PowerShell / Win32-OpenSSH

Win32 port of OpenSSH

Support for signed certificates? #1494

Open greg-dfo opened 4 years ago

greg-dfo commented 4 years ago

"OpenSSH for Windows" version OpenSSH_for_Windows_8.0p1, LibreSSL 2.6.5

Client OperatingSystem Windows 10 Enterprise

Does OpenSSH for Windows support signed certs?

I feel like it does, as ssh-keygen picks up the certificate no problem. However, it doesn't want to connect. The same steps seem to work fine from linux.

 Directory of C:\hi
11/04/2019  01:18 PM             2,013 GregDFO-cert.pub
04/16/2019  09:07 AM             1,854 GregDFO-private.key
04/16/2019  09:31 AM               389 GregDFO-public.key

C:\hi>ssh-keygen -Lf GregDFO-cert.pub
GregDFO-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:Ccox9NCf/HBjzFxRE76XsnTT9k0vbmRB4/j5qX95WkQ
        Signing CA: RSA SHA256:3axo+wPqiszHOTKy94Tk2gj4S6Rb6uGWKcB4s059bvg (using ssh-rsa)
        Key ID: "root"
        Serial: 17890926214909873034
        Valid: from 2019-11-01T08:52:18 to 2019-11-13T19:52:48
        Principals:
                cormierg
        Critical Options: (none)
        Extensions:
                permit-pty

However, when trying to use it, ssh spits out "invalid format":

C:\hi>ssh -i GregDFO-private.key -i GregDFO-cert.pub cormiergr@1.2.3.4

     Unauthorized Access Prohibited / Acces non-autorise interdit

Enter passphrase for key 'GregDFO-private.key': *****
Load key "GregDFO-cert.pub": invalid format

A few extra verbose tidbits

Enter passphrase for key 'GregDFO-private.key':
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Offering public key: GregDFO-cert.pub RSA-CERT SHA256:Ccox9NCf/HBjzFxRE76XsnTT9k0vbmRB4/j5qX95WkQ explicit
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: GregDFO-cert.pub RSA-CERT SHA256:Ccox9NCf/HBjzFxRE76XsnTT9k0vbmRB4/j5qX95WkQ explicit
debug1: sign_and_send_pubkey: no separate private key for certificate "GregDFO-cert.pub"
Load key "GregDFO-cert.pub": invalid format
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive

ambakshi commented 2 years ago

Did you add a TrustedUserCAKeys line to sshd_config?

TrustedUserCAKeys __PROGRAMDATA__/ssh/trusted_ssh_ca_keys

It definitely works for me (OpenSSH_for_Windows_8.1p1, LibreSSL 2.9.2)

ambakshi commented 2 years ago

Oh, never mind, you meant using the Windows client to connect to a server that otherwise works. I think there is a hint in this:

debug1: sign_and_send_pubkey: no separate private key for certificate "GregDFO-cert.pub"
Load key "GregDFO-cert.pub": invalid format

Try naming the files so the pub and cert get picked up as defaults (using GregDFO, GregDFO.pub and keeping GregDFO-cert.pub), then pass -i GregDFO; it should pick up the rest.

godeater commented 1 year ago

Did you add a TrustedUserCAKeys line to sshd_config?

TrustedUserCAKeys __PROGRAMDATA__/ssh/trusted_ssh_ca_keys

It definitely works for me (OpenSSH_for_Windows_8.1p1, LibreSSL 2.9.2)

Could you share the setup you have which is working?

I'm trying to set this up myself, and my Windows sshd is complaining:

sshd: userauth_pubkey: unsupported public key algorithm: rsa-sha2-256-cert-v01@openssh.com [preauth]

Are the certs you're using signed with a different algorithm?
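The fields that ssh-keygen -Lf prints earlier in this thread, including the algorithm the CA signed with (the "(using ssh-rsa)" part), can be read straight out of the *-cert.pub file, which is a quick way to answer the "signed with a different algorithm?" question without a server round trip. The Python below is an added example written for this page; it is not code from Win32-OpenSSH or from anyone in the thread. It decodes an ssh-rsa-cert-v01@openssh.com blob following the field order in OpenSSH's PROTOCOL.certkeys, reports key ID, serial, principals, validity window, critical options, extensions, the key and CA fingerprints in ssh-keygen's format, and the signature algorithm, and then mirrors the type/principal/validity checks sshd applies to a user certificate. It does not verify the signature. The fixture built by sample_cert_line() is a constructed certificate with fake RSA numbers and an all-zero signature; the key ID, serial and principal are taken from the listing above, while the timestamps and the modulus bytes are assumptions.

```python
# Added example for this thread, not Win32-OpenSSH code. Layout per OpenSSH PROTOCOL.certkeys.
import base64
import hashlib
import struct

CERT_TYPES = {1: "user", 2: "host"}

def _read_uint(buf, off, fmt):  # fmt ">I" = uint32, ">Q" = uint64, big-endian wire order
    return struct.unpack_from(fmt, buf, off)[0], off + struct.calcsize(fmt)

def _read_string(buf, off):  # SSH "string": uint32 length, then that many bytes
    n, off = _read_uint(buf, off, ">I")
    return buf[off:off + n], off + n

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

def _packed_strings(blob):  # principals: SSH strings packed back to back
    out, off = [], 0
    while off < len(blob):
        s, off = _read_string(blob, off)
        out.append(s.decode())
    return out

def _packed_options(blob):  # critical options / extensions: (string name, string data) pairs
    out, off = {}, 0
    while off < len(blob):
        name, off = _read_string(blob, off)
        data, off = _read_string(blob, off)
        out[name.decode()] = data
    return out

def fingerprint(blob):  # ssh-keygen style: SHA256 of the key blob, base64 without padding
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_rsa_cert(line):
    """Parse one 'ssh-rsa-cert-v01@openssh.com AAAA... comment' line (the content of a *-cert.pub)."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa-cert-v01@openssh.com":
        raise ValueError("expected an ssh-rsa-cert-v01@openssh.com line")
    blob = base64.b64decode(fields[1])
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa-cert-v01@openssh.com":
        raise ValueError("blob type does not match the line's key type")
    _nonce, off = _read_string(blob, off)
    e, off = _read_string(blob, off)
    n, off = _read_string(blob, off)
    serial, off = _read_uint(blob, off, ">Q")
    cert_type, off = _read_uint(blob, off, ">I")
    key_id, off = _read_string(blob, off)
    principals, off = _read_string(blob, off)
    valid_after, off = _read_uint(blob, off, ">Q")
    valid_before, off = _read_uint(blob, off, ">Q")
    critical, off = _read_string(blob, off)
    extensions, off = _read_string(blob, off)
    _reserved, off = _read_string(blob, off)
    ca_key, off = _read_string(blob, off)
    signature, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after signature")
    # The signature blob starts with the algorithm the CA signed with (ssh-rsa, rsa-sha2-256 or
    # rsa-sha2-512), which ssh-keygen -L prints as "(using ...)". Nothing here verifies the signature.
    sig_alg, _ = _read_string(signature, 0)
    plain_key = _ssh_string(b"ssh-rsa") + _ssh_string(e) + _ssh_string(n)
    return {
        "type": CERT_TYPES.get(cert_type, cert_type), "key_id": key_id.decode(), "serial": serial,
        "public_key_fp": fingerprint(plain_key), "ca_fp": fingerprint(ca_key),
        "ca_key_type": _read_string(ca_key, 0)[0].decode(), "signature_alg": sig_alg.decode(),
        "valid_after": valid_after, "valid_before": valid_before, "principals": _packed_strings(principals),
        "critical_options": _packed_options(critical), "extensions": _packed_options(extensions),
    }

def cert_problems(cert, login_user, now):
    """Mirror the checks sshd makes before accepting a user cert: type, principal, validity window."""
    problems = []
    if cert["type"] != "user":
        problems.append("not a user certificate")
    if login_user not in cert["principals"]:
        problems.append("login name %r not among principals %r" % (login_user, cert["principals"]))
    if not cert["valid_after"] <= now < cert["valid_before"]:
        problems.append("outside validity window")
    return problems

def sample_cert_line(sig_alg=b"rsa-sha2-256"):
    """Constructed fixture (assumption): fake RSA numbers and an all-zero signature; nothing verifies."""
    e, n = b"\x01\x00\x01", b"\x00" + bytes(range(1, 65))
    ca_key = _ssh_string(b"ssh-rsa") + _ssh_string(e) + _ssh_string(b"\x00" + bytes(range(65, 129)))
    body = b"".join([
        _ssh_string(b"ssh-rsa-cert-v01@openssh.com"), _ssh_string(bytes(32)),      # type, nonce
        _ssh_string(e), _ssh_string(n), struct.pack(">Q", 17890926214909873034),     # key, serial
        struct.pack(">I", 1), _ssh_string(b"root"),                                # user cert, key id
        _ssh_string(_ssh_string(b"cormierg")),                                     # principals
        struct.pack(">QQ", 1572600000, 1573700000),                                # validity (assumed)
        _ssh_string(b""), _ssh_string(_ssh_string(b"permit-pty") + _ssh_string(b"")),  # crit opts, exts
        _ssh_string(b""), _ssh_string(ca_key),                                     # reserved, CA key
        _ssh_string(_ssh_string(sig_alg) + _ssh_string(bytes(64))),                # signature
    ])
    return "ssh-rsa-cert-v01@openssh.com " + base64.b64encode(body).decode() + " constructed-sample"
```

To use it on a real file, pass the file's single line to parse_rsa_cert() (for example parse_rsa_cert(open("GregDFO-cert.pub").read())) and compare public_key_fp, ca_fp and signature_alg with what ssh-keygen -Lf prints; cert_problems() takes the login name you give to ssh and a Unix timestamp, so a mismatch between the login name and the principals list shows up before you touch the server. The parser is strict about trailing bytes and the type string so that a file that is actually a plain public key, or a cert of another key type, fails loudly instead of being misread.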