1. Forum
  2. Usenet
  3. COMP.SECURITY.SSH

  • Question about certificate based authentication

    From Colin McAllister@21:1/5 to All on Wed Nov 2 07:25:39 2022
    Hello,

    I've been trying to understand how to use the new certificate-based authentication mechanism released in PuTTY 0.78. I'm familiar with the traditional workflow for OpenSSH certificate-based authentication, but following that procedure does not appear to
    work with PuTTY.

    In PuTTY, I have tried using a PPK file and an OpenSSH signed certificate associated with the private key (I originally generated a OpenSSH private key and imported it with PuTTYgen and created a PPK private key as well), but that does not appear to work.
    I get an error that PuTTY is 'Unable to use certificate file "..." (not a public key or a PuTTY SSH-2 private key)'.

    I read the release docs and it seems like I need a PuTTY PPK key with a certificate attached, do I use PuTTYgen to create that?

    I have tried using the "Add certificate to key" option in PuTTYgen, but I can't seem to pass a certificate file that the application accepts. I have tried both passing a OpenSSH certificate or passing a key file to sign the certificate.

    I'm also a little curious how this new feature will integrate with existing certificate signing servers like Smallstep's and HashiCorp's Vault SSH security engine. I would assume if the OpenSSH-formatted certificate cannot be used, the certificate
    signing servers would require changes to support the PuTTY certificate workflow.

    Any help detailing the workflow to use the new feature would be greatly appreciated!

    Thanks,
    Colin

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Colin McAllister@21:1/5 to Colin McAllister on Wed Nov 2 07:56:00 2022
    On Wednesday, November 2, 2022 at 9:25:40 AM UTC-5, Colin McAllister wrote:
    Hello,

    I've been trying to understand how to use the new certificate-based authentication mechanism released in PuTTY 0.78. I'm familiar with the traditional workflow for OpenSSH certificate-based authentication, but following that procedure does not appear
    to work with PuTTY.

    To follow up, this does work. I figured out what the issue is.

    Also, I found good documentation here if anyone else finds this and also needs help.

    https://the.earth.li/~sgtatham/putty/0.78/htmldoc/Chapter4.html#config-ssh-cert

    In PuTTY, I have tried using a PPK file and an OpenSSH signed certificate associated with the private key (I originally generated a OpenSSH private key and imported it with PuTTYgen and created a PPK private key as well), but that does not appear to
    work. I get an error that PuTTY is 'Unable to use certificate file "..." (not a public key or a PuTTY SSH-2 private key)'.

    The certificate is not valid because there are custom fields in the critical options of the certificate.

    I read the release docs and it seems like I need a PuTTY PPK key with a certificate attached, do I use PuTTYgen to create that?

    I have tried using the "Add certificate to key" option in PuTTYgen, but I can't seem to pass a certificate file that the application accepts. I have tried both passing a OpenSSH certificate or passing a key file to sign the certificate.

    Yes, this works if I use a certificate without the custom fields in the critical options.

    I'm also a little curious how this new feature will integrate with existing certificate signing servers like Smallstep's and HashiCorp's Vault SSH security engine. I would assume if the OpenSSH-formatted certificate cannot be used, the certificate
    signing servers would require changes to support the PuTTY certificate workflow.

    This should work fine with the current authentication flow, however I know HashiCorp Vault works with custom

    Any help detailing the workflow to use the new feature would be greatly appreciated!

    I think I have my original questions answered, however, I'm curious about if and when custom fields in the certificate's critical options will be supported. This will be a breaking issue for anyone that chooses to do such.

    I can create a separate thread to detail this issue if desired, or this thread can be also be used.

    I appreciate any help in advance

    Colin


    Thanks,
    Colin

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Simon Tatham@21:1/5 to [email protected] on Wed Nov 2 18:59:54 2022
    Colin McAllister <[email protected]> wrote:
    I have tried using the "Add certificate to key" option in PuTTYgen,
    but I can't seem to pass a certificate file that the application
    accepts. I have tried both passing a OpenSSH certificate or passing a
    key file to sign the certificate.

    Yes, this works if I use a certificate without the custom fields in the critical options.

    Hmmm. That _shouldn't_ happen. As far as I can see, PuTTY's
    certificate code only examines the critical options if it's about to
    validate the certificate during host key checking. And that's as it
    should be, of course, because a critical option understood by both
    your CA and your SSH server should be passed through unmodified by
    PuTTY whether it understands the option or not.

    And in my test just now, this worked as I expect. If I use ssh-keygen
    to sign a public key with a custom critical option:

    ssh-keygen -I foo -s test-ca-key -O critical:stoat=weasel -U test-user-key.pub

    and then use PuTTYgen to try to incorporate the resulting certificate
    file into the PPK private key, everything works as I expect, and I get
    a combined PPK file saved out.

    Can you share an example of a key and certificate that you're having
    trouble combining? (If you can do that without the combination
    actually being a security risk to expose, of course!)

    --
    import hashlib; print((lambda p,q,g,y,r,s,m: (lambda w:(pow(g,int(hashlib.sha1( m.encode('ascii')).hexdigest(),16)*w%q,p)*pow(y,r*w%q,p)%p)%q)(pow(s,q-2,q))==r and s%q!=0 and m)(12342649995480866419, 2278082317364501, 1670428356600652640, 5398151833726432125, 645223105888478, 1916678356240619, "<[email protected]>"))

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)