
Support for signed certificates?

Open greg-dfo opened this issue 6 years ago • 3 comments

"OpenSSH for Windows" version OpenSSH_for_Windows_8.0p1, LibreSSL 2.6.5

Client OperatingSystem Windows 10 Enterprise

Does OpenSSH for Windows support signed certs?

I feel like it does, as ssh-keygen picks up the certificate no problem. However, it doesn't want to connect. The same steps seem to work fine from Linux.

 Directory of C:\hi
11/04/2019  01:18 PM             2,013 GregDFO-cert.pub
04/16/2019  09:07 AM             1,854 GregDFO-private.key
04/16/2019  09:31 AM               389 GregDFO-public.key

C:\hi>ssh-keygen -Lf GregDFO-cert.pub
GregDFO-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:Ccox9NCf/HBjzFxRE76XsnTT9k0vbmRB4/j5qX95WkQ
        Signing CA: RSA SHA256:3axo+wPqiszHOTKy94Tk2gj4S6Rb6uGWKcB4s059bvg (using ssh-rsa)
        Key ID: "root"
        Serial: 17890926214909873034
        Valid: from 2019-11-01T08:52:18 to 2019-11-13T19:52:48
        Principals:
                cormierg
        Critical Options: (none)
        Extensions:
                permit-pty

However, when trying to use it, ssh spits out "invalid format":

C:\hi>ssh -i GregDFO-private.key -i GregDFO-cert.pub [email protected]

     Unauthorized Access Prohibited / Acces non-autorise interdit


Enter passphrase for key 'GregDFO-private.key': *****
Load key "GregDFO-cert.pub": invalid format

A few extra verbose tidbits:

Enter passphrase for key 'GregDFO-private.key':
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Offering public key: GregDFO-cert.pub RSA-CERT SHA256:Ccox9NCf/HBjzFxRE76XsnTT9k0vbmRB4/j5qX95WkQ explicit
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: GregDFO-cert.pub RSA-CERT SHA256:Ccox9NCf/HBjzFxRE76XsnTT9k0vbmRB4/j5qX95WkQ explicit
debug1: sign_and_send_pubkey: no separate private key for certificate "GregDFO-cert.pub"
Load key "GregDFO-cert.pub": invalid format
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive

greg-dfo avatar Nov 04 '19 19:11 greg-dfo

Did you add a TrustedUserCAKeys line to sshd_config?

TrustedUserCAKeys __PROGRAMDATA__/ssh/trusted_ssh_ca_keys

It definitely works for me (OpenSSH_for_Windows_8.1p1, LibreSSL 2.9.2)

ambakshi avatar May 08 '22 16:05 ambakshi

Oh nm, you meant using the Windows client to connect to a server that otherwise works. I think there is a hint in this:

debug1: sign_and_send_pubkey: no separate private key for certificate "GregDFO-cert.pub"
Load key "GregDFO-cert.pub": invalid format

Try naming the files so the pub and cert get picked up as defaults (using GregDFO, GregDFO.pub and keeping GregDFO-cert.pub), then pass -i GregDFO; it should pick up the rest.

ambakshi avatar May 08 '22 16:05 ambakshi
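The file-naming rule behind the suggestion above, as an added example that is not part of the issue thread or of the Win32-OpenSSH project: when a private key is given with -i, ssh only looks for its certificate at "<identity>-cert.pub", so with -i GregDFO-private.key it wants GregDFO-private.key-cert.pub, never GregDFO-cert.pub, and passing the certificate itself as a second -i just makes ssh try to load it as a private key (the "invalid format" error in the log). The script below is written in POSIX sh rather than cmd.exe, but the pairing rule it checks is the same one the Windows client applies; the files it creates are empty placeholders with the thread's names, not real keys.

```shell
#!/bin/sh
# Added example (not from the Win32-OpenSSH issue): show how ssh pairs the
# identity given with -i to its certificate, and why the thread's file names
# (GregDFO-private.key, GregDFO-public.key, GregDFO-cert.pub) fail that rule.
# Assumption: the placeholder files created by demo() stand in for real keys.

# ssh derives the implicit certificate path as "<identity>-cert.pub".
expected_cert_path() {
    printf '%s-cert.pub\n' "$1"
}

# Print "paired" if the identity's implicit certificate exists, else "unpaired".
# Always returns 0 so it can be used inside $(...) under set -e.
cert_status() {
    if [ -f "$(expected_cert_path "$1")" ]; then
        echo paired
    else
        echo unpaired
    fi
}

# Rename the thread's files into the layout ssh expects for "-i GregDFO":
#   GregDFO           private key
#   GregDFO.pub       public key
#   GregDFO-cert.pub  certificate (already correctly named, left alone)
apply_default_layout() {
    dir=$1
    mv "$dir/GregDFO-private.key" "$dir/GregDFO"
    mv "$dir/GregDFO-public.key"  "$dir/GregDFO.pub"
}

# Reproduce the mismatch, apply the rename, and report both states.
# Prints "unpaired paired" when the fix works.
demo() {
    tmp=$(mktemp -d)
    # Constructed placeholder files mirroring the directory listing in the issue.
    : > "$tmp/GregDFO-private.key"
    : > "$tmp/GregDFO-public.key"
    : > "$tmp/GregDFO-cert.pub"

    # Before: ssh would look for GregDFO-private.key-cert.pub, which is absent.
    before=$(cert_status "$tmp/GregDFO-private.key")

    apply_default_layout "$tmp"

    # After: "-i GregDFO" resolves to GregDFO-cert.pub, which now matches.
    after=$(cert_status "$tmp/GregDFO")

    rm -rf "$tmp"
    echo "$before $after"
}

# Stand-alone run: prints the before/after pairing status.
demo
```

If renaming is not an option, the certificate can also be named explicitly with the CertificateFile option (available since OpenSSH 7.2), e.g. `ssh -i GregDFO-private.key -o CertificateFile=GregDFO-cert.pub user@host`, which avoids the implicit "<identity>-cert.pub" lookup entirely; in either case `ssh -v` should then report "Offering public key: ... RSA-CERT ... explicit" followed by a signature, not "no separate private key for certificate".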

> Did you add a TrustedUserCAKeys line to sshd_config?
>
> TrustedUserCAKeys __PROGRAMDATA__/ssh/trusted_ssh_ca_keys
>
> It definitely works for me (OpenSSH_for_Windows_8.1p1, LibreSSL 2.9.2)

Could you share the setup you have which is working?

I'm trying to set this up myself, and my Windows sshd is complaining:

sshd: userauth_pubkey: unsupported public key algorithm: [email protected] [preauth]

Are the certs you're using signed with a different algorithm?

godeater avatar Sep 16 '22 01:09 godeater