Annotation of src/usr.bin/ssh/PROTOCOL.certkeys, Revision 1.8
1.1 djm 1: This document describes a simple public-key certificate authentication
2: system for use by SSH.
3:
4: Background
5: ----------
6:
7: The SSH protocol currently supports a simple public key authentication
1.8 ! djm 8: mechanism. Unlike other public key implementations, SSH eschews the use
! 9: of X.509 certificates and uses raw keys. This approach has some benefits
! 10: relating to simplicity of configuration and minimisation of attack
! 11: surface, but it does not support the important use-cases of centrally
! 12: managed, passwordless authentication and centrally certified host keys.
1.1 djm 13:
14: These protocol extensions build on the simple public key authentication
1.8 ! djm 15: system already in SSH to allow certificate-based authentication. The
! 16: certificates used are not traditional X.509 certificates, with numerous
! 17: options and complex encoding rules, but something rather more minimal: a
! 18: key, some identity information and usage options that have been signed
! 19: with some other trusted key.
1.1 djm 20:
21: A sshd server may be configured to allow authentication via certified
1.8 ! djm 22: keys, by extending the existing ~/.ssh/authorized_keys mechanism to
! 23: allow specification of certification authority keys in addition to
! 24: raw user keys. The ssh client will support automatic verification of
! 25: acceptance of certified host keys, by adding a similar ability to
! 26: specify CA keys in ~/.ssh/known_hosts.
! 27:
! 28: Certified keys are represented using new key types:
! 29:
! 30: ssh-rsa-cert-v01@openssh.com
! 31: ssh-dss-cert-v01@openssh.com
! 32: ecdsa-sha2-nistp256-cert-v01@openssh.com
! 33: ecdsa-sha2-nistp384-cert-v01@openssh.com
! 34: ecdsa-sha2-nistp521-cert-v01@openssh.com
! 35:
! 36: These include certification information along with the public key
! 37: that is used to sign challenges. ssh-keygen performs the CA signing
! 38: operation.
1.1 djm 39:
40: Protocol extensions
41: -------------------
42:
43: The SSH wire protocol includes several extensibility mechanisms.
44: These modifications shall take advantage of namespaced public key
45: algorithm names to add support for certificate authentication without
46: breaking the protocol - implementations that do not support the
47: extensions will simply ignore them.
48:
49: Authentication using the new key formats described below proceeds
50: using the existing SSH "publickey" authentication method described
51: in RFC4252 section 7.
52:
53: New public key formats
54: ----------------------
55:
1.8 ! djm 56: The certificate key types take a similar high-level format (note: data
! 57: types and encoding are as per RFC4251 section 5). The serialised wire
! 58: encoding of these certificates is also used for storing them on disk.
1.1 djm 59:
60: #define SSH_CERT_TYPE_USER 1
61: #define SSH_CERT_TYPE_HOST 2
62:
63: RSA certificate
64:
1.4 djm 65: string "ssh-rsa-cert-v01@openssh.com"
66: string nonce
1.1 djm 67: mpint e
68: mpint n
1.4 djm 69: uint64 serial
1.1 djm 70: uint32 type
71: string key id
72: string valid principals
73: uint64 valid after
74: uint64 valid before
1.4 djm 75: string critical options
76: string extensions
1.1 djm 77: string reserved
78: string signature key
79: string signature
80:
81: DSA certificate
82:
1.4 djm 83: string "ssh-dss-cert-v01@openssh.com"
84: string nonce
1.1 djm 85: mpint p
86: mpint q
87: mpint g
88: mpint y
1.4 djm 89: uint64 serial
1.1 djm 90: uint32 type
91: string key id
92: string valid principals
93: uint64 valid after
94: uint64 valid before
1.4 djm 95: string critical options
96: string extensions
1.1 djm 97: string reserved
98: string signature key
99: string signature
100:
1.8 ! djm 101: ECDSA certificate
! 102:
! 103: string "ecdsa-sha2-nistp256@openssh.com" |
! 104: "ecdsa-sha2-nistp384@openssh.com" |
! 105: "ecdsa-sha2-nistp521@openssh.com"
! 106: string nonce
! 107: string curve
! 108: string public_key
! 109: uint64 serial
! 110: uint32 type
! 111: string key id
! 112: string valid principals
! 113: uint64 valid after
! 114: uint64 valid before
! 115: string critical options
! 116: string extensions
! 117: string reserved
! 118: string signature key
! 119: string signature
! 120:
1.4 djm 121: The nonce field is a CA-provided random bitstring of arbitrary length
122: (but typically 16 or 32 bytes) included to make attacks that depend on
123: inducing collisions in the signature hash infeasible.
124:
1.1 djm 125: e and n are the RSA exponent and public modulus respectively.
126:
127: p, q, g, y are the DSA parameters as described in FIPS-186-2.
128:
1.8 ! djm 129: curve and public key are respectively the ECDSA "[identifier]" and "Q"
! 130: defined in section 3.1 of RFC5656.
! 131:
1.4 djm 132: serial is an optional certificate serial number set by the CA to
133: provide an abbreviated way to refer to certificates from that CA.
1.5 djm 134: If a CA does not wish to number its certificates it must set this
1.4 djm 135: field to zero.
136:
1.1 djm 137: type specifies whether this certificate is for identification of a user
138: or a host using a SSH_CERT_TYPE_... value.
139:
140: key id is a free-form text field that is filled in by the CA at the time
141: of signing; the intention is that the contents of this field are used to
142: identify the identity principal in log messages.
143:
144: "valid principals" is a string containing zero or more principals as
145: strings packed inside it. These principals list the names for which this
146: certificate is valid; hostnames for SSH_CERT_TYPE_HOST certificates and
147: usernames for SSH_CERT_TYPE_USER certificates. As a special case, a
148: zero-length "valid principals" field means the certificate is valid for
149: any principal of the specified type. XXX DNS wildcards?
150:
151: "valid after" and "valid before" specify a validity period for the
152: certificate. Each represents a time in seconds since 1970-01-01
153: 00:00:00. A certificate is considered valid if:
1.8 ! djm 154:
! 155: valid after <= current time < valid before
1.1 djm 156:
1.4 djm 157: criticial options is a set of zero or more key options encoded as
158: below. All such options are "critical" in the sense that an implementation
159: must refuse to authorise a key that has an unrecognised option.
160:
161: extensions is a set of zero or more optional extensions. These extensions
162: are not critical, and an implementation that encounters one that it does
1.6 djm 163: not recognise may safely ignore it.
1.1 djm 164:
1.4 djm 165: The reserved field is currently unused and is ignored in this version of
1.1 djm 166: the protocol.
167:
168: signature key contains the CA key used to sign the certificate.
1.8 ! djm 169: The valid key types for CA keys are ssh-rsa, ssh-dss and the ECDSA types
! 170: ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521. "Chained"
1.1 djm 171: certificates, where the signature key type is a certificate type itself
172: are NOT supported. Note that it is possible for a RSA certificate key to
1.8 ! djm 173: be signed by a DSS or ECDSA CA key and vice-versa.
1.1 djm 174:
175: signature is computed over all preceding fields from the initial string
176: up to, and including the signature key. Signatures are computed and
177: encoded according to the rules defined for the CA's public key algorithm
1.8 ! djm 178: (RFC4253 section 6.6 for ssh-rsa and ssh-dss, RFC5656 for the ECDSA
! 179: types).
1.1 djm 180:
1.4 djm 181: Critical options
182: ----------------
1.1 djm 183:
1.4 djm 184: The critical options section of the certificate specifies zero or more
185: options on the certificates validity. The format of this field
1.1 djm 186: is a sequence of zero or more tuples:
187:
188: string name
189: string data
190:
1.7 djm 191: Options must be lexically ordered by "name" if they appear in the
192: sequence.
193:
1.4 djm 194: The name field identifies the option and the data field encodes
195: option-specific information (see below). All options are
196: "critical", if an implementation does not recognise a option
1.1 djm 197: then the validating party should refuse to accept the certificate.
198:
1.4 djm 199: The supported options and the contents and structure of their
1.1 djm 200: data fields are:
201:
202: Name Format Description
203: -----------------------------------------------------------------------------
204: force-command string Specifies a command that is executed
205: (replacing any the user specified on the
206: ssh command-line) whenever this key is
207: used for authentication.
208:
1.6 djm 209: source-address string Comma-separated list of source addresses
210: from which this certificate is accepted
211: for authentication. Addresses are
212: specified in CIDR format (nn.nn.nn.nn/nn
213: or hhhh::hhhh/nn).
214: If this option is not present then
215: certificates may be presented from any
216: source address.
217:
218: Extensions
219: ----------
220:
221: The extensions section of the certificate specifies zero or more
1.7 djm 222: non-critical certificate extensions. The encoding and ordering of
223: extensions in this field is identical to that of the critical options.
224: If an implementation does not recognise an extension, then it should
225: ignore it.
1.6 djm 226:
227: The supported extensions and the contents and structure of their data
228: fields are:
229:
230: Name Format Description
231: -----------------------------------------------------------------------------
1.1 djm 232: permit-X11-forwarding empty Flag indicating that X11 forwarding
233: should be permitted. X11 forwarding will
1.4 djm 234: be refused if this option is absent.
1.1 djm 235:
236: permit-agent-forwarding empty Flag indicating that agent forwarding
237: should be allowed. Agent forwarding
238: must not be permitted unless this
1.4 djm 239: option is present.
1.1 djm 240:
241: permit-port-forwarding empty Flag indicating that port-forwarding
1.4 djm 242: should be allowed. If this option is
1.1 djm 243: not present then no port forwarding will
244: be allowed.
245:
246: permit-pty empty Flag indicating that PTY allocation
247: should be permitted. In the absence of
1.4 djm 248: this option PTY allocation will be
1.1 djm 249: disabled.
250:
251: permit-user-rc empty Flag indicating that execution of
252: ~/.ssh/rc should be permitted. Execution
253: of this script will not be permitted if
1.4 djm 254: this option is not present.
1.1 djm 255:
1.8 ! djm 256: $OpenBSD: PROTOCOL.certkeys,v 1.7 2010/08/04 05:40:39 djm Exp $