Support for ssh-rsa-cert-v01 certificates

[robertkentish]

I'd like to implement support for ssh-rsa-cert-v01@openssh.com (and others) type certificate authentication and am looking for some guidance on the best way to implements this.

Looking at the code I propose to create a new PrivateKeyCertAuthenticationMethod class and associated CertificateHostAlgorithm to be used instead of the current PrivateKey/KeyHostAlgorithm classes. This would make the high level connection code something like

var keyFile = new PrivateKeyFile(@"C:\temp\ssh_keys\id_rsa", "xxxx");
var certFile = new PublicKeyCertFile(@"C:\temp\ssh_keys\id_rsa-cert.pub");
var authMethod = new PrivateKeyCertAuthenticationMethod("user", keyFile, certFile);
var connectionInfo = new ConnectionInfo("192.168.1.1", "user", authMethod);

using (var client = new SshClient(connectionInfo))
{
    client.Connect();
}

What I'm wondering though, is this the best way to structure things or should I create only the CertificateHostAlgorithm and place some switching logic in the PrivateKeyFile class to swap out the HostAlgorithm?

Just looking for a bit of direction before I put through a huge PR that gets rejected... :-)

[nokinger]

Hi there,

has anybody some stuff regarding the certificate authentication?
Or @robertkentish did you implement something?

[robertkentish]

Hi @nokinger ,
I did end up getting it working but was waiting on guidance on the PR and so haven't pushed up any of my mods yet. I'll clean up the local branch tomorrow and push up the changes to my fork here under the allow_signed_keys branch

[nokinger]

thanks @robertkentish that will be nice, I found also a fork what contains a pretty simple implementation. But yesterday there was to many interruptions, so today i will have a try for that fork.

[robertkentish]

@nokinger I've just pushed up my changes so if you still need, feel free to try them.

[nokinger]

i didn't have any knowledge about the ssh-rsa-cert-v01@openssh.com in deep and so on. But when i use your code as it is, it will fail.
I just changed your code base like this:

var message = new RequestMessagePublicKey(ServiceName.Connection, Username, CertificateFile.HostCertificate.Name, CertificateFile.Data);

Before the "CertificateFile.HostCertificate.Data" has been used.
Now it is changed to use the simple Base64 Encoded String "CertificateFile.Data", and that works for me!

Regards
Martin

[robertkentish]

I'm no expert on the cert file format either but I'm guessing that somehow a difference in how the original pubkey files were signed means the Base64 data doesn't decode properly to the RsaCertificateData class and therefore doesn't covert to the SshCertificateData class.

How are you generating the original keys and how are you signing them?

[nokinger]

i did it like this:

1. Master key for CA:

ssh-keygen -t rsa -b 4096 -f my_master_key_ca

2. User Key Pair:

ssh-keygen -t rsa

3. Sign User Public Key:

ssh-keygen -s my_master_key_ca -I myuser -n root id_rsa.pub

i didn't use the -V attribute in step 3. Therefor the certificate is valid for "forever".

There was also a problem with your code, because i got an ArgumentOutOfRangeException (due i did not set an expiration date (in step3). See this commit1. Okay it will be better when the validBefore and validAfter bytes are checked for "0xFF", as just catch the out of range exception and set the date to DateTime.MaxValue... By the way it works :)

[nokinger]

additional i add the PrivateKeyCertAuthenticationMethod.cs and the PublicKeyCertFile.cs as link into the Renci.SshNet.NET35.csproj file. Otherwise the net35 build has not this classes. See this commit

[qcc-na]

Any update on this?

[sjthomsen]

Also curious if there's any update on this?

[achuchev]

Any update on this?

[markbearden]

Looks like the attempt at this was never merged - I see PR still open, from 3.5 years ago: #595