<div class="socmaildefaultfont" dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:10pt" ><div dir="ltr" >Yes, the certificates are generated by OpenSSL or compatible crypto library.</div>
<div dir="ltr" > </div>
<div dir="ltr" >A client will get their SSH public key signed by the same Certificate Authority that the OpenSSH server has been configured with, and then present their signed public key as part of the OpenSSH authentication process.</div>
<div dir="ltr" > </div>
<div dir="ltr" >The specific use case I am interested in is multi-factor authentication. Outside of the OpenSSH workflow, authorize and get a client's SSH public key signed for a limited amount of time. Then use libssh2 inside of a client application to execute remote commands on a server.</div>
<div dir="ltr" > </div>
<div dir="ltr" >Our client application today uses SSH public-private key pairs and libssh2 to execute remote commands and we are looking to expand that to support the signed public keys.</div>
<div dir="ltr" > </div>
<div dir="ltr" >thanks,</div>
<div dir="ltr" > </div>
<div dir="ltr" >Ben</div>
<div dir="ltr" > </div>
<blockquote data-history-content-modified="1" dir="ltr" style="border-left:solid #aaaaaa 2px; margin-left:5px; padding-left:5px; direction:ltr; margin-right:0px" >----- Original message -----<br>From: "Felipe Gasper" <felipe@felipegasper.com><br>To: "libssh2 development" <libssh2-devel@lists.haxx.se><br>Cc: "Benjamin C Forsyth" <ben.forsyth@us.ibm.com><br>Subject: [EXTERNAL] Re: ssh certificate support<br>Date: Mon, Sep 13, 2021 10:29 AM<br>
<div><font size="2" face="Default Monospace,Courier New,Courier,monospace" >> On Sep 13, 2021, at 12:00 PM, Benjamin C Forsyth via libssh2-devel <libssh2-devel@lists.haxx.se> wrote:<br>><br>> I was curious about using ssh certificates with libssh2. I dug around a little and it seemed that support for some of the lower level crypto methods is not available. I wasn't sure if I was doing something incorrect.<br>> <br>> Has anyone done authentication with ssh based certificates using libssh2?<br><br>Are you talking about SSL/TLS certificates?<br><br>This sounds like telnet-over-TLS, which you’d have to authenticate via a TLS client certificate. I’m not sure if a standard (e.g., standard port) exists for that.<br><br>If you don’t need authentication, OpenSSL’s s_client can do what you want. Some netcat implementations (e.g., Eric Jackson’s rewrite) can do that, too.<br><br>-FG</font></div></blockquote>
<div dir="ltr" > </div></div><BR>
<BR>
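The workflow Ben describes (a CA signs the client's SSH public key for a limited time, and the server trusts only that CA) is shown below as an added example using OpenSSH's own ssh-keygen; it is not code from the thread or from libssh2. The key names, the principal "ben" and the one-hour window are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: mint a short-lived OpenSSH user certificate and check the
# fields sshd would evaluate. File names and the principal are constructed.
set -eu

WORK=$(mktemp -d)

# The CA key pair. Only ca_key.pub goes to the server, referenced from
# sshd_config as:  TrustedUserCAKeys /etc/ssh/user_ca.pub
ssh-keygen -q -t ed25519 -N '' -C 'demo-user-ca' -f "$WORK/ca_key"

# The client's ordinary key pair, as a libssh2 application uses today.
ssh-keygen -q -t ed25519 -N '' -C 'ben@client' -f "$WORK/id_ed25519"

# Sign the client's public key after the out-of-band MFA step.
#   -I  key identity, logged by sshd on every login with this cert
#   -n  principals (login names) the certificate is valid for
#   -V  validity window: one minute ago until one hour from now
# Writes $WORK/id_ed25519-cert.pub, which the client presents at login.
sign_limited_key() {
  ssh-keygen -q -s "$WORK/ca_key" -I 'ben-mfa-session' -n ben \
    -V -1m:+1h "$WORK/id_ed25519.pub"
  printf '%s\n' "$WORK/id_ed25519-cert.pub"
}

# Succeed only if the certificate lists the given principal; sshd refuses
# a cert whose principals do not include the requested login name.
cert_allows_principal() {
  ssh-keygen -L -f "$1" | grep -Eq "^[[:space:]]+$2\$"
}

# Succeed only if the certificate carries an explicit validity window
# (an unbounded cert would show "Valid: forever").
cert_is_time_limited() {
  ssh-keygen -L -f "$1" | grep -q 'Valid: from'
}
```

Run it once to see the decoded certificate with `ssh-keygen -L -f "$(sign_limited_key)"`; an expired window or a missing principal is what a sshd rejection for this cert will look like in its log.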