Mailing List Archive

ssh-agent holds many certs. best way to ensure sshd sees them all besides increasing MaxAuthTries?
Wondering how I might be able to configure my ssh client or server so
that any one of my ssh certificates may be used for authentication? Are
there better ways to check for more than a couple certificates than by
increasing sshd_config MaxAuthTries? I was thinking ssh -oCertificateFile
could be used but I'm struggling to figure out how
since my ssh-agent is the only place where the certs and private keys
are located.

Each certificate may have a different principal, policy or validity,
hence the multiple certificates.

The contents of my ssh-agent:
256 SHA256:Ft0/6CxRrwaPM/3bB0AQd/Vgw5mhT6ptq7Plj/cOYXI user@host (ED25519)
256 SHA256:Ft0/6CxRrwaPM/3bB0AQd/Vgw5mhT6ptq7Plj/cOYXI user@host (ED25519-CERT)
256 SHA256:Fn/259tp65oYC7LFz0RIpvl23S0GGqJbLvOYlj0Z26U user@host (ED25519)
256 SHA256:Fn/259tp65oYC7LFz0RIpvl23S0GGqJbLvOYlj0Z26U user@host (ED25519-CERT)
256 SHA256:thXXEAOnp8Xj+qtl+gDveYXjvy5MEkE9Vm5jos3qusM user@host (ED25519)
256 SHA256:thXXEAOnp8Xj+qtl+gDveYXjvy5MEkE9Vm5jos3qusM user@host (ED25519-CERT)
256 SHA256:e8Fag5D2xPFzYbqVBuctLxJ9mB2IkYO137kNo42WAs8 user@host (ED25519)
256 SHA256:e8Fag5D2xPFzYbqVBuctLxJ9mB2IkYO137kNo42WAs8 user@host (ED25519-CERT)
256 SHA256:uQQXF0hk67bGu3FVhnhxTxE+A1fGogiVt9rawTfQ+G4 user@host (ED25519)
256 SHA256:uQQXF0hk67bGu3FVhnhxTxE+A1fGogiVt9rawTfQ+G4 user@host (ED25519-CERT)

Any ideas?

Thank you, and thank you for your valuable work.
Mark Christian
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: ssh-agent holds many certs. best way to ensure sshd sees them all besides increasing MaxAuthTries?
On 6/22/21 9:03 PM, Christian, Mark wrote:
> Wondering how I might be able to configure my ssh client or server so
> that any one of my ssh certificates may be used for authentication? Are
> there better ways to check for more than a couple certificates than by
> increasing sshd_config MaxAuthTries?

Maybe others will correct me.

But this problem is exactly the reason why my SSH-CA client uses ssh-add -D
before loading a new cert into the key agent.

If those are really different certs issued for different principal names
you might want to work with multiple ssh-agent processes.

Ciao, Michael.
Re: ssh-agent holds many certs. best way to ensure sshd sees them all besides increasing MaxAuthTries?
On Tue, 22 Jun 2021, Christian, Mark wrote:

> Wondering how I might be able to configure my ssh client or server so
> that any one of my ssh certificates may be used for authentication? Are
> there better ways to check for more than a couple certificates than by
> increasing sshd_config MaxAuthTries? I was thinking ssh -oCertificateFile
> could be used but I'm struggling to figure out how
> since my ssh-agent is the only place where the certs and private keys
> are located.
>
> Each certificate may have a different principal, policy or validity,
> hence the multiple certificates.

You should be able to use CertificateFile+IdentitiesOnly to control
which agent-hosted certificates are offered. See
sshconnect2.c:pubkey_prepare() for the gory details.

-d
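An added example, not part of the thread and not OpenSSH project code, showing both suggestions above as ssh_config fragments: Damien's CertificateFile plus IdentitiesOnly, and Michael's separate agent per role (selected here with IdentityAgent). The Host patterns, file paths and socket names are assumptions. CertificateFile needs the certificate as a file; when it exists only in the agent, ssh-add -L prints each loaded public key and certificate as one line, so the wanted ...-cert-v01@openssh.com line can be saved to the file named here, and the private key can stay in the agent, since ssh matches the certificate's key against the agent's keys. The reason this matters: without IdentitiesOnly, ssh offers every agent identity in turn and sshd counts each offer against MaxAuthTries (default 6), so ten agent entries can exhaust the limit before the right certificate is tried.

```sshconfig
# Added example; Host patterns, paths and socket names are assumptions.

# Approach 1 (CertificateFile + IdentitiesOnly): pin one certificate per
# host class. IdentitiesOnly stops ssh from offering the other agent
# identities, so only this cert (and its agent-held key) is tried.
#
# Export the agent's copy of the cert once, e.g.:
#   ssh-add -L | grep 'ssh-ed25519-cert-v01@openssh.com' > ~/.ssh/certs/prod-cert.pub
# With several certs loaded that grep returns several lines; keep only the
# one whose principals/validity fit, checked with:
#   ssh-keygen -L -f ~/.ssh/certs/prod-cert.pub
Host prod-*
    IdentitiesOnly yes
    CertificateFile ~/.ssh/certs/prod-cert.pub

Host staging-*
    IdentitiesOnly yes
    CertificateFile ~/.ssh/certs/staging-cert.pub

# Approach 2 (one agent per role): start a dedicated agent per role and
# load only that role's key and cert into it, e.g.:
#   ssh-agent -a ~/.ssh/agent-admin.sock
#   SSH_AUTH_SOCK=~/.ssh/agent-admin.sock ssh-add ~/.ssh/admin_ed25519
# IdentityAgent then points each host class at its own small agent, which
# holds few enough identities to stay under sshd's MaxAuthTries.
Host admin-*
    IdentityAgent ~/.ssh/agent-admin.sock
```

To confirm what will be offered, `ssh -G prod-db` prints the effective options for that host, and `ssh -v prod-db` shows "Offering public key" lines for each identity actually tried. The same pinning works once on the command line with `ssh -o IdentitiesOnly=yes -o CertificateFile=~/.ssh/certs/prod-cert.pub prod-db`.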