PKI support for SSH certificates

PKI certificates for SSH

Introduction

SSH certificates are limited in their usefulness - a certificate can only be signed with a single CA key, so no chains of trust can be established, and there's no way to tie them into the global PKI. But what if 🥺 ?

Should I use this?

No.

How do I use this?

Generate a CSR:

openssl req -nodes -newkey rsa:2048 -keyout PRIVATEKEY.key -out MYCSR.csr

and set the CN to your username. Get it signed somehow. Copy PRIVATEKEY.key to ~/.ssh/id_badidea (mode 0600, or ssh-add will refuse to load it) and run:

ssh-keygen -f ~/.ssh/id_badidea -y >~/.ssh/id_badidea.pub

Take your signed certificate and encode it to base64 - if it's PEM encoded, convert to DER first. The base64 has to be a single line, because it is spliced into a command line below, so tell GNU base64 not to wrap it (-w0):

openssl x509 -inform pem -in signed.crt -outform der -out signed.der
base64 -w0 <signed.der >/tmp/encoded.crt

Generate a self-signed SSH certificate that embeds the base64 encoded certificate:

ssh-keygen -I badidea -s ~/.ssh/id_badidea -n "$USER" -O clear -O "extension:x509=$(cat /tmp/encoded.crt)" ~/.ssh/id_badidea.pub

and add it to your SSH agent (ssh-add also loads the certificate from ~/.ssh/id_badidea-cert.pub, which the previous command wrote next to the key):

ssh-add ~/.ssh/id_badidea

On your SSH server, add an AuthorizedKeysCommand to sshd_config:

AuthorizedKeysCommand /usr/local/bin/ssh_pki -certificate %k -user %i -rootCA /etc/ssh/ssh_root_ca

where ssh_root_ca is the root of the infrastructure used to sign the X509 cert. sshd only runs an AuthorizedKeysCommand when AuthorizedKeysCommandUser is also set; %k expands to the base64-encoded certificate being presented and %i to the key ID it was given with -I.

How it works

The ssh_pki agent examines the certificate presented to it and extracts the X509 certificate from the extensions field. It ensures that this certificate has a chain of trust to the configured root CA, and then extracts the subject CN to verify that it matches the username of the account being logged into. If everything checks out, it sends a response to the SSH daemon telling it that the public key used to sign the SSH certificate is a certificate authority. Since the SSH certificate is self-signed, this results in the daemon accepting the presented certificate as evidence of user identity.

So, should I use this?

No.

Todo

Any sort of security analysis at all. The use of CN is entirely inappropriate here, but the only reason I wrote this is because I realised I could.

Owner
Matthew Garrett