SSH Certificate Authentication

PrivX supports the following standards for SSH certificate-based authentication to target hosts:

  • OpenSSH certificate authentication
  • RFC 6187 X.509 certificate user authentication
  • Tectia Server X.509 certificate user authentication

OpenSSH Certificate Authentication

You can enable OpenSSH certificate-based authentication on a target host with one of the following methods:

To use OpenSSH certificate-based authentication for SSH connections, hosts serving as connection endpoints (target hosts) must run an SSH server that supports OpenSSH certificates. The exact required version depends on the chosen authentication method. For additional information about the supported authentication methods, see Supported Authentication Methods.

Authentication Method                                                   Required SSH version
Certificate authentication with shared accounts                         OpenSSH 5.6 or later
Certificate authentication with login-as-self (Directory account type)  OpenSSH 6.9 or later

Determine which PrivX roles may access the host, and which target users those roles are allowed to log in as.

X.509 Certificate Authentication

You can enable X.509 certificate-based authentication against compatible target hosts by configuring the target server to accept certificates issued by the PrivX CA, and by configuring the host in PrivX with a suitable x509v3 certificate template.

For additional information about the target server certificate validation requirements, see SSH X.509 Certificate Authentication.

SSH Certificate Templates

When adding an SSH service to a host, under Additional settings, you can select a certificate template to be used with the connection.

The certificate templates themselves can be configured under Administration / Settings / Authorizer / Certificate templates.

The certificate template is a JSON document with the following properties:

  • name: Unique name displayed in the UI (required)
  • description: Human readable description (optional)
  • service: The service this certificate template applies to; currently only "SSH" is supported (required)
  • type: type of certificate, "openssh", "default-openssh-sha2", "default-openssh-sha1", "ssh-x509v3-rfc6187" or "ssh-x509v3-tectia" (optional, default "openssh")
  • rsa_signature_types: Array of SSH signature types used with RSA keys (optional)
  • key_id: OpenSSH certificate KeyID field content (optional, specific to type "openssh")
  • principals: Array of OpenSSH certificate principals (optional, specific to type "openssh")
  • extensions: Array of OpenSSH certificate extensions (optional, specific to type "openssh")

The certificate templates support the following replacement attributes:

Attribute   Description
%H          Target hostname
%R          Request client address
%S          Serial Number

Mappable attribute   Description
%P                   PrivX username
%I                   principal
%W                   windows_account
%U                   unix_account
%F                   full_name
%E                   email
%T                   telephone
%C                   company
%D                   department
%J                   job_title
%O                   comment

The following RSA signature types are supported:

Certificate Template Type   Supported Signature Types         Default Signature Types
openssh                     rsa-sha2-512                      rsa-sha2-512
                            rsa-sha2-256                      ssh-rsa
                            ssh-rsa
ssh-x509v3-rfc6187          rsa2048-sha256                    rsa2048-sha256
                            ssh-rsa                           ssh-rsa
ssh-x509v3-tectia           x509v3-sign-rsa-sha512@ssh.com    x509v3-sign-rsa-sha512@ssh.com
                            x509v3-sign-rsa-sha256@ssh.com    x509v3-sign-rsa
                            x509v3-sign-rsa

The default certificate template configuration delivered with PrivX:

[
  {
    "name": "default",
    "description": "Default Template",
    "key_id": "%P@%R serial %S",
    "extensions": []
  },
  {
    "name": "default-openssh-sha2",
    "description": "OpenSSH SHA-2",
    "type": "openssh",
    "key_id": "%P@%R serial %S",
    "service": "SSH",
    "extensions": [],
    "rsa_signature_types": [ "rsa-sha2-512" ]
  },
  {
    "name": "default-openssh-sha1",
    "description": "OpenSSH SHA-1",
    "type": "openssh",
    "key_id": "%P@%R serial %S",
    "service": "SSH",
    "extensions": [],
    "rsa_signature_types": [ "ssh-rsa" ]
  },
  {
    "name": "default-x509v3-rfc6187",
    "description": "x509v3 RFC6187",
    "type": "ssh-x509v3-rfc6187"
  },
  {
    "name": "default-x509v3-tectia",
    "description": "x509v3 Tectia Server",
    "type": "ssh-x509v3-tectia"
  },
  {
    "name": "GitHub Enterprise",
    "description": "GitHub Enterprise",
    "key_id": "%W@%H",
    "principals": [],
    "extensions": [
      "login@%H=%W"
    ]
  },
  {
    "name": "GitLab",
    "description": "GitLab",
    "key_id": "%W",
    "principals": [
      "PrivXUsers"
    ],
    "extensions": []
  }
]
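As an added illustration (not PrivX code), the following Python applies the replacement-attribute table and the signature-type table above to a template such as the "GitHub Enterprise" entry: it checks the template type and its rsa_signature_types against what the page lists as supported, fills in the defaults when none are given, and expands the %X attributes in the OpenSSH-specific fields. The context key names (hostname, windows_account, ...) and the handling of unknown %X sequences are this example's own assumptions.

```python
# Supported and default RSA signature types per template type, as listed on this page.
SIGNATURE_TYPES = {
    "openssh": (["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"], ["rsa-sha2-512", "ssh-rsa"]),
    "ssh-x509v3-rfc6187": (["rsa2048-sha256", "ssh-rsa"], ["rsa2048-sha256", "ssh-rsa"]),
    "ssh-x509v3-tectia": (
        ["x509v3-sign-rsa-sha512@ssh.com", "x509v3-sign-rsa-sha256@ssh.com", "x509v3-sign-rsa"],
        ["x509v3-sign-rsa-sha512@ssh.com", "x509v3-sign-rsa"]),
}

# Replacement attributes from the page: %H/%R/%S come from the connection, the rest
# from the mapped user attributes. The context key names are this example's assumption.
ATTRIBUTES = {
    "H": "hostname", "R": "client_address", "S": "serial", "P": "privx_username",
    "I": "principal", "W": "windows_account", "U": "unix_account", "F": "full_name",
    "E": "email", "T": "telephone", "C": "company", "D": "department",
    "J": "job_title", "O": "comment",
}


def expand(text, ctx):
    """Replace %X attributes in one template string. A missing value is an error
    rather than an empty string, so a KeyID or extension is never silently truncated."""
    out, i = [], 0
    while i < len(text):
        key = text[i + 1] if text[i] == "%" and i + 1 < len(text) else None
        if key in ATTRIBUTES:
            if ctx.get(ATTRIBUTES[key]) is None:
                raise ValueError(f"no value for %{key} in {text!r}")
            out.append(ctx[ATTRIBUTES[key]])
            i += 2
        else:
            out.append(text[i])  # assumption: unknown %X sequences are kept literally
            i += 1
    return "".join(out)


def render(template, ctx):
    """Validate the template type and RSA signature types against the page's table,
    then expand the OpenSSH-specific fields. Returns the values to place in the cert."""
    ttype = template.get("type", "openssh")
    if ttype not in SIGNATURE_TYPES:
        raise ValueError(f"unsupported certificate template type {ttype!r}")
    supported, default = SIGNATURE_TYPES[ttype]
    sig_types = template.get("rsa_signature_types", default)
    bad = [s for s in sig_types if s not in supported]
    if bad:
        raise ValueError(f"signature types {bad} are not supported for {ttype}")
    result = {"type": ttype, "rsa_signature_types": list(sig_types)}
    if ttype == "openssh":  # key_id/principals/extensions apply only to OpenSSH certs
        result["key_id"] = expand(template.get("key_id", ""), ctx)
        result["principals"] = [expand(p, ctx) for p in template.get("principals", [])]
        result["extensions"] = [expand(e, ctx) for e in template.get("extensions", [])]
    return result
```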
