SSH X.509 Certificate Authentication

PrivX supports the following standards for SSH X.509 certificate user authentication:

  • RFC 6187 X.509v3 Certificates for Secure Shell Authentication
  • Tectia Server X.509v3 Certificate Authentication

RFC 6187 X.509v3 Certificates for Secure Shell Authentication

RFC 6187 specifies that X.509v3 certificates are sent in the public key blob in SSH userauth as:

  • chain of certificates in DER format
  • array of OCSP responses

PrivX sends the user certificate and PrivX CA certificate in the certificate chain, and an OCSP response for the user cert.

The user certificate has the following values:

  • Issuer: PrivX CA
  • Subject: Common name is set to the PrivX user's username
  • Validity period: Configurable, default 5 min
  • Subject Alternative Name: Target username in User Principal Name (UPN) format
  • Extended Key Usage: id-kp-secureShellClient (oid 1.3.6.1.5.5.7.3.21)
  • CRL Distribution Points: List of URLs to the PrivX server's CRL endpoints
  • AIA Issuing Certificate URL: List of URLs to the PrivX server's CA endpoints

PrivX supports the following RFC 6187 public key and signature types:

X.509v3 certificate with RSA private key:

  • x509v3-ssh-rsa, signature type: ssh-rsa
  • x509v3-rsa2048-sha256, signature type: rsa2048-sha256

X.509v3 certificate with ECDSA private key:

  • x509v3-ecdsa-sha2-nistp256, signature type: ecdsa-sha2-nistp256
  • x509v3-ecdsa-sha2-nistp384, signature type: ecdsa-sha2-nistp384
  • x509v3-ecdsa-sha2-nistp521, signature type: ecdsa-sha2-nistp521

Tectia Server X.509v3 Certificate Authentication

With a Tectia SSH server, the user certificate is sent in DER format in the public key blob.

The user certificate has the same content as the RFC 6187 user certificate, with one exception:

  • Extended Key Usage: id-kp-ssh-client (oid 1.3.6.1.4.1.2213.15.1.2)

PrivX supports the following Tectia Server SSH public key types:

X.509v3 certificate with RSA private key:

  • x509v3-sign-rsa-sha512@ssh.com
  • x509v3-sign-rsa-sha256@ssh.com
  • x509v3-sign-rsa

X.509v3 certificate with ECDSA private key:

  • x509v3-ecdsa-sha2-nistp256
  • x509v3-ecdsa-sha2-nistp384
  • x509v3-ecdsa-sha2-nistp521

Configuring Target SSH Servers

Follow these steps to configure your SSH target server to support X.509 certificate user authentication:

  1. Download the PrivX access group's CA certificate in DER format, and copy it to the target host.

  2. Configure the SSH server on the target host to verify:

    • Certificate is issued by the PrivX CA

    • Certificate's validity period has started and has not yet ended

    • Certificate contains the SSH username in the subject alternative name extension. PrivX encodes the target username in User Principal Name (UPN) format.

    • Certificate contains the Extended Key Usage id-kp-secureShellClient, or id-kp-ssh-client if the target is a Tectia Server.

      The SSH server should be configured not to perform certificate revocation checks. If this is not possible, the target SSH server must be able to fetch the Certificate Revocation List (CRL) from one of the PrivX server's HTTP endpoints.

  3. Configure the target host to synchronize its system time, for example with the Network Time Protocol (NTP).

  4. In PrivX, configure the SSH target host with an SSH service and select the "x509v3 RFC6187" certificate template under additional settings. If the target is a Tectia SSH server, select the "x509v3 Tectia Server" certificate template instead. Configure the accounts and corresponding roles that are allowed to access the host.

Tectia Server Sample Configuration

Certificate validation configuration:

    <cert-validation max-path-length="2">
      <ca-certificate name="privx-ca"
        file="/etc/ssh2/privx-ca.crt"
        disable-crls="yes" />
    </cert-validation>

Authentication method configuration:

...
    <auth-gssapi allow-missing="yes" />
    <auth-publickey />
    <auth-password />
    <auth-keyboard-interactive />

    <authentication action="allow">
        <selector>
            <certificate field="ca-list" pattern="privx-ca" />
            <certificate field="altname-upn"
                pattern="%username-without-domain%" />
            <certificate field="extended-key-usage"
                pattern="ssh-client" explicit="yes" />
        </selector>
    </authentication>
    <authentication action="deny" />

    </authentication>
</authentication-methods>

<services>
...

"Extended Key Usage" (EKU) is not supported in the Tectia Server Configuration GUI on Windows; configure this option as follows.

  1. Open ssh-server-config.xml. The location is by default <INSTALLDIR>\SSH Tectia Server\ssh-server-config.xml
  2. Locate the selector block where the certificate authentication is specified (see the example XML above).
  3. Insert the line
    <certificate field="extended-key-usage" pattern="ssh-client" explicit="yes" />
  4. Save the file.
  5. Open a command prompt window with administrator rights.
  6. Run ssh-server-ctl reload

Read "User Authentication with Certificates" in the Tectia SSH Server Administrator Manual (https://www.ssh.com/manuals/) for more details.

PrivX also supports OpenSSH certificate authentication.
