isontheline / pro.webssh.net

iOS / iPadOS / macOS SSH Client
https://apps.apple.com/us/app/id497714887
MIT License

SSH certificates #347

Open isontheline opened 3 years ago

isontheline commented 3 years ago

Describe the feature

Hello!

I’ve been using your wonderful app for a few years. Recently I’ve started using SSH CERTIFICATES (not keys!) and wonder if your app could support them?

https://smallstep.com/blog/use-ssh-certificates/ https://berndbausch.medium.com/ssh-certificates-a45bdcdfac39

If you don’t use certificates (and not many people even know about them), they’re great! Maybe you could write a blogpost about them to drum up some app purchases! Let me know if I can use them in your app!

Sean

seaniedan commented 3 years ago

This would be a great feature, I use certificates all the time! There's some more good information on Red Hat's site.

crahan commented 1 year ago

Adding my vote for this feature as well!

isontheline commented 1 year ago

Thank you Thomas @crahan for your feedback 👍

isontheline commented 1 year ago

Hello everyone 👋

I've read again all documentation and didn't find which vital parts are missing within WebSSH: the CA process is managed by another server, isn't it?

So which part is missing inside WebSSH in order to have certificates working out of the box?

Sorry if I haven't understood a hard point.

crahan commented 1 year ago

There are 2 parts that are missing, I believe. But someone should definitely correct me if I'm interpreting things incorrectly.

Server verifying the client

First, there needs to be a way to not only add a public/private SSH key pair to WebSSH, but also the additional signed certificate file itself. When connecting using an SSH certificate, the server will verify it is signed by the proper CA and contains one or more accepted principal name entries. If those requirements are met, the server will allow the client to log in.

Client verifying the server

Secondly, there needs to be an option to edit the .ssh/known_hosts file and add an entry like @cert-authority *.example.com ssh-rsa AAAAB3N... which tells the client to trust all SSH servers that identify themselves with a HostCertificate that's signed by our trusted CA.

The second option is not a hard requirement. Having it in place though prevents that typical warning message when you first connect to an SSH server, asking to confirm its identity and explicitly trust the host.
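To make the first part concrete, here is an added example (not WebSSH code, whose SSH stack is closed, and not from any commenter) that builds a constructed user certificate in the OpenSSH wire format, parses it back into the fields a server inspects, and applies the acceptance checks described above. The key bytes, CA key bytes and signature are placeholders; verifying the CA's signature is left to the SSH library.

```python
import base64
import struct

# Minimal OpenSSH certificate wire-format helpers (RFC 4251 string / uint32 / uint64).
def _s(b):
    return struct.pack(">I", len(b)) + b
def _rs(buf, off):
    n = struct.unpack(">I", buf[off:off + 4])[0]
    return buf[off + 4:off + 4 + n], off + 4 + n
def _ru(buf, off, fmt):
    n = struct.calcsize(fmt)
    return struct.unpack(fmt, buf[off:off + n])[0], off + n

def make_demo_cert(principals, ca_key, valid_after, valid_before):
    """CONSTRUCTED sample: a user cert in ssh-ed25519-cert-v01@openssh.com field order,
    with placeholder key/nonce/signature, encoded as one id_ed25519-cert.pub line."""
    body = (_s(b"ssh-ed25519-cert-v01@openssh.com") + _s(b"\x00" * 32) + _s(b"\x11" * 32)
            + struct.pack(">Q", 7) + struct.pack(">I", 1) + _s(b"sean@laptop")
            + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"") + _s(_s(b"permit-pty") + _s(b"")) + _s(b"")
            + _s(ca_key) + _s(b"placeholder-signature"))
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(body).decode()

def parse_cert(cert_line):
    """Parse one -cert.pub line into the fields a server inspects before login."""
    blob, c, off = base64.b64decode(cert_line.split()[1]), {}, 0
    for k in ("type", "nonce", "pubkey"):
        c[k], off = _rs(blob, off)
    c["serial"], off = _ru(blob, off, ">Q")
    c["cert_type"], off = _ru(blob, off, ">I")        # 1 = user cert, 2 = host cert
    c["key_id"], off = _rs(blob, off)
    plist, off = _rs(blob, off)                       # packed list of principal strings
    c["principals"], p = [], 0
    while p < len(plist):
        name, p = _rs(plist, p)
        c["principals"].append(name.decode())
    c["valid_after"], off = _ru(blob, off, ">Q")
    c["valid_before"], off = _ru(blob, off, ">Q")
    for k in ("critical_options", "extensions", "reserved", "ca_key"):
        c[k], off = _rs(blob, off)
    c["signature"], off = _rs(blob, off)
    return c

def server_accepts(cert, trusted_ca, login_user, now):
    """Checks from the comment above: user cert, trusted CA, accepted principal, validity
    window. The CA signature itself is verified by the SSH library, not re-implemented here."""
    return (cert["cert_type"] == 1 and cert["ca_key"] == trusted_ca
            and login_user in cert["principals"]
            and cert["valid_after"] <= now < cert["valid_before"])
```

The same `ca_key` bytes, base64-encoded after `@cert-authority *.example.com ssh-ed25519`, are what the known_hosts entry in the second part would carry.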

isontheline commented 1 year ago

Thanks a lot @crahan for your reply 🙏

Server verification (2) should be "easy" to implement as I already read server's identity.

I'm now searching how to implement the client authentication (1) through certificates.

haskelious commented 1 year ago

I would love to see this feature in WebSSH

isontheline commented 1 year ago

@haskelious Thanks for your feedback 🙏

This feature is postponed as I can't figure - yet - how to implement it inside WebSSH.

I need to develop a custom implementation as I'm not using any open sourced library for the SSH part.

hanjo commented 3 months ago

Any update on the implementation timeline? Pretty please :-)

isontheline commented 3 months ago

Unfortunately, as of today, I wasn't able to make the underlying library use SSH Certificates.