_files(); much of the code is shared (especially % expansion) - if any CertificateFiles have been specified, skip trying to load key-cert.pub by default. I figure that if users are specifying certificates themselves then they don't want implicit behaviour to confuse things. - log (at debug2 level) which private key is being used for the certificate and cases where no private key was found for a given certificate - Simplify the matching of certificates to private keys in sign_and_send_pubkey() and use it for all certificates (i.e. both CertificateFile and implicit *-cert.pub ones). - Tweak the wording of the manpage a little and mention the interaction with IdentitiesOnly. I've left the ssh -z option in there for now. The alternative to an explicit flag is making users use -oCertificateFile=...
Reviewed the proposed changes and really like the new approach. Also confirmed that the proposed patch functions as expected. As for the -z option, I completely forgot that -oCertificateFile was an option. I, personally, would be fine dropping -z in favor of -oCertificateFile as to not pollute the getopt space as you've mentioned previously.
patch applied - this will be in openssh-7.2. Thanks!
Close all resolved bugs after 7.3p1 release