Connections from an SSH client with Signed User Key Certificates in SSH_AGENT are not correctly handled and Authentication of user Fails
PR #808 implements support for public keys and this works great to enable SSH CA signed certificates from an SSH client to an appropriately configured SSH server with a CA key installed and configured in sshd_config TrustedUserCAKeys.
This means that a HashiCorp Vault SSH CA signing process works well for SSH sessions using this SSH2 and SSH2_STREAMS (with PR mscdex/ssh2-streams#137) when keys are declared in privateKey and publicKey parameters to connect as per example in #808.
However, authentication fails in the scenario of the user's keys and signed certificate being added to SSH_AGENT with `ssh-add <key>`. It appears the function at ssh2/lib/client.js (line 520 in 632073f) does not handle certificates appropriately, particularly the signed response from ssh-agent when a signed certificate public key is used.
#808 has been waiting for approval for a long time. I have a workaround for this SSH_AGENT issue that is dependent on #808. This workaround auphofBSF@74ec863 is not complete for all types of certificates; it does however incorporate #808 and does work correctly for my use case of HashiCorp Vault CA signed keys.
I have added 2 more todo's to the existing todo with my interpretations of what may still be missing. It is not worthy of being a PR yet but is an immediate fix.
I don't like submitting something not fully complete but I am a Newbie to this wonderful world of PublicKey SSH Certificates and SSH Security so would hope someone with suitable experience would more confidently and robustly fill in the general cases and be able to make it into a useful PR to complement #808.
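The issue above turns on the signed response an agent returns for a certificate key. As an added example (not code from ssh2, #808 or the workaround commit), this Node.js code parses the SSH wire format to show the relationship OpenSSH uses: the key blob is typed `<base>-cert-v01@openssh.com`, while the signature carries the base key's format. All helper names and sample bytes are constructed for illustration.

```javascript
// Added illustration; helper names are hypothetical, not part of the ssh2 API.
const CERT_SUFFIX = '-cert-v01@openssh.com';

// Build an SSH wire "string": uint32 big-endian length followed by the bytes.
function sshString(data) {
  const body = Buffer.isBuffer(data) ? data : Buffer.from(data, 'utf8');
  const len = Buffer.alloc(4);
  len.writeUInt32BE(body.length, 0);
  return Buffer.concat([len, body]);
}

// Read one SSH string at `offset`, rejecting truncated input.
function readString(buf, offset) {
  if (offset + 4 > buf.length) throw new RangeError('truncated length field');
  const len = buf.readUInt32BE(offset);
  const end = offset + 4 + len;
  if (end > buf.length) throw new RangeError('truncated string body');
  return { value: buf.subarray(offset + 4, end), next: end };
}

// The first string of a public key or certificate blob names its type.
function keyType(keyBlob) {
  return readString(keyBlob, 0).value.toString('ascii');
}

// Signature formats acceptable for a key type; a certificate signs with its base key.
function allowedSignatureFormats(type) {
  const base = type.endsWith(CERT_SUFFIX) ? type.slice(0, -CERT_SUFFIX.length) : type;
  return base === 'ssh-rsa' ? ['ssh-rsa', 'rsa-sha2-256', 'rsa-sha2-512'] : [base];
}

// Split a signature (string format, string blob) and compare it with the key blob.
function checkAgentSignature(keyBlob, signature) {
  const format = readString(signature, 0);
  const raw = readString(signature, format.next);
  const type = keyType(keyBlob);
  const signatureFormat = format.value.toString('ascii');
  return {
    keyType: type,
    isCertificate: type.endsWith(CERT_SUFFIX),
    signatureFormat,
    signatureLength: raw.value.length,
    compatible: allowedSignatureFormats(type).includes(signatureFormat),
  };
}

// Constructed sample data: a shortened certificate blob (type and nonce only) and a dummy signature.
const sampleCert = Buffer.concat([sshString('ssh-ed25519-cert-v01@openssh.com'), sshString(Buffer.alloc(32, 1))]);
const sampleSig = Buffer.concat([sshString('ssh-ed25519'), sshString(Buffer.alloc(64, 2))]);
console.log(checkAgentSignature(sampleCert, sampleSig));
```

A client that compares the signature format with the full certificate type name, rather than the base type, would reject a valid agent response like the sample one.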