Annotation of src/usr.bin/ssh/PROTOCOL.certkeys, Revision 1.16
1.1 djm 1: This document describes a simple public-key certificate authentication
2: system for use by SSH.
3:
4: Background
5: ----------
6:
7: The SSH protocol currently supports a simple public key authentication
1.8 djm 8: mechanism. Unlike other public key implementations, SSH eschews the use
9: of X.509 certificates and uses raw keys. This approach has some benefits
10: relating to simplicity of configuration and minimisation of attack
11: surface, but it does not support the important use-cases of centrally
12: managed, passwordless authentication and centrally certified host keys.
1.1 djm 13:
14: These protocol extensions build on the simple public key authentication
1.8 djm 15: system already in SSH to allow certificate-based authentication. The
16: certificates used are not traditional X.509 certificates, with numerous
17: options and complex encoding rules, but something rather more minimal: a
18: key, some identity information and usage options that have been signed
19: with some other trusted key.
1.1 djm 20:
21: A sshd server may be configured to allow authentication via certified
1.8 djm 22: keys, by extending the existing ~/.ssh/authorized_keys mechanism to
23: allow specification of certification authority keys in addition to
24: raw user keys. The ssh client will support automatic verification of
25: acceptance of certified host keys, by adding a similar ability to
26: specify CA keys in ~/.ssh/known_hosts.
27:
1.15 djm 28: All certificate types include certification information along with the
29: public key that is used to sign challenges. In OpenSSH, ssh-keygen
30: performs the CA signing operation.
31:
1.8 djm 32: Certified keys are represented using new key types:
33:
34: ssh-rsa-cert-v01@openssh.com
35: ssh-dss-cert-v01@openssh.com
36: ecdsa-sha2-nistp256-cert-v01@openssh.com
37: ecdsa-sha2-nistp384-cert-v01@openssh.com
38: ecdsa-sha2-nistp521-cert-v01@openssh.com
1.16 ! djm 39: ssh-ed25519-cert-v01@openssh.com
1.8 djm 40:
1.15 djm 41: Two additional types exist for RSA certificates to force use of
42: SHA-2 signatures (SHA-256 and SHA-512 respectively):
43:
44: rsa-sha2-256-cert-v01@openssh.com
45: rsa-sha2-512-cert-v01@openssh.com
46:
47: These RSA/SHA-2 types should not appear in keys at rest or transmitted
48: on their wire, but do appear in a SSH_MSG_KEXINIT's host-key algorithms
49: field or in the "public key algorithm name" field of a "publickey"
50: SSH_USERAUTH_REQUEST to indicate that the signature will use the
51: specified algorithm.
1.1 djm 52:
53: Protocol extensions
54: -------------------
55:
56: The SSH wire protocol includes several extensibility mechanisms.
57: These modifications shall take advantage of namespaced public key
58: algorithm names to add support for certificate authentication without
59: breaking the protocol - implementations that do not support the
60: extensions will simply ignore them.
61:
62: Authentication using the new key formats described below proceeds
63: using the existing SSH "publickey" authentication method described
64: in RFC4252 section 7.
65:
66: New public key formats
67: ----------------------
68:
1.8 djm 69: The certificate key types take a similar high-level format (note: data
70: types and encoding are as per RFC4251 section 5). The serialised wire
71: encoding of these certificates is also used for storing them on disk.
1.1 djm 72:
73: #define SSH_CERT_TYPE_USER 1
74: #define SSH_CERT_TYPE_HOST 2
75:
76: RSA certificate
77:
1.4 djm 78: string "ssh-rsa-cert-v01@openssh.com"
79: string nonce
1.1 djm 80: mpint e
81: mpint n
1.4 djm 82: uint64 serial
1.1 djm 83: uint32 type
84: string key id
85: string valid principals
86: uint64 valid after
87: uint64 valid before
1.4 djm 88: string critical options
89: string extensions
1.1 djm 90: string reserved
91: string signature key
92: string signature
93:
94: DSA certificate
95:
1.4 djm 96: string "ssh-dss-cert-v01@openssh.com"
97: string nonce
1.1 djm 98: mpint p
99: mpint q
100: mpint g
101: mpint y
1.4 djm 102: uint64 serial
1.1 djm 103: uint32 type
104: string key id
105: string valid principals
106: uint64 valid after
107: uint64 valid before
1.4 djm 108: string critical options
109: string extensions
1.1 djm 110: string reserved
111: string signature key
112: string signature
113:
1.8 djm 114: ECDSA certificate
115:
1.13 djm 116: string "ecdsa-sha2-nistp256-cert-v01@openssh.com" |
117: "ecdsa-sha2-nistp384-cert-v01@openssh.com" |
118: "ecdsa-sha2-nistp521-cert-v01@openssh.com"
1.8 djm 119: string nonce
120: string curve
121: string public_key
122: uint64 serial
123: uint32 type
124: string key id
125: string valid principals
126: uint64 valid after
127: uint64 valid before
128: string critical options
129: string extensions
130: string reserved
131: string signature key
132: string signature
133:
1.10 djm 134: ED25519 certificate
135:
136: string "ssh-ed25519-cert-v01@openssh.com"
137: string nonce
138: string pk
139: uint64 serial
140: uint32 type
141: string key id
142: string valid principals
143: uint64 valid after
144: uint64 valid before
145: string critical options
146: string extensions
147: string reserved
148: string signature key
149: string signature
150:
1.4 djm 151: The nonce field is a CA-provided random bitstring of arbitrary length
152: (but typically 16 or 32 bytes) included to make attacks that depend on
153: inducing collisions in the signature hash infeasible.
154:
1.1 djm 155: e and n are the RSA exponent and public modulus respectively.
156:
157: p, q, g, y are the DSA parameters as described in FIPS-186-2.
158:
1.8 djm 159: curve and public key are respectively the ECDSA "[identifier]" and "Q"
160: defined in section 3.1 of RFC5656.
161:
1.10 djm 162: pk is the encoded Ed25519 public key as defined by
163: draft-josefsson-eddsa-ed25519-03.
164:
1.4 djm 165: serial is an optional certificate serial number set by the CA to
166: provide an abbreviated way to refer to certificates from that CA.
1.5 djm 167: If a CA does not wish to number its certificates it must set this
1.4 djm 168: field to zero.
169:
1.1 djm 170: type specifies whether this certificate is for identification of a user
171: or a host using a SSH_CERT_TYPE_... value.
172:
173: key id is a free-form text field that is filled in by the CA at the time
174: of signing; the intention is that the contents of this field are used to
175: identify the identity principal in log messages.
176:
177: "valid principals" is a string containing zero or more principals as
178: strings packed inside it. These principals list the names for which this
179: certificate is valid; hostnames for SSH_CERT_TYPE_HOST certificates and
180: usernames for SSH_CERT_TYPE_USER certificates. As a special case, a
181: zero-length "valid principals" field means the certificate is valid for
1.10 djm 182: any principal of the specified type.
1.1 djm 183:
184: "valid after" and "valid before" specify a validity period for the
185: certificate. Each represents a time in seconds since 1970-01-01
186: 00:00:00. A certificate is considered valid if:
1.8 djm 187:
188: valid after <= current time < valid before
1.1 djm 189:
1.14 djm 190: critical options is a set of zero or more key options encoded as
1.4 djm 191: below. All such options are "critical" in the sense that an implementation
192: must refuse to authorise a key that has an unrecognised option.
193:
194: extensions is a set of zero or more optional extensions. These extensions
195: are not critical, and an implementation that encounters one that it does
1.6 djm 196: not recognise may safely ignore it.
1.1 djm 197:
1.9 djm 198: Generally, critical options are used to control features that restrict
199: access where extensions are used to enable features that grant access.
200: This ensures that certificates containing unknown restrictions do not
201: inadvertently grant access while allowing new protocol features to be
202: enabled via extensions without breaking certificates' backwards
203: compatibility.
204:
1.4 djm 205: The reserved field is currently unused and is ignored in this version of
1.1 djm 206: the protocol.
207:
1.11 djm 208: The signature key field contains the CA key used to sign the
209: certificate. The valid key types for CA keys are ssh-rsa,
210: ssh-dss, ssh-ed25519 and the ECDSA types ecdsa-sha2-nistp256,
211: ecdsa-sha2-nistp384, ecdsa-sha2-nistp521. "Chained" certificates, where
212: the signature key type is a certificate type itself are NOT supported.
213: Note that it is possible for a RSA certificate key to be signed by a
214: Ed25519 or ECDSA CA key and vice-versa.
1.1 djm 215:
216: signature is computed over all preceding fields from the initial string
217: up to, and including the signature key. Signatures are computed and
218: encoded according to the rules defined for the CA's public key algorithm
1.8 djm 219: (RFC4253 section 6.6 for ssh-rsa and ssh-dss, RFC5656 for the ECDSA
1.10 djm 220: types), and draft-josefsson-eddsa-ed25519-03 for Ed25519.
1.1 djm 221:
1.4 djm 222: Critical options
223: ----------------
1.1 djm 224:
1.4 djm 225: The critical options section of the certificate specifies zero or more
226: options on the certificates validity. The format of this field
1.1 djm 227: is a sequence of zero or more tuples:
228:
229: string name
230: string data
231:
1.7 djm 232: Options must be lexically ordered by "name" if they appear in the
1.9 djm 233: sequence. Each named option may only appear once in a certificate.
1.7 djm 234:
1.4 djm 235: The name field identifies the option and the data field encodes
236: option-specific information (see below). All options are
237: "critical", if an implementation does not recognise a option
1.1 djm 238: then the validating party should refuse to accept the certificate.
239:
1.12 djm 240: Custom options should append the originating author or organisation's
241: domain name to the option name, e.g. "my-option@example.com".
242:
1.10 djm 243: No critical options are defined for host certificates at present. The
244: supported user certificate options and the contents and structure of
245: their data fields are:
1.1 djm 246:
247: Name Format Description
248: -----------------------------------------------------------------------------
249: force-command string Specifies a command that is executed
250: (replacing any the user specified on the
251: ssh command-line) whenever this key is
252: used for authentication.
253:
1.6 djm 254: source-address string Comma-separated list of source addresses
255: from which this certificate is accepted
256: for authentication. Addresses are
257: specified in CIDR format (nn.nn.nn.nn/nn
258: or hhhh::hhhh/nn).
259: If this option is not present then
260: certificates may be presented from any
261: source address.
262:
263: Extensions
264: ----------
265:
266: The extensions section of the certificate specifies zero or more
1.7 djm 267: non-critical certificate extensions. The encoding and ordering of
1.9 djm 268: extensions in this field is identical to that of the critical options,
269: as is the requirement that each name appear only once.
270:
1.7 djm 271: If an implementation does not recognise an extension, then it should
272: ignore it.
1.6 djm 273:
1.12 djm 274: Custom options should append the originating author or organisation's
275: domain name to the option name, e.g. "my-option@example.com".
276:
1.10 djm 277: No extensions are defined for host certificates at present. The
278: supported user certificate extensions and the contents and structure of
279: their data fields are:
1.6 djm 280:
281: Name Format Description
282: -----------------------------------------------------------------------------
1.1 djm 283: permit-X11-forwarding empty Flag indicating that X11 forwarding
284: should be permitted. X11 forwarding will
1.4 djm 285: be refused if this option is absent.
1.1 djm 286:
287: permit-agent-forwarding empty Flag indicating that agent forwarding
288: should be allowed. Agent forwarding
289: must not be permitted unless this
1.4 djm 290: option is present.
1.1 djm 291:
292: permit-port-forwarding empty Flag indicating that port-forwarding
1.4 djm 293: should be allowed. If this option is
1.1 djm 294: not present then no port forwarding will
295: be allowed.
296:
297: permit-pty empty Flag indicating that PTY allocation
298: should be permitted. In the absence of
1.4 djm 299: this option PTY allocation will be
1.1 djm 300: disabled.
301:
302: permit-user-rc empty Flag indicating that execution of
303: ~/.ssh/rc should be permitted. Execution
304: of this script will not be permitted if
1.4 djm 305: this option is not present.
1.1 djm 306:
1.16 ! djm 307: $OpenBSD: PROTOCOL.certkeys,v 1.15 2018/07/03 11:39:54 djm Exp $