Support for ssh-rsa-cert-v01 certificates #479


Closed
robertkentish opened this issue Oct 16, 2018 · 20 comments · Fixed by #1498

Comments

@robertkentish

I'd like to implement support for ssh-rsa-cert-v01@openssh.com (and others) type certificate authentication and am looking for some guidance on the best way to implement this.

Looking at the code I propose to create a new PrivateKeyCertAuthenticationMethod class and associated CertificateHostAlgorithm to be used instead of the current PrivateKey/KeyHostAlgorithm classes. This would make the high level connection code something like

var keyFile = new PrivateKeyFile(@"C:\temp\ssh_keys\id_rsa", "xxxx");
var certFile = new PublicKeyCertFile(@"C:\temp\ssh_keys\id_rsa-cert.pub");
var authMethod = new PrivateKeyCertAuthenticationMethod("user", keyFile, certFile);
var connectionInfo = new ConnectionInfo("192.168.1.1", "user", authMethod);

using (var client = new SshClient(connectionInfo))
{
    client.Connect();
}

What I'm wondering though, is this the best way to structure things or should I create only the CertificateHostAlgorithm and place some switching logic in the PrivateKeyFile class to swap out the HostAlgorithm?

Just looking for a bit of direction before I put through a huge PR that gets rejected... :-)

@nokinger

Hi there,

Does anybody have some stuff regarding the certificate authentication?
Or @robertkentish did you implement something?

@robertkentish
Author

Hi @nokinger,
I did end up getting it working but was waiting on guidance on the PR and so haven't pushed up any of my mods yet. I'll clean up the local branch tomorrow and push up the changes to my fork here under the allow_signed_keys branch

@nokinger

Thanks @robertkentish, that will be nice. I also found a fork that contains a pretty simple implementation. But yesterday there were too many interruptions, so today I will have a try with that fork.

@robertkentish
Author

@nokinger I've just pushed up my changes so if you still need, feel free to try them.

@nokinger

nokinger commented Oct 22, 2019

I didn't have any in-depth knowledge about ssh-rsa-cert-v01@openssh.com and so on. But when I use your code as it is, it fails.
I just changed your code base like this:

var message = new RequestMessagePublicKey(ServiceName.Connection, Username, CertificateFile.HostCertificate.Name, CertificateFile.Data);

Before the "CertificateFile.HostCertificate.Data" has been used.
Now it is changed to use the simple Base64-encoded string "CertificateFile.Data", and that works for me!

Regards
Martin

@robertkentish
Author

I'm no expert on the cert file format either, but I'm guessing that somehow a difference in how the original pubkey files were signed means the Base64 data doesn't decode properly to the RsaCertificateData class and therefore doesn't convert to the SshCertificateData class.

How are you generating the original keys and how are you signing them?

@nokinger

nokinger commented Oct 23, 2019

I did it like this:

  1. Master key for CA:

ssh-keygen -t rsa -b 4096 -f my_master_key_ca

  2. User key pair:

ssh-keygen -t rsa

  3. Sign user public key:

ssh-keygen -s my_master_key_ca -I myuser -n root id_rsa.pub

I didn't use the -V attribute in step 3. Therefore the certificate is valid "forever".

There was also a problem with your code, because I got an ArgumentOutOfRangeException (as I did not set an expiration date in step 3). See this commit. Okay, it would be better if the validBefore and validAfter bytes were checked for "0xFF" rather than just catching the out-of-range exception and setting the date to DateTime.MaxValue... By the way, it works :)
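The certificate layout behind both points above (sending the whole "Data" blob in the userauth request, and the all-0xFF validity value), as an added example that is not code from this issue or from SSH.NET: a Python parser for one ssh-rsa-cert-v01@openssh.com line that keeps the decoded blob and maps a valid_before of 2^64-1 to "no expiry" instead of throwing. build_test_cert, its dummy nonce, modulus, CA key and signature bytes are constructed here for illustration only.

```python
import base64
import struct
from datetime import datetime, timezone

CERT_TYPE = b"ssh-rsa-cert-v01@openssh.com"
FOREVER = 0xFFFFFFFFFFFFFFFF  # valid_before that ssh-keygen -s writes when -V is omitted

class Reader:
    # Sequential reader for the SSH wire types (uint32, uint64, string, mpint).
    def __init__(self, data): self.data, self.pos = data, 0
    def take(self, n):
        chunk, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        if len(chunk) != n: raise ValueError("truncated certificate")
        return chunk
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def u64(self): return struct.unpack(">Q", self.take(8))[0]
    def string(self): return self.take(self.u32())
    def mpint(self): return int.from_bytes(self.string(), "big", signed=True)

def parse_cert(line):
    # Parse one line of id_rsa-cert.pub (layout per OpenSSH PROTOCOL.certkeys). The returned "blob"
    # is the whole decoded certificate: that, not the inner RSA key, goes into the userauth request.
    name, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    r = Reader(blob)
    if name.encode() != CERT_TYPE or r.string() != CERT_TYPE:
        raise ValueError("not an ssh-rsa-cert-v01@openssh.com certificate")
    cert = {"blob": blob, "nonce": r.string(), "e": r.mpint(), "n": r.mpint(),
            "serial": r.u64(), "type": r.u32(), "key_id": r.string().decode()}
    p = Reader(r.string())  # principals: nested packed strings, may be empty
    cert["principals"] = []
    while p.pos < len(p.data):
        cert["principals"].append(p.string().decode())
    valid_after, valid_before = r.u64(), r.u64()
    # 2^64-1 means "never expires" and no DateTime can hold it: map it to None instead of throwing.
    cert["valid_after"] = datetime.fromtimestamp(valid_after, tz=timezone.utc)
    cert["valid_before"] = None if valid_before == FOREVER else datetime.fromtimestamp(valid_before, tz=timezone.utc)
    cert["critical_options"], cert["extensions"], cert["reserved"] = r.string(), r.string(), r.string()
    cert["signature_key"], cert["signature"] = r.string(), r.string()
    return cert

_s = lambda b: struct.pack(">I", len(b)) + b  # SSH "string": uint32 length prefix + bytes

def build_test_cert(valid_before, principals=("root",), key_id="myuser"):
    # Constructed, unsigned test certificate: dummy nonce, modulus, CA key and signature.
    mp = lambda i: _s(i.to_bytes((i.bit_length() + 8) // 8, "big"))  # mpint, positive values only
    body = (_s(CERT_TYPE) + _s(b"\x00" * 32) + mp(65537) + mp(0xC0FFEE) + struct.pack(">QI", 1, 1)
            + _s(key_id.encode()) + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", 0, valid_before) + _s(b"") * 3 + _s(b"dummy-ca") + _s(b"dummy-sig"))
    return CERT_TYPE.decode() + " " + base64.b64encode(body).decode() + " comment"
```

Running parse_cert over a real id_rsa-cert.pub signed without -V returns valid_before as None, which is the case the ArgumentOutOfRangeException above came from.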

@nokinger

Additionally, I added PrivateKeyCertAuthenticationMethod.cs and PublicKeyCertFile.cs as links into the Renci.SshNet.NET35.csproj file. Otherwise the net35 build does not have these classes. See this commit

@qcc-na

qcc-na commented Jan 7, 2021

Any update on this?

@sjthomsen

Also curious if there's any update on this?

@achuchev

achuchev commented Feb 2, 2022

Any update on this?

@markbearden

Looks like the attempt at this was never merged - I see PR still open, from 3.5 years ago: #595

@sevensolutions

I'm also waiting for this.
I also cannot get the fork working. The SSH connection gets closed immediately.
"An established connection was aborted by the server."

@WojciechNagorski
Collaborator

The quickest method will be to update, test, and complete PR #595. I guarantee I will test and merge if everything works.
We do the project after hours, without any profits.

@sevensolutions

@robertkentish are you still working on this PR?
If not, can you maybe add me as a contributor to your repo? Then I will try to finalize it.

@Rob-Hague
Collaborator

I have a branch which is not ready for presentation but in theory is feature-complete. https://github.com/Rob-Hague/SSH.NET/tree/certificates

Last I remember it had a bunch of errors after merging in the recent analyzer changes, and it needs a bunch of unit and integration tests added.

I'll get round to finishing it at some point but @sevensolutions if you are motivated then please feel free to PR into my branch to push it along, and once it's ready we can PR into the main repo.

@sjthomsen

Hey @Rob-Hague.
Any chance this is close to completion? What's necessary to pull this across the finish line?

@Rob-Hague
Collaborator

I've rebased it but I've otherwise not touched it since my last comment. It needs test coverage and motivation.

@kakins

kakins commented Jul 16, 2024

@Rob-Hague I have a pretty strong interest in seeing this feature happen. I can definitely look at writing some tests, but I'd need time to ramp up.

However, I pulled down the branch and tried connecting to my device. It still seems to be preventing the connection, even though I can connect using ssh in the terminal with the cert.

I still get Renci.SshNet.Common.SshAuthenticationException: Permission denied (publickey).

The auth failure is {SSH_MSG_USERAUTH_FAILURE publickey,password,keyboard-interactive (PartialSuccess:False)}

@Rob-Hague
Collaborator

@kakins Great. Please see Rob-Hague#1. It's quite possible it doesn't work at all, but I think it's close.
