
Add support for SSH certificates #137

Open
wants to merge 4 commits into base: master

Conversation

@TimWolla TimWolla commented Jul 21, 2019

see mscdex/ssh2#808

The biggest issue when debugging this was that the code unconditionally used the key type as the signature type. For SSH certificates these do not match up. Apart from that the code already handled certificates well.

TimWolla added 2 commits July 20, 2019 01:38
This is in preparation to support SSH certificates, where the
signature type is different to the public key type.
At this time it is identical to pubKeyType. It will differ
when SSH certificates are being used.
TimWolla added 2 commits July 21, 2019 17:23
convertSignature was extended to convert certificate key types
into their underlying key types.
getPublicSSH() will simply pass through the original key blob.
getPublicPEM() will return raw public key data of the certificate's public key, without incorporating the additional metadata.
@TimWolla (Author)

@mscdex Did you have time to take a look, yet?

@dsafanyuk

Would love to have this merged! Using @TimWolla's changes works great in our tests.

@jisack

jisack commented Mar 5, 2020

Looking forward to this PR being merged.

@aadityabhatia

Tested it -- works as expected with [email protected] and [email protected] user certificates. Anything I could do to help move this along?

@auphofBSF

auphofBSF commented Jul 29, 2020

I am trying to use this for SSH Certificate Authority authentication using Hashicorp VAULT SSH CA. I have the appropriate VAULT SSH CA key on the OpenSSH configured as in sshd_config TrustedUserCAKeys.

On the client side I have a private key id_rsa_<user> and valid Vault SSH CA signed certificate id_rsa_<user>-cert.pub that I have attempted to use as the public_key in this ssh2 branch.

Note: This works perfectly from an openssh client in bash ssh -i id_rsa_<user> <user>@<server>

However I am unable to make it work using this branch of SSH2. I am testing with the modified SSH2 example https://github.com/mscdex/ssh2#execute-uptime-on-a-server

I get the error: Error('publicKey does not belong to the private key')

Thank you for your work in this PR

var Client = require('ssh2').Client;

var conn = new Client();
conn.on('ready', function() {
  console.log('Client :: ready');
  conn.exec('uptime', function(err, stream) {
    if (err) throw err;
    stream.on('close', function(code, signal) {
      console.log('Stream :: close :: code: ' + code + ', signal: ' + signal);
      conn.end();
    }).on('data', function(data) {
      console.log('STDOUT: ' + data);
    }).stderr.on('data', function(data) {
      console.log('STDERR: ' + data);
    });
  });
}).connect({
  host: '<server>',
  port: 22,
  username: '<user>',
  privateKey: require('fs').readFileSync('<full_path>/id_rsa_<user>'),
  publicKey: require('fs').readFileSync('<full_path>/id_rsa_<user>-cert.pub')
});

switch (keyType) {
case '[email protected]':
case '[email protected]':
case 'ecdsa-sha2-nistp256':

I'd suggest this entire switch statement is unnecessary and you could just perform the replace blind. But this particular case statement seems redundant as it doesn't end in the appropriate string to qualify for the replace call?

@TimWolla (Author)

In fact the two cases below are also identical. These should've been [email protected], [email protected], and [email protected].

Not going to fix it, because this PR realistically is not going to be merged due to the planned rewrite of this library.


Not going to fix it, because this PR realistically is not going to be merged due to the planned rewrite of this library.

Are these issues the same in mscdex/ssh2#808 (which also "primarily awaits an updated PR")?

7 participants