How to set up OpenSSH to use x509 PKI for authentication?

  • I do not mean simply putting the public RSA key of a x.509 certificate into ~/.ssh/authorized_keys - I'm looking for a way to set up a ssh such that x.509 certificates signed by a pre-defined CA will automatically be granted access to the linked user account. RFC 6187 seems to suggest such a functionality, but I can't find any documentation on this, or whether it is implemented in OpenSSH at all.

    Here's a more elaborate description of what I want to do:

    • A CA ("SSH-CA") is set up
    • This CA is used to sign user certificates with keyUsage=digitalSignature (and maybe the id-kp-secureShellClient extendedKeyUsage field)
    • This certificate can now be used to log in on a server. The server does not require the public key being present in the authorized_keys. Instead, it is set up to trust the SSH-CA to verify the public key and signature of the certificate (or certificate chain) and the username/UID (probably directly in the subjectAltName field, or maybe using some server-side mapping) before the usual RSA authentication takes place

    So, (how) can this be achieved with OpenSSH, and if it requires a patch how can client-side modifications be kept minimal?

    As an alternative I guess one could also use any S/MIME certificate plus a username to email-address mapping, without requiring an own CA. The client could also still use only the private RSA key and a certificate server is used obtain a certificate from a public key, additionally offering the possibility to use PGP certificates as well (e.g. via monkeysphere) without the user requiring any knowledge about all this as long as they simply provide a public key.

    If it's not natively possible, I guess I could come up with a semi-automatic "implementation" of this by letting a script on the server automatically check a somehow else submitted certificate via openssl (or gnupg) and have the public key be put to the respective user's authorized_keys file - although at that point I am probably more or less re-doing the monkeyshere project...

  • TildalWave

    TildalWave Correct answer

    8 years ago

    OpenSSH does not officially support x.509 certificate based authentication:

    The developers have maintained a stance that the complexity of X.509 certificates introduces an unacceptable attack surface for sshd. Instead, they have [recently] implemented an alternative certificate format which is much simpler to parse and thus introduces less risk.


    OpenSSH just uses the low-level cryptographic algorithms from OpenSSL.

    However Roumen Petrov publishes OpenSSH builds that do include X.509 support, and you could try with those.

    X.509 certificates can [be] used as "user identity" and/or "host key" in SSH "Public Key" and "Host-Based" authentications.

    Roumen Petrov's builds can be downloaded via this page.

    Here's a Debian how-to for SSH with authentication key instead of password that might also prove useful in setting up your OpenSSH to accept x509 PKI for user authentication.

    The Debian link is just about the usual key setup, but Roumen Petrov's build sounds like the solution

    Please be careful with Roumen Petrov's build and **do not** reuse the same x509 certificate for ssl/https. Bugs like 3-Shake show that it is hard to use crypto securely within just the SSL protocol. Security of SSH implementations is never tested in this SSH-SSL key-reuse scenario!

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM