SSH X.509 Certificate Authentication
PrivX supports the following standards for SSH X.509 certificate user authentication:
- RFC 6187 X.509v3 Certificates for Secure Shell Authentication
- Tectia Server X.509v3 Certificate Authentication
RFC 6187 X.509v3 Certificates for Secure Shell Authentication
RFC 6187 specifies that X.509v3 certificates are sent in the public key blob of the SSH userauth request as:
- a chain of certificates in DER format
- an array of OCSP responses
PrivX sends the user certificate and the PrivX CA certificate in the certificate chain, and an OCSP response for the user certificate.
The user certificate has the following values:
- Issuer: PrivX CA
- Subject: Common Name is set to the PrivX user's username
- Validity period: Configurable, default 5 min
- Subject Alternative Name: Target username in User Principal Name (UPN) format
- Extended Key Usage: id-kp-secureShellClient (OID 1.3.6.1.5.5.7.3.21)
- CRL Distribution Points: List of URLs to the PrivX server's CRL endpoints
- AIA Issuing Certificate URL: List of URLs to the PrivX server's CA endpoints
PrivX supports the following RFC 6187 public key and signature types:
X.509v3 certificate with RSA private key:
- x509v3-ssh-rsa, signature type: ssh-rsa
- x509v3-rsa2048-sha256, signature type: rsa2048-sha256
X.509v3 certificate with ECDSA private key:
- x509v3-ecdsa-sha2-nistp256, signature type: ecdsa-sha2-nistp256
- x509v3-ecdsa-sha2-nistp384, signature type: ecdsa-sha2-nistp384
- x509v3-ecdsa-sha2-nistp521, signature type: ecdsa-sha2-nistp521
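As an added illustration (not code from PrivX or from RFC 6187 itself), the following Python builds and strictly parses the RFC 6187 public key blob described above, using the PrivX key type names from the list. The DER and OCSP bytes used with it are constructed placeholders, not real certificates or responses.

```python
import struct
from typing import List, Tuple

# RFC 6187 key types PrivX supports (from the list above).
RFC6187_KEY_TYPES = {
    "x509v3-ssh-rsa", "x509v3-rsa2048-sha256",
    "x509v3-ecdsa-sha2-nistp256", "x509v3-ecdsa-sha2-nistp384",
    "x509v3-ecdsa-sha2-nistp521",
}

def _ssh_string(data: bytes) -> bytes:
    """SSH 'string' wire type: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def encode_rfc6187_blob(key_type: str, cert_chain: List[bytes],
                        ocsp_responses: List[bytes]) -> bytes:
    """Blob layout: key type, certificate chain (user cert first, then the PrivX CA), OCSP responses."""
    if key_type not in RFC6187_KEY_TYPES:
        raise ValueError(f"not an RFC 6187 key type: {key_type!r}")
    blob = _ssh_string(key_type.encode("ascii"))
    blob += struct.pack(">I", len(cert_chain))
    blob += b"".join(_ssh_string(der) for der in cert_chain)
    blob += struct.pack(">I", len(ocsp_responses))
    blob += b"".join(_ssh_string(r) for r in ocsp_responses)
    return blob

def decode_rfc6187_blob(blob: bytes) -> Tuple[str, List[bytes], List[bytes]]:
    """Strict parser: every length is bounds-checked and trailing bytes are
    rejected, so a truncated or padded blob raises ValueError."""
    pos = 0
    def take(n: int) -> bytes:
        nonlocal pos
        if n > len(blob) - pos:
            raise ValueError("truncated blob")
        chunk = blob[pos:pos + n]
        pos += n
        return chunk
    def read_uint32() -> int:
        return struct.unpack(">I", take(4))[0]
    key_type = take(read_uint32()).decode("ascii")
    if key_type not in RFC6187_KEY_TYPES:
        raise ValueError(f"not an RFC 6187 key type: {key_type!r}")
    # Outer iterable (the count) is read before the per-item strings.
    certs = [take(read_uint32()) for _ in range(read_uint32())]
    if not certs:
        raise ValueError("certificate chain is empty")
    ocsp = [take(read_uint32()) for _ in range(read_uint32())]
    if pos != len(blob):
        raise ValueError("trailing bytes after OCSP responses")
    return key_type, certs, ocsp
```

A Tectia target receives the bare DER certificate instead of this framing, so a Tectia key type such as x509v3-sign-rsa is rejected by the encoder here.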
Tectia Server X.509v3 Certificate Authentication
With a Tectia SSH server, the user certificate is sent in DER format in the public key blob.
The user certificate has the same content as the RFC 6187 user certificate, with one exception:
- Extended Key Usage: id-kp-ssh-client (OID 1.3.6.1.4.1.2213.15.1.2)
PrivX supports the following Tectia Server SSH public key types:
X.509v3 certificate with RSA private key:
- x509v3-sign-rsa-sha512@ssh.com
- x509v3-sign-rsa-sha256@ssh.com
- x509v3-sign-rsa
X.509v3 certificate with ECDSA private key:
- x509v3-ecdsa-sha2-nistp256
- x509v3-ecdsa-sha2-nistp384
- x509v3-ecdsa-sha2-nistp521
Configuring Target SSH Servers
Follow these steps to configure your SSH target server to support X.509 certificate user authentication:
- Download the PrivX access group's CA certificate in DER format, and copy it to the target host.
- Configure the SSH server on the target host to verify that:
  - the certificate is issued by the PrivX CA
  - the certificate's validity period has started and has not yet ended
  - the certificate contains the SSH username in the Subject Alternative Name extension (PrivX encodes the target username in User Principal Name (UPN) format)
  - the certificate contains the Extended Key Usage id-kp-secureShellClient, or id-kp-ssh-client if the target is a Tectia Server
- Configure the SSH server not to perform certificate revocation checks. If this is not possible, the target SSH server must be able to fetch the Certificate Revocation List (CRL) from one of the PrivX server's HTTP endpoints.
- Configure the target host to synchronize its system time, for example with the Network Time Protocol (NTP).
- In PrivX, configure the SSH target host with an SSH service and select the "x509v3 RFC6187" certificate template under additional settings. If the target is a Tectia SSH server, select the "x509v3 Tectia Server" certificate template instead. Configure the accounts and corresponding roles that are allowed to access the host.
Tectia Server Sample Configuration
Certificate validation configuration:
<cert-validation max-path-length="2">
  <ca-certificate name="privx-ca"
                  file="/etc/ssh2/privx-ca.crt"
                  disable-crls="yes" />
</cert-validation>
Authentication method configuration:
...
    <auth-gssapi allow-missing="yes" />
    <auth-publickey />
    <auth-password />
    <auth-keyboard-interactive />
    <authentication action="allow">
      <selector>
        <certificate field="ca-list" pattern="privx-ca" />
        <certificate field="altname-upn"
                     pattern="%username-without-domain%" />
        <certificate field="extended-key-usage"
                     pattern="ssh-client" explicit="yes" />
      </selector>
    </authentication>
    <authentication action="deny" />
  </authentication>
</authentication-methods>
<services>
...
"Extended Key Usage" (EKU) is not supported in the Tectia Server Configuration GUI on Windows; configure this option as follows:
- Open ssh-server-config.xml. By default it is located at <INSTALLDIR>\SSH Tectia Server\ssh-server-config.xml
- Locate the selector block where the certificate authentication is specified (see the example XML above).
- Insert the line <certificate field="extended-key-usage" pattern="ssh-client" explicit="yes" />
- Save the file.
- Open a command prompt window with administrator rights.
- Run ssh-server-ctl reload
Read "User Authentication with Certificates" in the [Tectia SSH Server Administrator Manual](https://www.ssh.com/manuals/) for more details.
PrivX also supports OpenSSH certificate authentication.