ssh auth using signed certificate

Question

ssh auth using signed certificate

Closed this issue a year ago · 3 comments

I've been trying to use signed certificates to do ssh auth via PublicKeyCallback & CreatePrivateKeyAuth. So far I've been unable to convert the signed cert into the byte slice param provided to CreatePrivateKeyAuth. Maybe this is not the correct auth provider for certificates. I also see CreateRemoteSignerAuth, but I can't envision what input would be in the meta string param. Which SshPiperPluginConfig callback & auth provider should be used with signed certificates? I haven't been able to find an example using certs for auth.

Answer 1 · 2023-08-23T20:52:51.000Z

check out
https://github.com/tg123/sshpiper/blob/3d46ae3ee154732fcd0ca01f7f0a963c2052a8a8/e2e/main_test.go#L23C1-L23C1
you can pass []byte of an ssh private key

the remote signer code is still in v0 branch
https://github.com/tg123/sshpiper/blob/v0/sshpiperd/upstream/grpcupstream/simpleserver/main.go

Answer 2 · 2023-08-23T21:45:19.000Z

Thank you for your response. I don't think it is quite what I'm looking for. I don't see an ssh.Certificate being used in the provided links. I want the benefit of being able to use a signed certificate so that access expires.

I have working code using sshpiper with an RSA public & private keypair. I also have working code using crypto/ssh package to make the connection using a signed certificate without sshpiper.

This question from stackoverflow shows how to use a signed certificate for auth. I'd like to do this in combination with sshpiper.

The relevant code from stackoverflow answer follows. The ssh.PublicKeys(certSigner), part shows using the certificate for auth, but I can't plug that directly into sshpiper because it's not using the same interfaces.

package main

import (
    "bytes"
    "io/ioutil"
    "log"

    "golang.org/x/crypto/ssh"
)

func main() {
    key, err := ioutil.ReadFile("/tmp/mycert")
    if err != nil {
        log.Fatalf("unable to read private key: %v", err)
    }

    // Create the Signer for this private key.
    signer, err := ssh.ParsePrivateKey(key)
    if err != nil {
        log.Fatalf("unable to parse private key: %v", err)
    }

    // Load the certificate
    cert, err := ioutil.ReadFile("/tmp/mycert-cert.pub")
    if err != nil {
        log.Fatalf("unable to read certificate file: %v", err)
    }

    pk, _, _, _, err := ssh.ParseAuthorizedKey(cert)
    if err != nil {
        log.Fatalf("unable to parse public key: %v", err)
    }

    certSigner, err := ssh.NewCertSigner(pk.(*ssh.Certificate), signer)
    if err != nil {
        log.Fatalf("failed to create cert signer: %v", err)
    }

    config := &ssh.ClientConfig{
        User: "user",
        Auth: []ssh.AuthMethod{
            // Use the PublicKeys method for remote authentication.
            ssh.PublicKeys(certSigner),
        },
        HostKeyCallback: ssh.InsecureIgnoreHostKey(),
    }

    // Connect to the remote server and perform the SSH handshake.
    client, err := ssh.Dial("tcp", "host.com:22", config)
    if err != nil {
        log.Fatalf("unable to connect: %v", err)
    }
    defer client.Close()
}

Answer 3 · 2023-08-23T23:11:38.000Z

seems you are talking about dropin replacement for ssh https://github.com/tg123/sshpiper.crypto/tree/v1

if you want to build your own sshpiperd like server, you can check code here
https://github.com/tg123/sshpiper/blob/d031771950072a8d79f4719d781ee7f489501326/cmd/sshpiperd/daemon.go#L164C7-L164C7

here is also a live example for how to use sshpiper.crypto
https://github.com/tg123/azbastion/blob/0f7797f99e744d369d4949d84ab5b0e6508c41a6/cmd/bastion-tunnel/ssh.go#L105C18-L105C18