[ssh_x509] Certificate Procedures and Test Program

ssh_x509 at roumenpetrov.info
Fri Apr 26 15:03:02 EEST 2019

Hi Srini,
ssh_x509 at roumenpetrov.info wrote:
> Hello All,
>     Big thanks for bringing OpenSSL and X.509 certificate support to
> SSH.
> Now that I have installed PKIXSSH on my Raspberry Pi machine. I fetched the
> code from the GitLab master branch. I removed the default OpenSSH version
> and installed PKIXSSH. I could do basic things like logging in to SSH
> using password authentication.
>    I want to experiment with certificate-based SSH authentication. Following
> Facebook's tutorial
> https://code.fb.com/security/scalable-and-secure-access-with-ssh/ I could
> understand the process well, but because of the lack of examples/howtos in the PKIXSSH repo
> I am stuck in implementing certificate-based authentication.
My comments after a quick look into the tutorial:
First, there is an industry standard for certificates. PKIX-SSH implements 
algorithms using those certificates,
and in particular it conforms to:
1) T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen, SSH 
Transport Layer Protocol, January 31, 2002, 
2) K. Igoe and D. Stebila, X.509v3 Certificates for Secure Shell 
Authentication, RFC 6187, March 2011.

Let us call 1) legacy algorithms.

The page that you refer to describes a proprietary format "invented" by OpenBSD 
developers, and in Microsoft style those developers use the same word 
No comment on OpenBSD certificates.

A search should be for "how x.509 certificates ssh". Unfortunately it 
points to vendor tutorials from companies like Cisco or to another mechanism 
used by the Globus project.
Another search is for "x.509 certificate authentication". It is not so 
useful, as it mostly shows what the industry standard for certificates means.

More or less, end certificates are issued by a Certificate Authority.

PKIX-SSH regression tests (Bourne shell scripts) use commands that create a 
Certificate Authority, an Intermediate Certificate Authority, client 
certificates, server certificates, etc.
All those commands are based on OpenSSL commands and configuration.
The NSS engine ( https://roumenpetrov.info/e_nss/ ) tests also create 
certificates. Those scripts are simpler.
Some Linux distributions include scripts that create certificates for the 
Apache server. The process is quite similar.

OpenCA is an open source project that may help.

In other words, a search for "openssl certificates" returns a number of 
useful links.
In my case the first one is on the server https://www.digitalocean.com with path 

>    Also, I am using OpenSSL with engine support, which works well with our
> hardware-based crypto module. Could anybody please help me with how to use the PKIXSSH
> program for certificate-based authentication? Test commands
> or programs would be greatly appreciated.
As PKIXSSH implements an industry standard, it does not provide tools for 
certificate management.
I guess that documentation related to the projects OpenSC and SoftHSM could 

> I configured the code with the option "--with-ssl-engine". How do I test
> whether my key generation request goes to my hardware module? And how do I sign the CSR?
> Please help.

Key generation and loading into a secure token is out of PKIXSSH scope.

Let me know which engine you plan to use.
Note that PKIX supports certificates from e_nss and pkcs11 (from the OpenSC 
project), as those engines implement some custom commands to fetch the X.509 
certificate associated with a key.
With other engines only plain keys can be used.

Also, any engine that supports the OpenSSL STORE2 API could be used.

> Thanks in Advance.
> Regards,
> Srini.

Roumen Petrov

Brief list of commands that I use to test the use of certificates stored in 
a secure token (note: the expression $foo means a shell variable):

# pkcs11_tool and softhsm2_util are assumed here to be wrappers around OpenSC's
# pkcs11-tool and SoftHSM's softhsm2-util; $pkcs11 is the path to the PKCS#11
# shared library.

* initialization
# initialize the token with a security-officer PIN, then set the user PIN
pkcs11_tool --init-token --so-pin $sopin --label test0
pkcs11_tool --init-pin --pin $userpin --login --so-pin $sopin

# the same for a SoftHSM2 slot
softhsm2_util --init-token \
     --slot $softhsm2_slot --label test0 \
     --so-pin $sopin --pin $userpin

* load of key and certificate
# write the private key; --attr-from copies the matching attributes from the certificate
pkcs11_tool --verbose \
     --write-object $pkcs11_tool_key --type privkey \
     --id $key_id --label "$key_label" \
     --attr-from $pkcs11_tool_crt \
     --login --pin $userpin

# write the certificate with the same id and label so it is found from the key
pkcs11_tool \
     --write-object $pkcs11_tool_crt --type cert \
     --id $key_id --label "$key_label" \
     --login --pin $userpin

* use
# list the public keys provided by the PKCS#11 module
ssh-keygen -D $pkcs11

# authenticate with the key held in the module
ssh -I $pkcs11 $SSH_HOST

Please see command manual pages for details.
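The CA, intermediate CA and client certificate creation that the reply says the regression tests do, and the CSR signing Srini asked about, as an added shell example using plain OpenSSL commands (this is not code from the PKIX-SSH tests or from this thread). All subject names and the directory layout are constructed; the resulting client.key / client.crt are the kind of key and certificate pair a token loader would import, converted to whatever format that loader expects.

```shell
#!/bin/sh
# Added example (not from the PKIX-SSH regression tests or the reply above):
# a minimal two-level PKI with plain OpenSSL. make_pki builds a root CA, an
# intermediate CA signed by it, and a client key whose CSR the intermediate
# signs; verify_cert checks a certificate against that chain.
# Names (Test Root CA, Test Sub CA, ssh-client) and paths are constructed.
set -eu

# make_pki DIR: create ca.{key,crt}, sub.{key,crt}, client.{key,csr,crt} in DIR
make_pki() {
    dir=$1
    mkdir -p "$dir"
    # extension profiles: CA certificates may sign certificates, the end entity may not
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' \
        > "$dir/ee.ext"

    # root CA: key and CSR, then self-signed with the CA profile
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 30 -sha256 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null

    # intermediate CA: CSR signed by the root, still with the CA profile
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test Sub CA" \
        -keyout "$dir/sub.key" -out "$dir/sub.csr" 2>/dev/null
    openssl x509 -req -in "$dir/sub.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$dir/ca.ext" -out "$dir/sub.crt" 2>/dev/null

    # client: CSR signed by the intermediate with the end-entity profile
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=ssh-client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/sub.crt" -CAkey "$dir/sub.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$dir/ee.ext" -out "$dir/client.crt" 2>/dev/null
}

# verify_cert DIR CERT: exit 0 if CERT chains to DIR/ca.crt through DIR/sub.crt.
# Only the root is a trust anchor; the intermediate is supplied as untrusted and
# without it verification of the client certificate fails.
verify_cert() {
    openssl verify -CAfile "$1/ca.crt" -untrusted "$1/sub.crt" "$2" >/dev/null 2>&1
}

# is_ca DIR CERT: exit 0 if CERT carries basicConstraints CA:TRUE
is_ca() {
    openssl x509 -in "$2" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}
```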
