[ssh_x509] Have I understood how OpenSSH and X509 works?

ssh_x509 at roumenpetrov.info
Mon Mar 16 16:07:36 EET 2020



I am trying to test a connection with OpenSSH using pkixssh.

I don't really understand how the full authentication works, and especially how to create the certificates using the X509 standard for public key certificate validation.

In this mail I will explain how I understand the full process I will follow to test a connection between a "client" and a "server" machine with the PKIXSSH fork of OpenSSH, using X509 certificates. To make the test we will use a third machine, which we will call the "control machine", that will act as a "Certification Authority".

In a quick summary, and if I have correctly understood, this is how it works:
- X509 is a standard for signing these public keys. Signed public keys are considered valid if the Certification Authority is known.
- We can sign public keys for hosts and users.
- With X509 certificates we can sign in to an OpenSSH server without using passwords and without using the traditional OpenSSH private-public key authentication. This means that no user public keys need to be copied onto destination servers.
- If we use X509 certificates for hosts, then the client will trust the OpenSSH server without the need to manually add its public key to the known_hosts file.

We are going to make two tests:
- Test the connection for a user from the client machine to the server using an X509 certificate.
- In a second step, add authentication for the server host.

I have come to the conclusion that the following steps must be followed:
- In the "control" machine:
	- Configure and create the keys for our test certification authority.
	- Send the public certification authority key to the OpenSSH daemon of the "server" machine, so our CA is recognised.
- In the "client" machine:
	- Create the private key and public key for the user.
	- Send the public key to the control machine to be signed by the C.A.
	- Add the certificate to the private key file so it will be presented to the server.

At this point everything should be in place, so we can test the connection.

Have I correctly understood how it works?


José Manuel Ciges Regueiro
Unix Systems Administrator & LAMP developer

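The procedure sketched in the message above (a CA on the "control" machine, a user key signed for the "client", a host key signed for the "server", and the signed certificate appended to each private key file), as an added worked example that is not part of the original post and not code from the PKIX-SSH project. It uses only the openssl command line; the directory layout, subject names, key sizes and validity periods are assumptions for the demo, and the "control", "client" and "server" roles are simulated as subdirectories on one machine.

```shell
#!/bin/sh
# Added example (not from the original post or from PKIX-SSH): build a throw-away
# X.509 CA ("control" machine), sign one user key ("client") and one host key
# ("server"), and assemble each into the single PEM file, private key followed by
# its certificate, that PKIX-SSH reads as an identity or host key file.
# All paths, names and lifetimes below are assumptions chosen for the demo.
set -eu

# Control machine: CA key plus self-signed CA certificate under ROOT/ca.
# The default openssl.cnf marks a "req -x509" certificate as CA:TRUE.
make_ca() {                 # make_ca ROOT
    mkdir -p "$1/ca"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Test PKI/CN=Test SSH CA" \
        -keyout "$1/ca/ca.key" -out "$1/ca/ca.crt" 2>/dev/null
    chmod 600 "$1/ca/ca.key"
}

# Key owner (client or server): private key plus CSR in DIR. Only the CSR is
# sent to the control machine; the private key never leaves the owner.
make_request() {            # make_request DIR NAME SUBJECT
    mkdir -p "$1"
    openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    chmod 600 "$1/$2.key"
}

# Control machine: sign a CSR into an end-entity certificate restricted to one
# purpose (clientAuth for a user identity, serverAuth for a host key).
sign_request() {            # sign_request ROOT DIR NAME clientAuth|serverAuth
    ext="$2/$3.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' "$4" > "$ext"
    openssl x509 -req -days 90 -CA "$1/ca/ca.crt" -CAkey "$1/ca/ca.key" \
        -CAcreateserial -extfile "$ext" -in "$2/$3.csr" -out "$2/$3.crt" 2>/dev/null
}

# Key owner: the file PKIX-SSH loads is the private key with the certificate
# appended (DIR/NAME.x509), still readable only by its owner.
assemble_identity() {       # assemble_identity DIR NAME
    cat "$1/$2.key" "$1/$2.crt" > "$1/$2.x509"
    chmod 600 "$1/$2.x509"
}

# What the peer will effectively check: the certificate chains to our CA for the
# given purpose, and the private key in the assembled file is the one the
# certificate was issued for. Returns 0 on success, 1 otherwise.
verify_identity() {         # verify_identity ROOT DIR NAME sslclient|sslserver
    openssl verify -CAfile "$1/ca/ca.crt" -purpose "$4" "$2/$3.crt" >/dev/null 2>&1 || return 1
    key_pub=$(openssl pkey -in "$2/$3.x509" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$2/$3.x509" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Whole flow from the post: user identity for the client, host key for the server.
build_demo() {              # build_demo ROOT USERNAME HOSTNAME
    make_ca "$1"
    make_request "$1/client" id_rsa "/O=Test PKI/CN=$2"
    sign_request "$1" "$1/client" id_rsa clientAuth
    assemble_identity "$1/client" id_rsa
    make_request "$1/server" ssh_host_rsa_key "/O=Test PKI/CN=$3"
    sign_request "$1" "$1/server" ssh_host_rsa_key serverAuth
    assemble_identity "$1/server" ssh_host_rsa_key
}

# Usage: sh x509_demo.sh /tmp/pki jose server.example.test
if [ $# -eq 3 ]; then
    build_demo "$1" "$2" "$3"
    verify_identity "$1" "$1/client" id_rsa sslclient
    verify_identity "$1" "$1/server" ssh_host_rsa_key sslserver
    echo "user and host identities under $1 chain to $1/ca/ca.crt"
fi
```

The CA certificate (`ca/ca.crt`) is the only thing the "server" machine needs from the control machine to recognise user certificates, and the only thing the "client" needs to recognise the host certificate; neither private key leaves the machine that generated it. The purpose check in `verify_identity` is deliberately strict: a certificate issued with `clientAuth` will not verify as `sslserver`, which is the behaviour you want so that a user certificate cannot be reused to impersonate a host.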