Annotation of src/usr.bin/ssh/PROTOCOL.certkeys, Revision 1.9
1.1 djm 1: This document describes a simple public-key certificate authentication
2: system for use by SSH.
3:
4: Background
5: ----------
6:
7: The SSH protocol currently supports a simple public key authentication
1.8 djm 8: mechanism. Unlike other public key implementations, SSH eschews the use
9: of X.509 certificates and uses raw keys. This approach has some benefits
10: relating to simplicity of configuration and minimisation of attack
11: surface, but it does not support the important use-cases of centrally
12: managed, passwordless authentication and centrally certified host keys.
1.1 djm 13:
14: These protocol extensions build on the simple public key authentication
1.8 djm 15: system already in SSH to allow certificate-based authentication. The
16: certificates used are not traditional X.509 certificates, with numerous
17: options and complex encoding rules, but something rather more minimal: a
18: key, some identity information and usage options that have been signed
19: with some other trusted key.
1.1 djm 20:
21: A sshd server may be configured to allow authentication via certified
1.8 djm 22: keys, by extending the existing ~/.ssh/authorized_keys mechanism to
23: allow specification of certification authority keys in addition to
24: raw user keys. The ssh client will support automatic verification of
25: acceptance of certified host keys, by adding a similar ability to
26: specify CA keys in ~/.ssh/known_hosts.
27:
28: Certified keys are represented using new key types:
29:
30: ssh-rsa-cert-v01@openssh.com
31: ssh-dss-cert-v01@openssh.com
32: ecdsa-sha2-nistp256-cert-v01@openssh.com
33: ecdsa-sha2-nistp384-cert-v01@openssh.com
34: ecdsa-sha2-nistp521-cert-v01@openssh.com
35:
36: These include certification information along with the public key
37: that is used to sign challenges. ssh-keygen performs the CA signing
38: operation.
1.1 djm 39:
40: Protocol extensions
41: -------------------
42:
43: The SSH wire protocol includes several extensibility mechanisms.
44: These modifications shall take advantage of namespaced public key
45: algorithm names to add support for certificate authentication without
46: breaking the protocol - implementations that do not support the
47: extensions will simply ignore them.
48:
49: Authentication using the new key formats described below proceeds
50: using the existing SSH "publickey" authentication method described
51: in RFC4252 section 7.
52:
53: New public key formats
54: ----------------------
55:
1.8 djm 56: The certificate key types take a similar high-level format (note: data
57: types and encoding are as per RFC4251 section 5). The serialised wire
58: encoding of these certificates is also used for storing them on disk.
1.1 djm 59:
60: #define SSH_CERT_TYPE_USER 1
61: #define SSH_CERT_TYPE_HOST 2
62:
63: RSA certificate
64:
1.4 djm 65: string "ssh-rsa-cert-v01@openssh.com"
66: string nonce
1.1 djm 67: mpint e
68: mpint n
1.4 djm 69: uint64 serial
1.1 djm 70: uint32 type
71: string key id
72: string valid principals
73: uint64 valid after
74: uint64 valid before
1.4 djm 75: string critical options
76: string extensions
1.1 djm 77: string reserved
78: string signature key
79: string signature
80:
81: DSA certificate
82:
1.4 djm 83: string "ssh-dss-cert-v01@openssh.com"
84: string nonce
1.1 djm 85: mpint p
86: mpint q
87: mpint g
88: mpint y
1.4 djm 89: uint64 serial
1.1 djm 90: uint32 type
91: string key id
92: string valid principals
93: uint64 valid after
94: uint64 valid before
1.4 djm 95: string critical options
96: string extensions
1.1 djm 97: string reserved
98: string signature key
99: string signature
100:
1.8 djm 101: ECDSA certificate
102:
103: string "ecdsa-sha2-nistp256@openssh.com" |
104: "ecdsa-sha2-nistp384@openssh.com" |
105: "ecdsa-sha2-nistp521@openssh.com"
106: string nonce
107: string curve
108: string public_key
109: uint64 serial
110: uint32 type
111: string key id
112: string valid principals
113: uint64 valid after
114: uint64 valid before
115: string critical options
116: string extensions
117: string reserved
118: string signature key
119: string signature
120:
1.4 djm 121: The nonce field is a CA-provided random bitstring of arbitrary length
122: (but typically 16 or 32 bytes) included to make attacks that depend on
123: inducing collisions in the signature hash infeasible.
124:
1.1 djm 125: e and n are the RSA exponent and public modulus respectively.
126:
127: p, q, g, y are the DSA parameters as described in FIPS-186-2.
128:
1.8 djm 129: curve and public key are respectively the ECDSA "[identifier]" and "Q"
130: defined in section 3.1 of RFC5656.
131:
1.4 djm 132: serial is an optional certificate serial number set by the CA to
133: provide an abbreviated way to refer to certificates from that CA.
1.5 djm 134: If a CA does not wish to number its certificates it must set this
1.4 djm 135: field to zero.
136:
1.1 djm 137: type specifies whether this certificate is for identification of a user
138: or a host using a SSH_CERT_TYPE_... value.
139:
140: key id is a free-form text field that is filled in by the CA at the time
141: of signing; the intention is that the contents of this field are used to
142: identify the identity principal in log messages.
143:
144: "valid principals" is a string containing zero or more principals as
145: strings packed inside it. These principals list the names for which this
146: certificate is valid; hostnames for SSH_CERT_TYPE_HOST certificates and
147: usernames for SSH_CERT_TYPE_USER certificates. As a special case, a
148: zero-length "valid principals" field means the certificate is valid for
149: any principal of the specified type. XXX DNS wildcards?
150:
151: "valid after" and "valid before" specify a validity period for the
152: certificate. Each represents a time in seconds since 1970-01-01
153: 00:00:00. A certificate is considered valid if:
1.8 djm 154:
155: valid after <= current time < valid before
1.1 djm 156:
1.4 djm 157: criticial options is a set of zero or more key options encoded as
158: below. All such options are "critical" in the sense that an implementation
159: must refuse to authorise a key that has an unrecognised option.
160:
161: extensions is a set of zero or more optional extensions. These extensions
162: are not critical, and an implementation that encounters one that it does
1.6 djm 163: not recognise may safely ignore it.
1.1 djm 164:
1.9 ! djm 165: Generally, critical options are used to control features that restrict
! 166: access where extensions are used to enable features that grant access.
! 167: This ensures that certificates containing unknown restrictions do not
! 168: inadvertently grant access while allowing new protocol features to be
! 169: enabled via extensions without breaking certificates' backwards
! 170: compatibility.
! 171:
1.4 djm 172: The reserved field is currently unused and is ignored in this version of
1.1 djm 173: the protocol.
174:
175: signature key contains the CA key used to sign the certificate.
1.8 djm 176: The valid key types for CA keys are ssh-rsa, ssh-dss and the ECDSA types
177: ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521. "Chained"
1.1 djm 178: certificates, where the signature key type is a certificate type itself
179: are NOT supported. Note that it is possible for a RSA certificate key to
1.8 djm 180: be signed by a DSS or ECDSA CA key and vice-versa.
1.1 djm 181:
182: signature is computed over all preceding fields from the initial string
183: up to, and including the signature key. Signatures are computed and
184: encoded according to the rules defined for the CA's public key algorithm
1.8 djm 185: (RFC4253 section 6.6 for ssh-rsa and ssh-dss, RFC5656 for the ECDSA
186: types).
1.1 djm 187:
1.4 djm 188: Critical options
189: ----------------
1.1 djm 190:
1.4 djm 191: The critical options section of the certificate specifies zero or more
192: options on the certificates validity. The format of this field
1.1 djm 193: is a sequence of zero or more tuples:
194:
195: string name
196: string data
197:
1.7 djm 198: Options must be lexically ordered by "name" if they appear in the
1.9 ! djm 199: sequence. Each named option may only appear once in a certificate.
1.7 djm 200:
1.4 djm 201: The name field identifies the option and the data field encodes
202: option-specific information (see below). All options are
203: "critical", if an implementation does not recognise a option
1.1 djm 204: then the validating party should refuse to accept the certificate.
205:
1.4 djm 206: The supported options and the contents and structure of their
1.1 djm 207: data fields are:
208:
209: Name Format Description
210: -----------------------------------------------------------------------------
211: force-command string Specifies a command that is executed
212: (replacing any the user specified on the
213: ssh command-line) whenever this key is
214: used for authentication.
215:
1.6 djm 216: source-address string Comma-separated list of source addresses
217: from which this certificate is accepted
218: for authentication. Addresses are
219: specified in CIDR format (nn.nn.nn.nn/nn
220: or hhhh::hhhh/nn).
221: If this option is not present then
222: certificates may be presented from any
223: source address.
224:
225: Extensions
226: ----------
227:
228: The extensions section of the certificate specifies zero or more
1.7 djm 229: non-critical certificate extensions. The encoding and ordering of
1.9 ! djm 230: extensions in this field is identical to that of the critical options,
! 231: as is the requirement that each name appear only once.
! 232:
1.7 djm 233: If an implementation does not recognise an extension, then it should
234: ignore it.
1.6 djm 235:
236: The supported extensions and the contents and structure of their data
237: fields are:
238:
239: Name Format Description
240: -----------------------------------------------------------------------------
1.1 djm 241: permit-X11-forwarding empty Flag indicating that X11 forwarding
242: should be permitted. X11 forwarding will
1.4 djm 243: be refused if this option is absent.
1.1 djm 244:
245: permit-agent-forwarding empty Flag indicating that agent forwarding
246: should be allowed. Agent forwarding
247: must not be permitted unless this
1.4 djm 248: option is present.
1.1 djm 249:
250: permit-port-forwarding empty Flag indicating that port-forwarding
1.4 djm 251: should be allowed. If this option is
1.1 djm 252: not present then no port forwarding will
253: be allowed.
254:
255: permit-pty empty Flag indicating that PTY allocation
256: should be permitted. In the absence of
1.4 djm 257: this option PTY allocation will be
1.1 djm 258: disabled.
259:
260: permit-user-rc empty Flag indicating that execution of
261: ~/.ssh/rc should be permitted. Execution
262: of this script will not be permitted if
1.4 djm 263: this option is not present.
1.1 djm 264:
1.9 ! djm 265: $OpenBSD: PROTOCOL.certkeys,v 1.8 2010/08/31 11:54:45 djm Exp $