Why ssh-agent doesn't forward my SSH certificate?
This thread is a response to the titled question: Why doesn't ssh-agent forward my SSH certificate? Actually I couldn't find any information during my search. I had to read the C code of ssh-add to resolve my issue.

Problem

I have a valid SSH certificate:

$ ssh-keygen -L -f ~/.ssh/id_rsa-cert.pub
/home/user/.ssh/id_rsa-cert.pub:
    Type: ssh-rsa-cert-v01@openssh.com user certificate
    Public key: RSA-CERT SHA256:YgFzKPkUdZHLLi8bEKUs5/hLumNoMNG+oDJ+KD6mS3s
    Signing CA: RSA SHA256:w+Cjpu/QQUunuojs9Af82ENdBUreCDXo+APao9X4dHw
    Key ID: "user_key"
    Serial: 0
    Valid: from 2017-12-06T10:53:00 to 2017-12-07T10:54:57
    Principals: 
            user
            admin
    Critical Options: (none)
    Extensions: 
            permit-X11-forwarding
            permit-agent-forwarding
            permit-port-forwarding
            permit-pty
            permit-user-rc

This is my ssh-agent's list of keys:

$ ssh-add -l
4096 SHA256:YgFzKPkUdAGBPi8bEKUs5/hLumNoAds+oDJ+KD6mS3s user_key (RSA)

When I SSH to a remote server, it works. I have no ~/.ssh/authorized_keys, and my key is probably forwarded correctly because I get the same result as above.

Now I would like to SSH to another server from the first one (with ForwardAgent yes):

$ ssh srv1
srv1:~$ ssh srv2 -vvv
...
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: user_key
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
...
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
srv1:~$ 

What did I do wrong?

Palette answered 6/12, 2017 at 17:3

Comment: You should post the answer part as an answer to this question (and remove it from the question itself). – Clotilde

In fact, ssh-agent did not take my SSH certificate properly. We can see that it is an RSA and not an RSA-CERT. How do you import a certificate into ssh-agent?

You must have two key pairs (location and naming are important):

  • Original RSA pair:
    • Private key: ~/.ssh/example_key
    • Public key: ~/.ssh/example_key.pub
  • RSA certificate:
    • Private key/certificate: ~/.ssh/example_key-cert
    • Public certificate: ~/.ssh/example_key-cert.pub

Then import the original pair:

$ ssh-add ~/.ssh/example_key
Enter passphrase for /home/user/.ssh/example_key: 
Identity added: /home/user/.ssh/example_key (/home/user/.ssh/example_key)
Certificate added: /home/user/.ssh/example_key-cert.pub (user)

The certificate is added automatically.

Then the SSH agent forwards it without a problem. Note that it is impossible to delete the original RSA key pair from the agent without also removing the SSH certificate.

$ ssh-add -l
4096 SHA256:YgFzKPkUdAGBPi8bEKUs5/hLumNoAds+oDJ+KD6mS3s user_key (RSA)
4096 SHA256:YgFzKPkUdAGBPi8bEKUs5/hLumNoAds+oDJ+KD6mS3s user_key (RSA-CERT)
$ ssh srv1
srv1:~$ ssh srv2
srv2:~$ 

Recap: what was wrong and why?

  • Bad naming of my keys. My RSA pair was something like ~/.ssh/id_rsa_github and my SSH certificate was ~/.ssh/id_rsa-cert.
  • The agent imported my certificate badly and considered it an identity, not a certificate.
  • During the first SSH connection, the agent provided the certificate as an identity but could still negotiate with the remote OpenSSH server (I don't really know why). During the second SSH connection, it couldn't...

Also be careful about this:

  • Add permit-agent-forwarding to the certificate extensions
  • Put ForwardAgent yes in your SSH client configuration

Finally, to sign certificates I use CASSH.

Palette answered 6/12, 2017 at 22:28

Comment: Thanks! This worked. One suggestion I have is to clarify the naming convention for the cert. It works only if you add -cert.pub at the end of the cert file. You put it out there with a space but didn't mention it clearly. – Zomba
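The naming rule the answer and the comment describe can be checked before touching the agent. The following is an added example, not code from the original post or from OpenSSH: it mirrors the `<key>-cert.pub` lookup that ssh-add performs, decodes the certificate blob according to OpenSSH's PROTOCOL.certkeys layout, and reports the things that would make the forwarded certificate useless (wrong file name, certificate issued for a different key, expired validity window, missing permit-agent-forwarding). The `-cert-v01@openssh.com` type suffix and the field order are from the OpenSSH specification; `preflight`, `inspect_pubkey_line` and `build_test_pair` are names chosen here, and `build_test_pair` emits unsigned dummy certificates with placeholder key bytes so the check can be exercised offline.

```python
"""Pre-flight check mirroring how ssh-add pairs a private key with its
certificate: it only ever looks for '<key>-cert.pub' beside the key.
Added example, not from the original post; build_test_pair emits
UNSIGNED dummy certificates purely for offline demonstration."""
import base64
import struct
import time

CERT_SUFFIX = "-cert-v01@openssh.com"
# Public-key fields per blob (PROTOCOL.certkeys): RSA e,n; Ed25519 key; ECDSA curve,point
PUBKEY_FIELDS = {"ssh-rsa": 2, "ssh-ed25519": 1, "ecdsa-sha2-nistp256": 2}

def cert_path_for(key_path):
    """The only certificate file name ssh-add tries for a private key."""
    return key_path + "-cert.pub"

def _base_type(key_type):
    """Strip the certificate suffix: 'ssh-rsa-cert-v01@openssh.com' -> 'ssh-rsa'."""
    return key_type[:-len(CERT_SUFFIX)] if key_type.endswith(CERT_SUFFIX) else key_type

class _Reader:
    """Sequential decoder for the SSH wire types used in key blobs."""
    def __init__(self, blob):
        self.blob, self.pos = blob, 0
    def take(self, n):
        chunk, self.pos = self.blob[self.pos:self.pos + n], self.pos + n
        if len(chunk) != n:
            raise ValueError("truncated key blob")
        return chunk
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def u64(self): return struct.unpack(">Q", self.take(8))[0]
    def string(self): return self.take(self.u32())

def _names(buf, with_data):
    """Decode principals (list of strings) or options (name/data pairs)."""
    r, out = _Reader(buf), []
    while r.pos < len(buf):
        out.append(r.string().decode())
        if with_data:
            r.string()  # option data, not needed here
    return out

def agent_label(key_type):
    """Label ssh-add -l prints: 'RSA' for ssh-rsa, 'RSA-CERT' for its cert."""
    base = _base_type(key_type)
    name = "ECDSA" if base.startswith("ecdsa-") else base.replace("ssh-", "").upper()
    return name + ("-CERT" if base != key_type else "")

def inspect_pubkey_line(line, now=None):
    """Parse a .pub or -cert.pub line; certificates also yield id, principals,
    validity window and extensions."""
    key_type, b64 = line.split()[:2]
    r = _Reader(base64.b64decode(b64))
    if r.string().decode() != key_type:
        raise ValueError("type prefix does not match blob")
    base = _base_type(key_type)
    is_cert = base != key_type
    info = {"type": key_type, "label": agent_label(key_type)}
    if is_cert:
        r.string()  # nonce
    info["pubkey"] = [r.string() for _ in range(PUBKEY_FIELDS[base])]
    if not is_cert:
        return info
    info["serial"], info["cert_type"] = r.u64(), r.u32()  # 1 = user, 2 = host
    info["key_id"] = r.string().decode()
    info["principals"] = _names(r.string(), False)
    info["valid_after"], info["valid_before"] = r.u64(), r.u64()
    info["critical_options"] = _names(r.string(), True)
    info["extensions"] = _names(r.string(), True)
    now = time.time() if now is None else now
    info["valid_now"] = info["valid_after"] <= now < info["valid_before"]
    return info

def preflight(key_path, read=None, now=None):
    """List what would stop the forwarded certificate from working (empty == OK).
    `read` maps a path to file text; it defaults to the filesystem."""
    read = read or (lambda p: open(p).read())
    cert_path = cert_path_for(key_path)
    try:
        pub = inspect_pubkey_line(read(key_path + ".pub"), now)
        cert = inspect_pubkey_line(read(cert_path), now)
    except FileNotFoundError as e:
        return ["%s missing: ssh-add would load the plain key only" % e.filename]
    if not cert["label"].endswith("-CERT"):
        return [cert_path + " holds a plain key, not a certificate"]
    problems = []
    if cert["pubkey"] != pub["pubkey"]:
        problems.append("certificate was not issued for this key")
    if not cert["valid_now"]:
        problems.append("certificate is outside its validity window")
    if "permit-agent-forwarding" not in cert["extensions"]:
        problems.append("certificate lacks permit-agent-forwarding")
    return problems

def build_test_pair(base, key_id, principals, valid_after, valid_before, exts):
    """Constructed (.pub, -cert.pub) lines with placeholder key bytes and an
    empty signature; demonstration only, real certs come from ssh-keygen -s."""
    s = lambda b: struct.pack(">I", len(b)) + b
    pk = {"ssh-rsa": s(b"\x01\x00\x01") + s(b"\x00" + b"\xab" * 64),
          "ssh-ed25519": s(b"\x11" * 32)}[base]
    cert = (s((base + CERT_SUFFIX).encode()) + s(b"\x00" * 32) + pk
            + struct.pack(">QI", 0, 1) + s(key_id.encode())
            + s(b"".join(s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before) + s(b"")
            + s(b"".join(s(e.encode()) + s(b"") for e in exts)) + s(b"") * 3)
    line = lambda t, blob: "%s %s %s" % (t, base64.b64encode(blob).decode(), key_id)
    return line(base, s(base.encode()) + pk), line(base + CERT_SUFFIX, cert)
```

Against real files, `preflight("/home/user/.ssh/example_key")` reads `example_key.pub` and `example_key-cert.pub` from disk; with the asker's layout (key `id_rsa_github`, certificate `id_rsa-cert.pub`) it reports the `-cert.pub` file as missing, which is exactly why `ssh-add -l` showed only an `(RSA)` entry. The public-key comparison catches the other silent failure, a correctly named certificate that was signed for a different key.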
