[ssh_x509] Certificate Procedures and Test Program

ssh_x509 at roumenpetrov.info
Sat Apr 27 10:09:59 EEST 2019

Thanks Roumen Petrov,
   Firstly, I am using Microchip's ATECC508A; this chip has engine
support (*ateccx08*) for OpenSSL, so any openssl commands like genkey and
req will all be dedicated to the hardware firmware.
Of course this chip supports the PKI algorithms ECDSA and ECDH, and the X509
certificate format. While configuring these crypto modules for both Root and
Signer I have got the Root CA certificate in .DER format, and I have also
got a software release by Microchip which can sign/create the certificate
for n number of requests using my Root module. So my intention in going for
certificate based authentication of the SSH session is to have better
scale and control of user login while diagnosing the board for maintenance.
Below are the steps in my mind to accomplish my requirement.
1) Install the ROOT CA certificate (or only the public key) on the board which
runs the SSH server during provisioning.
2) Generate a CSR from the client machine (laptop) and get the certificate
from the Root module every time maintenance of the board is needed.
3) Use this new certificate to reach the board.

I believe the above steps can be achieved using PKIXSSH.

My Reply/clarification in-line.


On Fri, Apr 26, 2019 at 8:03 PM <ssh_x509 at roumenpetrov.info> wrote:

> Hi Srini,
> ssh_x509 at roumenpetrov.info wrote:
> > Hello All,
> >     Big Thanks for bringing up the openSSL and X509 Certificate support to
> > SSH.
> > now that I have installed PKIXSSH in my raspberry PI machine. I fetched the
> > code from the gitlab master branch. I removed the default OpenSSH version
> > and installed the PKIXSSH. I could do basic things like logging in to SSH
> > using password Authentication.
> >    I want to experiment with the Certificate based SSH Authentication. Following
> > the Facebook's tutorial "
> > https://code.fb.com/security/scalable-and-secure-access-with-ssh/" I could
> > understand the process well. but the lack of examples/howto in PKIXSSH repo
> > I am stuck in implementing the certificate based authentication.
> My comments after a quick look into the tutorial:
> First there is an industrial standard for certificates. PKIX-SSH implements
> algorithms using those certificates
> and in particular it conforms to:
> 1) T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen, SSH
> Transport Layer Protocol, January 31, 2002,
> draft-ietf-secsh-transport-12.txt.
> 2) K. Igoe and D. Stebila, X.509v3 Certificates for Secure Shell
> Authentication, RFC 6187, March 2011.
> Let's call 1) legacy algorithms.
> The page that you refer to describes a proprietary format "invented" by OpenBSD
> developers and in Microsoft style those developers use the same word
> certificate.
> No comment on OpenBSD certificates.
> Search should be for "how x.509 certificates ssh". Unfortunately it
> points to vendor tutorials from companies like Cisco or another mechanism
> used by the Globus project.
> Another search is for "x.509 certificate authentication". It is not so
> useful as it mostly shows what the industrial standard for certificates means.
> More or less end certificates are issued by a Certificate Authority.
> PKIX-SSH regression tests (Bourne shell scripts) use commands that create
> a Certificate Authority, Intermediate Certificate Authority, client
> certificate, server certificates, etc.
> All those commands are based on OpenSSL commands and configuration.
> NSS engine ( https://roumenpetrov.info/e_nss/ ) tests also create
> certificates. Those scripts are simpler.
> Some linux distributions include scripts that create certificates for
> Apache server. The process is quite similar.
> OpenCA is an open source project that may help.
> In other words a search for "openssl certificates" returns a number of
> useful links.
> In my case the first one is on server https://www.digitalocean.com with path
> /community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs
> .
> >    Also I am using the openSSL with engine support which works well with our
> > hardware based crypto module. Anybody please help me how to use the
> > program for Certificate based Authentication, Probably with test commands
> > or programs are greatly appreciated.
> As PKIXSSH implements an industry standard it does not provide tools for
> certificate management.
> I guess that documentation related to the projects OpenSC and SoftHSM could
> help.
> > I configured the code with the option "*--with-ssl-engine*". How to test
> > whether my gen key request went to my hardware module, and how to sign the csr?
> > please help.
> Generation and load into a secure token is out of PKIXSSH scope.
> Let me know which engine you plan to use.
> Note that PKIX supports certificates from e_nss and pkcs11 (from the OpenSC
> project) as those engines implement some custom commands to fetch the X.509
> certificate associated to a key.
> With other engines only plain keys could be used.
> Also any engine that supports the OpenSSL STORE2 API could be used.

>>>> If PKIXSSH is supported by OpenSSL, I already have a working OpenSSL
engine "*ateccx08*"; for example I use the below command to generate
the key pair.
          "*openssl engine ateccx08 -t -post GET_DEVICE_KEY:./key_data.pem*"

> > Thanks in Advance.
> >
> > Regards,
> > Srini.
> Regards,
> Roumen Petrov
> P.S.
> Brief list of commands that I use to test use of certificates stored in
> a secure token (note expression $foo means shell variable):
> * initialization
> pkcs11-tool --init-token --so-pin $sopin --label test0
> pkcs11-tool --init-pin --pin $userpin --login --so-pin $sopin
> or
> softhsm2-util --init-token \
>      --slot $softhsm2_slot --label test0 \
>      --so-pin $sopin --pin $userpin
> * load of key and certificate
> pkcs11-tool --verbose \
>      --write-object $pkcs11_tool_key --type privkey \
>      --id $key_id --label "$key_label" \
>      --attr-from $pkcs11_tool_crt \
>      --login --pin $userpin
> pkcs11-tool \
>      --write-object $pkcs11_tool_crt --type cert \
>      --id $key_id --label "$key_label" \
>      --login --pin $userpin
> * use
> ssh-keygen -D $pkcs11
> ssh -I $pkcs11 $SSH_HOST
> Please see command manual pages for details.
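Added example, not code from this thread or from PKIX-SSH: the three-step plan from the top of the message (root CA on the board, CSR from the laptop, a fresh short-lived client certificate per maintenance session) carried out with plain OpenSSL commands, which is also how the PKIX-SSH regression scripts mentioned above build their test PKI. A software EC key stands in for the ateccx08 engine, and every file name and subject below is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): the root-CA / CSR / client-cert plan with
# OpenSSL only. A software EC key stands in for the ATECC508A engine; all paths
# and subject names are constructed for this demo.
set -e

pki_demo() {
  if ! command -v openssl >/dev/null 2>&1; then
    echo SKIP; return 0                 # no openssl available, nothing to check
  fi
  d=$(mktemp -d); trap 'rm -rf "$d"' EXIT

  # Step 1: root CA. Its private key stays in the Root module; the board only
  # receives the certificate, here in DER form as described in the message.
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/root.key"
  openssl req -x509 -new -key "$d/root.key" -sha256 -days 3650 \
      -subj "/CN=Demo Root CA" -out "$d/root.pem" 2>/dev/null
  openssl x509 -in "$d/root.pem" -outform DER -out "$d/root.der"
  # Provisioning side: the verifier wants PEM, so convert the DER file back.
  openssl x509 -inform DER -in "$d/root.der" -out "$d/board-ca.pem"

  # Step 2: the laptop makes a key + CSR; the Root module signs it with a short
  # validity so every maintenance session needs a fresh certificate.
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/client.key"
  openssl req -new -key "$d/client.key" -sha256 -subj "/CN=maintenance-user" \
      -out "$d/client.csr" 2>/dev/null
  openssl x509 -req -in "$d/client.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
      -CAcreateserial -days 1 -sha256 -out "$d/client.pem" 2>/dev/null

  # Step 3: what the server must be able to do with only the root CA at hand:
  # accept a chain that leads to it ...
  openssl verify -CAfile "$d/board-ca.pem" "$d/client.pem" >/dev/null 2>&1 \
      || { echo FAIL; return 1; }
  # ... and reject a certificate from an unrelated CA, even with the same subject.
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/rogue.key"
  openssl req -x509 -new -key "$d/rogue.key" -sha256 -days 1 \
      -subj "/CN=maintenance-user" -out "$d/rogue.pem" 2>/dev/null
  if openssl verify -CAfile "$d/board-ca.pem" "$d/rogue.pem" >/dev/null 2>&1; then
    echo FAIL; return 1
  fi
  echo OK
}

pki_demo
```

With a real engine the two `ecparam -genkey` lines would be replaced by the engine's own key-generation command, such as the `GET_DEVICE_KEY` call quoted above; the CSR, signing and verification steps stay the same.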