Open jacobgreenleaf opened 1 year ago
Hi there, I'm not familiar with SSH Certificates at all. Is this a new proposal? Do you know of any other clients supporting this technology? We use libssh2 and openssl; do you happen to know if these libraries support these certificates? Thanks.
Hi there, I'm not familiar with SSH Certificates at all. Is this a new proposal?
SSH certificates are not new (I believe first added in OpenSSH 5.4 around March 2010), but they have perhaps gained a bit of popularity in recent years.
The key difference is that you continue to generate a public/private key pair as before, but when you connect to the server you also provide the certificate in addition. Here are a few things that describe it in more detail from a user perspective:
It might be related to #522 but I wanted to open this ticket separately. I think SSH certificates can be provided by ssh-agent (also part of OpenSSH), but I don't think ssh-agent is present on iOS. That is, it depends on what "SSH agent support" means. If it means that you can push keys that are stored in the KeePass database into ssh-agent, then it's a different issue. If it means that when using Strongbox on some platform where you also are using ssh-agent, that the keys you use for SFTP authentication can be fetched from ssh-agent (such as if you leave both the password and private key fields empty), then that may be applicable (see https://www.libssh2.org/libssh2_agent_userauth.html)
Do you know of any other clients supporting this technology? We use libssh2 and openssl; do you happen to know if these libraries support these certificates?
They're unrelated to SSL except that they're a similar idea (PKI / certificates), but SSH certificates are much simpler than X.509.
libssh2 does support SSH certificates, at least as of the latest release (ECDSA as of the latest 1.10 release in May 2021, and RSA as of this June although unreleased). It looks like you are supposed to pass the certificate as the public key? See https://github.com/libssh2/libssh2/pull/570/files#diff-ad4324fdd7637be818cceffb6bc77116b79729b326f4983d86c40cf4afb815a5R10. It's definitely confusing as far as the API goes though, and I'm not familiar with it (e.g. https://github.com/libssh2/libssh2/issues/652).
I brought up NMSSH since you use that, which wraps libssh2, but I think it may just work if you do as above (passing the certificate as public key), since NMSSH does have APIs for passing down both the public and private key separately? Unclear to me.
See also for example:
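What the certificate actually carries, as an added example that is not from this issue or from Strongbox, NMSSH or libssh2: this encodes and decodes the OpenSSH user-certificate blob (the base64 body of a keyname-cert.pub file) and applies the checks sshd performs against a cert-authority authorized_keys entry. The user key, CA key, signature and nonce are constructed placeholder bytes, so no signature is verified.

```python
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1  # cert type field: 1 = user certificate, 2 = host certificate

def _string(b):  # RFC 4251 "string": uint32 big-endian length followed by the bytes
    return struct.pack(">I", len(b)) + b

def encode_cert(user_pub, key_id, principals, valid_after, valid_before, ca_pub, sig, serial=1):
    # The blob that ssh-keygen -s writes (base64) into keyname-cert.pub; the nonce is a placeholder.
    return (_string(CERT_TYPE) + _string(b"\x00" * 32)           # type, nonce
            + _string(user_pub) + struct.pack(">Q", serial)      # user's own public key, serial
            + struct.pack(">I", USER_CERT) + _string(key_id)     # user cert, key id (shown in sshd logs)
            + _string(b"".join(_string(p) for p in principals))  # principals allowed to log in
            + struct.pack(">QQ", valid_after, valid_before)      # validity window (unix seconds)
            + _string(b"") * 3                                   # critical options, extensions, reserved
            + _string(ca_pub) + _string(sig))                    # CA public key, CA signature over the rest

def parse_cert(blob):
    # Decode a certificate blob into a dict; a truncated field raises ValueError or struct.error.
    pos = 0
    def take(n):
        nonlocal pos
        pos += n
        return blob[pos - n:pos]
    def string():
        (n,) = struct.unpack(">I", take(4))
        if pos + n > len(blob): raise ValueError("truncated certificate")
        return take(n)
    cert = {"type": string(), "nonce": string(), "pubkey": string(),
            "serial": struct.unpack(">Q", take(8))[0], "cert_type": struct.unpack(">I", take(4))[0],
            "key_id": string(), "principals": []}
    plist, sub = string(), 0
    while sub < len(plist):  # principals are a nested list of strings
        (n,) = struct.unpack_from(">I", plist, sub)
        cert["principals"].append(plist[sub + 4:sub + 4 + n])
        sub += 4 + n
    cert["valid_after"], cert["valid_before"] = struct.unpack(">QQ", take(16))
    cert.update(critical=string(), extensions=string(), reserved=string(), ca_pub=string(), sig=string())
    return cert

def authorize(cert, trusted_ca, login_user, now):
    # The checks sshd applies for a cert-authority authorized_keys entry (signature check omitted).
    checks = [(cert["type"] == CERT_TYPE, "unknown certificate type"),
              (cert["ca_pub"] == trusted_ca, "signed by an untrusted CA"),
              (cert["cert_type"] == USER_CERT, "not a user certificate"),
              (login_user.encode() in cert["principals"], "login name is not a listed principal"),
              (cert["valid_after"] <= now < cert["valid_before"], "outside validity window")]
    failures = [reason for ok, reason in checks if not ok]
    return (not failures, failures[0] if failures else "ok")
```

A client that only sends the bare key (the failure mode in this issue) never presents this blob at all, so sshd falls back to plain public-key matching and the cert-authority entry cannot match.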
OK, thanks for the extra info. We can add to our backlog.
It would be nice if SSH certificates were supported.
It doesn't appear that NMSSH supports them either.

Steps to reproduce:
authorized_keys entry, generate SSH key / certificate, etc:
ssh:
Copy SSH certificate and private key over to device & configure Strongbox SFTP to use the private key from Files, with the OpenSSH convention of having the certificate present at keyname-cert.pub
Connect (Test & Save)
Expected result: Connects OK
Actual result: auth fail
iOS app: Pro 1.57.1
OpenSSH server logs below. It appears to be using the key as-is and not looking for the -cert.pub certificate file. Compared to ssh -i iphone-12-mini jacob@server: