ssh certificate support

Will Cosgrove will at panic.com
Mon Sep 13 22:38:46 CEST 2021


The only cert that is currently supported is using the OpenSSL backend with ecdsa-sha2-nistp256/521/384-cert-v01@openssh.com certs.

Cheers,
Will 


> On Sep 13, 2021, at 1:34 PM, Benjamin C Forsyth via libssh2-devel <libssh2-devel at lists.haxx.se> wrote:
> 
> Yes, the certificates are generated by OpenSSL or compatible crypto library.
>  
> A client will get their ssh public key signed by the same Certificate Authority that the OpenSSH server has been configured with and then present their signed public key as part of the OpenSSH authentication process.
>  
> The specific use case I am interested in is multi-factor authentication. Outside of the OpenSSH workflow, authorize and get a client's SSH public key signed for a limited amount of time. Then use libssh2 inside of a client application to execute remote commands on a server.
>  
> Our client application today uses SSH public-private key pairs and libssh2 to execute remote commands and we are looking to expand that to support the signed public keys.
>  
> thanks,
>  
> Ben
>  
> ----- Original message -----
> From: "Felipe Gasper" <felipe at felipegasper.com>
> To: "libssh2 development" <libssh2-devel at lists.haxx.se>
> Cc: "Benjamin C Forsyth" <ben.forsyth at us.ibm.com>
> Subject: [EXTERNAL] Re: ssh certificate support
> Date: Mon, Sep 13, 2021 10:29 AM
>  
> > On Sep 13, 2021, at 12:00 PM, Benjamin C Forsyth via libssh2-devel <libssh2-devel at lists.haxx.se> wrote:
> >
> > I was curious about using ssh certificates with libssh2. I dug around a little and it seemed that support for some of the lower-level crypto methods is not available. I wasn't sure if I was doing something incorrect.
> >  
> > Has anyone done authentication with ssh based certificates using libssh2?
> 
> Are you talking about SSL/TLS certificates?
> 
> This sounds like telnet-over-TLS, which you’d have to authenticate via a TLS client certificate. I’m not sure if a standard (e.g., standard port) exists for that.
> 
> If you don’t need authentication, OpenSSL’s s_client can do what you want. Some netcat implementations (e.g., Eric Jackson’s rewrite) can do that, too.
> 
> -FG
>  
> 
> 
> -- 
> libssh2-devel mailing list
> libssh2-devel at lists.haxx.se
> https://lists.haxx.se/listinfo/libssh2-devel
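The thread boils down to two checks a client application would want to make before handing a signed key to libssh2: the certificate's key type must be one of the ECDSA `-cert-v01@openssh.com` types Will lists, and, for the short-lived-signature workflow Ben describes, the certificate's validity window must still cover the current time. The following is an added example, not code from the thread or from libssh2: it encodes an OpenSSH user certificate in the wire format (`RFC 4251` strings and integers, field order as in OpenSSH's `PROTOCOL.certkeys`), parses it back, and applies both checks. The sample certificates are constructed in memory with dummy CA key and signature fields, so no signature verification is performed; the `key id`, principal name and timestamps are invented values.

```python
"""Added example (not from the libssh2 thread): parse an OpenSSH user
certificate and check that it is something libssh2's OpenSSL backend can
use and that it is currently within its validity window.

Sample certificates are constructed in-memory; the CA key and signature
fields are dummies, so no signature verification is done here."""
import base64
import struct
import time

# Certificate key types the thread reports libssh2 (OpenSSL backend) accepts.
LIBSSH2_CERT_TYPES = {
    "ecdsa-sha2-nistp256-cert-v01@openssh.com",
    "ecdsa-sha2-nistp384-cert-v01@openssh.com",
    "ecdsa-sha2-nistp521-cert-v01@openssh.com",
}
SSH_CERT_TYPE_USER = 1  # PROTOCOL.certkeys: 1 = user cert, 2 = host cert


def _string(b: bytes) -> bytes:
    """SSH wire 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def build_ecdsa_user_cert(curve, pubkey, key_id, principals, valid_after,
                          valid_before, key_type=None, serial=1):
    """Encode a constructed ECDSA user certificate blob (dummy signature)."""
    key_type = key_type or f"ecdsa-sha2-{curve}-cert-v01@openssh.com"
    return b"".join([
        _string(key_type.encode()),
        _string(b"\x00" * 32),                                   # nonce
        _string(curve.encode()),                                 # curve name
        _string(pubkey),                                         # EC point
        struct.pack(">Q", serial),
        struct.pack(">I", SSH_CERT_TYPE_USER),
        _string(key_id.encode()),
        _string(b"".join(_string(p.encode()) for p in principals)),
        struct.pack(">Q", valid_after),
        struct.pack(">Q", valid_before),
        _string(b""),                                            # critical options
        _string(b""),                                            # extensions
        _string(b""),                                            # reserved
        _string(b"dummy-ca-key"),                                # signature key
        _string(b"dummy-signature"),                             # signature
    ])


class _Reader:
    """Minimal cursor over SSH wire-format data with truncation checks."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def _take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated certificate")
        self.pos += n
        return chunk

    def u32(self):
        return struct.unpack(">I", self._take(4))[0]

    def u64(self):
        return struct.unpack(">Q", self._take(8))[0]

    def string(self):
        return self._take(self.u32())


def parse_ecdsa_user_cert(blob):
    """Decode the fields of an ECDSA OpenSSH certificate up to the validity window."""
    r = _Reader(blob)
    key_type = r.string().decode()
    if key_type not in LIBSSH2_CERT_TYPES:
        raise ValueError(f"unsupported certificate key type: {key_type}")
    r.string()                                   # nonce, not needed here
    curve = r.string().decode()
    pubkey = r.string()
    serial = r.u64()
    cert_type = r.u32()
    key_id = r.string().decode()
    principals, pr = [], _Reader(r.string())
    while pr.pos < len(pr.data):
        principals.append(pr.string().decode())
    valid_after, valid_before = r.u64(), r.u64()
    return {"key_type": key_type, "curve": curve, "pubkey": pubkey,
            "serial": serial, "cert_type": cert_type, "key_id": key_id,
            "principals": principals, "valid_after": valid_after,
            "valid_before": valid_before}


def load_cert_pub_line(line):
    """Decode the blob from an 'id_ecdsa-cert.pub' style line: '<type> <base64> [comment]'."""
    return base64.b64decode(line.split()[1])


def check_cert_for_libssh2(blob, now=None):
    """Return (ok, reason): type accepted by libssh2 and validity covers 'now'."""
    now = int(time.time()) if now is None else now
    try:
        cert = parse_ecdsa_user_cert(blob)
    except ValueError as exc:
        return False, str(exc)
    if cert["cert_type"] != SSH_CERT_TYPE_USER:
        return False, "not a user certificate"
    if now < cert["valid_after"]:                # OpenSSH: valid_after <= now < valid_before
        return False, "certificate not yet valid"
    if now >= cert["valid_before"]:
        return False, "certificate expired"
    return True, f"ok: {cert['key_type']} for {cert['principals']} (key id {cert['key_id']})"


if __name__ == "__main__":
    now = int(time.time())
    demo = build_ecdsa_user_cert("nistp256", b"\x04" + b"\x11" * 64, "ben-mfa",
                                 ["ben"], now - 60, now + 3600)
    print(check_cert_for_libssh2(demo))
```

In practice the blob comes from the `-cert.pub` file `ssh-keygen -s` writes next to the private key (`load_cert_pub_line` decodes that line), and the check runs before calling libssh2's public-key authentication so that an expired or RSA-type certificate fails with a clear local message instead of an opaque authentication error from the server.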
