SSH Certificate Authentication

PrivX supports the following standards for SSH certificate-based authentication to target hosts:

  • OpenSSH certificate authentication
  • RFC 6187 X.509 certificate user authentication
  • Tectia Server X.509 certificate user authentication

OpenSSH Certificate Authentication

You can enable OpenSSH certificate-based authentication on a target host with one of the following methods:

To use OpenSSH certificate-based authentication for SSH connections, hosts serving as connection endpoints (target hosts) must run an SSH server that supports OpenSSH certificates. The exact required version depends on the chosen authentication method. For additional information about the supported authentication methods, see Supported Authentication Methods.

Authentication Method                                                    Required SSH version
Certificate authentication with shared accounts                         OpenSSH 5.6 or later
Certificate authentication with login-as-self (Directory account type)  OpenSSH 6.9 or later

Determine the PrivX roles that can access the host, and the target users as whom they are granted login.

X.509 Certificate Authentication

You can enable X.509 certificate-based authentication against compatible target hosts by configuring the target server to accept certificates issued by PrivX CA and configuring the host on PrivX with a suitable x509v3 certificate template.

For additional information about the target server certificate validation requirements, see SSH X.509 Certificate Authentication.

SSH Certificate Templates

When adding an SSH service to a host, under Additional settings, you can select a certificate template to be used with the connection.

The certificate templates themselves can be configured under Administration / Settings / Authorizer / Certificate templates.

The certificate template is a JSON document with the following properties:

  • name: Unique name displayed in the UI (required)
  • description: Human-readable description (optional)
  • service: Service this certificate template applies to; currently only "SSH" is supported (required)
  • type: Type of certificate: "openssh", "ssh-x509v3-rfc6187" or "ssh-x509v3-tectia" (optional, default "openssh")
  • rsa_signature_types: Array of SSH signature types used with RSA keys (optional)
  • key_id: OpenSSH certificate KeyID field content (optional, specific to type "openssh")
  • principals: Array of OpenSSH certificate principals (optional, specific to type "openssh")
  • extensions: Array of OpenSSH certificate extensions (optional, specific to type "openssh")

The certificate templates support the following replacement attributes:

Attribute   Description
%H          Target hostname
%R          Request client address
%S          Serial Number

Mappable attribute   Description
%P                   PrivX username
%I                   principal
%W                   windows_account
%U                   unix_account
%F                   full_name
%E                   email
%T                   telephone
%C                   company
%D                   department
%J                   job_title
%O                   comment

The following RSA signature types are supported:

Certificate Template Type   Supported Signature Types                                          Default Signature Types
openssh                     rsa-sha2-512, rsa-sha2-256, ssh-rsa                                rsa-sha2-512, ssh-rsa
ssh-x509v3-rfc6187          rsa2048-sha256, ssh-rsa                                            rsa2048-sha256, ssh-rsa
ssh-x509v3-tectia           [email protected], [email protected], x509v3-sign-rsa     [email protected], x509v3-sign-rsa

The default certificate template configuration delivered with PrivX (note that each template is a complete JSON object; a trailing comma after the last property is not valid JSON):

[
  {
    "name": "default",
    "description": "Default Template",
    "key_id": "%[email protected]%R serial %S",
    "extensions": []
  },
  {
    "name": "default-x509v3-rfc6187",
    "description": "x509v3 RFC6187",
    "type": "ssh-x509v3-rfc6187"
  },
  {
    "name": "default-x509v3-tectia",
    "description": "x509v3 Tectia Server",
    "type": "ssh-x509v3-tectia"
  },
  {
    "name": "GitHub Enterprise",
    "description": "GitHub Enterprise",
    "key_id": "%[email protected]%H",
    "principals": [],
    "extensions": [
      "[email protected]%H=%W"
    ]
  },
  {
    "name": "GitLab",
    "description": "GitLab",
    "key_id": "%W",
    "principals": [
      "PrivXUsers"
    ],
    "extensions": []
  }
]
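The following is an added illustration, not PrivX's own code, of how a template like the ones above is checked against the property rules and how its %X replacement attributes are expanded. The attribute-to-field mapping (e.g. %W to a "windows_account" value) and the rule that an unmapped attribute is rejected rather than left in the certificate are assumptions made for the example.

```python
import re

# Replacement attributes listed on the page: the fixed ones (%H, %R, %S)
# and the user-mappable ones (%P ... %O). The context field names are assumed.
ATTRIBUTES = {
    "H": "target_hostname", "R": "client_address", "S": "serial",
    "P": "privx_username", "I": "principal", "W": "windows_account",
    "U": "unix_account", "F": "full_name", "E": "email", "T": "telephone",
    "C": "company", "D": "department", "J": "job_title", "O": "comment",
}
VALID_TYPES = {"openssh", "ssh-x509v3-rfc6187", "ssh-x509v3-tectia"}
OPENSSH_ONLY = {"key_id", "principals", "extensions"}


def validate_template(tpl):
    """Return a list of problems; an empty list means the template is acceptable."""
    problems = []
    for key in ("name", "service"):
        if not tpl.get(key):
            problems.append(f"missing required property '{key}'")
    if tpl.get("service", "SSH") != "SSH":
        problems.append("service must be 'SSH'")
    ctype = tpl.get("type", "openssh")
    if ctype not in VALID_TYPES:
        problems.append(f"unknown type '{ctype}'")
    if ctype != "openssh":
        for key in sorted(OPENSSH_ONLY & tpl.keys()):
            problems.append(f"'{key}' only applies to type openssh")
    return problems


def expand(text, ctx):
    """Substitute %X placeholders from ctx; an unknown or unmapped attribute
    raises KeyError so a half-expanded value never ends up in a certificate."""
    def sub(m):
        field = ATTRIBUTES.get(m.group(1))
        if field is None or field not in ctx:
            raise KeyError(f"no value for %{m.group(1)}")
        return str(ctx[field])
    return re.sub(r"%([A-Z])", sub, text)


def render(tpl, ctx):
    """Expand the openssh-specific fields (key_id, principals, extensions)."""
    return {
        "key_id": expand(tpl.get("key_id", ""), ctx),
        "principals": [expand(p, ctx) for p in tpl.get("principals", [])],
        "extensions": [expand(e, ctx) for e in tpl.get("extensions", [])],
    }
```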
