Diffstat (limited to 'PROTOCOL.certkeys')
-rw-r--r-- | PROTOCOL.certkeys | 89 |
1 files changed, 60 insertions, 29 deletions
diff --git a/PROTOCOL.certkeys b/PROTOCOL.certkeys index 1d1be13da..2f9764981 100644 --- a/PROTOCOL.certkeys +++ b/PROTOCOL.certkeys | |||
@@ -5,31 +5,37 @@ Background | |||
5 | ---------- | 5 | ---------- |
6 | 6 | ||
7 | The SSH protocol currently supports a simple public key authentication | 7 | The SSH protocol currently supports a simple public key authentication |
8 | mechanism. Unlike other public key implementations, SSH eschews the | 8 | mechanism. Unlike other public key implementations, SSH eschews the use |
9 | use of X.509 certificates and uses raw keys. This approach has some | 9 | of X.509 certificates and uses raw keys. This approach has some benefits |
10 | benefits relating to simplicity of configuration and minimisation | 10 | relating to simplicity of configuration and minimisation of attack |
11 | of attack surface, but it does not support the important use-cases | 11 | surface, but it does not support the important use-cases of centrally |
12 | of centrally managed, passwordless authentication and centrally | 12 | managed, passwordless authentication and centrally certified host keys. |
13 | certified host keys. | ||
14 | 13 | ||
15 | These protocol extensions build on the simple public key authentication | 14 | These protocol extensions build on the simple public key authentication |
16 | system already in SSH to allow certificate-based authentication. | 15 | system already in SSH to allow certificate-based authentication. The |
17 | The certificates used are not traditional X.509 certificates, with | 16 | certificates used are not traditional X.509 certificates, with numerous |
18 | numerous options and complex encoding rules, but something rather | 17 | options and complex encoding rules, but something rather more minimal: a |
19 | more minimal: a key, some identity information and usage options | 18 | key, some identity information and usage options that have been signed |
20 | that have been signed with some other trusted key. | 19 | with some other trusted key. |
21 | 20 | ||
22 | A sshd server may be configured to allow authentication via certified | 21 | A sshd server may be configured to allow authentication via certified |
23 | keys, by extending the existing ~/.ssh/authorized_keys mechanism | 22 | keys, by extending the existing ~/.ssh/authorized_keys mechanism to |
24 | to allow specification of certification authority keys in addition | 23 | allow specification of certification authority keys in addition to |
25 | to raw user keys. The ssh client will support automatic verification | 24 | raw user keys. The ssh client will support automatic verification of |
26 | of acceptance of certified host keys, by adding a similar ability | 25 | acceptance of certified host keys, by adding a similar ability to |
27 | to specify CA keys in ~/.ssh/known_hosts. | 26 | specify CA keys in ~/.ssh/known_hosts. |
28 | 27 | ||
29 | Certified keys are represented using two new key types: | 28 | Certified keys are represented using new key types: |
30 | ssh-rsa-cert-v01@openssh.com and ssh-dss-cert-v01@openssh.com that | 29 | |
31 | include certification information along with the public key that is used | 30 | ssh-rsa-cert-v01@openssh.com |
32 | to sign challenges. ssh-keygen performs the CA signing operation. | 31 | ssh-dss-cert-v01@openssh.com |
32 | ecdsa-sha2-nistp256-cert-v01@openssh.com | ||
33 | ecdsa-sha2-nistp384-cert-v01@openssh.com | ||
34 | ecdsa-sha2-nistp521-cert-v01@openssh.com | ||
35 | |||
36 | These include certification information along with the public key | ||
37 | that is used to sign challenges. ssh-keygen performs the CA signing | ||
38 | operation. | ||
33 | 39 | ||
34 | Protocol extensions | 40 | Protocol extensions |
35 | ------------------- | 41 | ------------------- |
@@ -47,10 +53,9 @@ in RFC4252 section 7. | |||
47 | New public key formats | 53 | New public key formats |
48 | ---------------------- | 54 | ---------------------- |
49 | 55 | ||
50 | The ssh-rsa-cert-v01@openssh.com and ssh-dss-cert-v01@openssh.com key | 56 | The certificate key types take a similar high-level format (note: data |
51 | types take a similar high-level format (note: data types and | 57 | types and encoding are as per RFC4251 section 5). The serialised wire |
52 | encoding are as per RFC4251 section 5). The serialised wire encoding of | 58 | encoding of these certificates is also used for storing them on disk. |
53 | these certificates is also used for storing them on disk. | ||
54 | 59 | ||
55 | #define SSH_CERT_TYPE_USER 1 | 60 | #define SSH_CERT_TYPE_USER 1 |
56 | #define SSH_CERT_TYPE_HOST 2 | 61 | #define SSH_CERT_TYPE_HOST 2 |
@@ -93,6 +98,26 @@ DSA certificate | |||
93 | string signature key | 98 | string signature key |
94 | string signature | 99 | string signature |
95 | 100 | ||
101 | ECDSA certificate | ||
102 | |||
103 | string "ecdsa-sha2-nistp256@openssh.com" | | ||
104 | "ecdsa-sha2-nistp384@openssh.com" | | ||
105 | "ecdsa-sha2-nistp521@openssh.com" | ||
106 | string nonce | ||
107 | string curve | ||
108 | string public_key | ||
109 | uint64 serial | ||
110 | uint32 type | ||
111 | string key id | ||
112 | string valid principals | ||
113 | uint64 valid after | ||
114 | uint64 valid before | ||
115 | string critical options | ||
116 | string extensions | ||
117 | string reserved | ||
118 | string signature key | ||
119 | string signature | ||
120 | |||
96 | The nonce field is a CA-provided random bitstring of arbitrary length | 121 | The nonce field is a CA-provided random bitstring of arbitrary length |
97 | (but typically 16 or 32 bytes) included to make attacks that depend on | 122 | (but typically 16 or 32 bytes) included to make attacks that depend on |
98 | inducing collisions in the signature hash infeasible. | 123 | inducing collisions in the signature hash infeasible. |
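Review bot: The type strings in the new ECDSA certificate field list ("ecdsa-sha2-nistp256@openssh.com" and the nistp384/nistp521 variants) do not match the key type names this same change adds to the Background section, which carry the "-cert-v01" component (ecdsa-sha2-nistp256-cert-v01@openssh.com and so on). The document states that the signature is computed over all preceding fields starting from this initial string, so an implementation following the field list and one following the Background list would disagree on the signed bytes. Suggest making the three strings here read ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com and ecdsa-sha2-nistp521-cert-v01@openssh.com.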
@@ -101,6 +126,9 @@ e and n are the RSA exponent and public modulus respectively. | |||
101 | 126 | ||
102 | p, q, g, y are the DSA parameters as described in FIPS-186-2. | 127 | p, q, g, y are the DSA parameters as described in FIPS-186-2. |
103 | 128 | ||
129 | curve and public key are respectively the ECDSA "[identifier]" and "Q" | ||
130 | defined in section 3.1 of RFC5656. | ||
131 | |||
104 | serial is an optional certificate serial number set by the CA to | 132 | serial is an optional certificate serial number set by the CA to |
105 | provide an abbreviated way to refer to certificates from that CA. | 133 | provide an abbreviated way to refer to certificates from that CA. |
106 | If a CA does not wish to number its certificates it must set this | 134 | If a CA does not wish to number its certificates it must set this |
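Review bot: The added sentence refers to "curve and public key", but the ECDSA field list added earlier in this patch names the second field "public_key", while the other multi-word fields there use a space ("key id", "valid principals", "signature key"). Use one spelling in both places so the prose can be matched to the field list without guessing.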
@@ -123,7 +151,8 @@ any principal of the specified type. XXX DNS wildcards? | |||
123 | "valid after" and "valid before" specify a validity period for the | 151 | "valid after" and "valid before" specify a validity period for the |
124 | certificate. Each represents a time in seconds since 1970-01-01 | 152 | certificate. Each represents a time in seconds since 1970-01-01 |
125 | 00:00:00. A certificate is considered valid if: | 153 | 00:00:00. A certificate is considered valid if: |
126 | valid after <= current time < valid before | 154 | |
155 | valid after <= current time < valid before | ||
127 | 156 | ||
128 | criticial options is a set of zero or more key options encoded as | 157 | criticial options is a set of zero or more key options encoded as |
129 | below. All such options are "critical" in the sense that an implementation | 158 | below. All such options are "critical" in the sense that an implementation |
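Review bot: The paragraph immediately after the re-indented validity expression begins "criticial options", a misspelling of "critical" that this whitespace-only change leaves in place. Since the line is already in the hunk's context, it is worth correcting in the same commit so the field name matches the "string critical options" entry in the certificate layouts.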
@@ -137,15 +166,17 @@ The reserved field is currently unused and is ignored in this version of | |||
137 | the protocol. | 166 | the protocol. |
138 | 167 | ||
139 | signature key contains the CA key used to sign the certificate. | 168 | signature key contains the CA key used to sign the certificate. |
140 | The valid key types for CA keys are ssh-rsa and ssh-dss. "Chained" | 169 | The valid key types for CA keys are ssh-rsa, ssh-dss and the ECDSA types |
170 | ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521. "Chained" | ||
141 | certificates, where the signature key type is a certificate type itself | 171 | certificates, where the signature key type is a certificate type itself |
142 | are NOT supported. Note that it is possible for a RSA certificate key to | 172 | are NOT supported. Note that it is possible for a RSA certificate key to |
143 | be signed by a DSS CA key and vice-versa. | 173 | be signed by a DSS or ECDSA CA key and vice-versa. |
144 | 174 | ||
145 | signature is computed over all preceding fields from the initial string | 175 | signature is computed over all preceding fields from the initial string |
146 | up to, and including the signature key. Signatures are computed and | 176 | up to, and including the signature key. Signatures are computed and |
147 | encoded according to the rules defined for the CA's public key algorithm | 177 | encoded according to the rules defined for the CA's public key algorithm |
148 | (RFC4253 section 6.6 for ssh-rsa and ssh-dss). | 178 | (RFC4253 section 6.6 for ssh-rsa and ssh-dss, RFC5656 for the ECDSA |
179 | types). | ||
149 | 180 | ||
150 | Critical options | 181 | Critical options |
151 | ---------------- | 182 | ---------------- |
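Review bot: "signed by a DSS or ECDSA CA key and vice-versa" is ambiguous now that there are three families; "vice-versa" worked for the RSA/DSS pair but does not say whether, for example, an ECDSA certificate key may be signed by an RSA CA. Suggest stating directly that any supported certificate key type may be signed by any of the listed CA key types, if that is the intent. The signature encoding reference is also less precise for the new types: ssh-rsa and ssh-dss cite "RFC4253 section 6.6" while the ECDSA types cite only "RFC5656" with no section, so adding the section number would keep the two references at the same level of detail.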
@@ -222,4 +253,4 @@ permit-user-rc empty Flag indicating that execution of | |||
222 | of this script will not be permitted if | 253 | of this script will not be permitted if |
223 | this option is not present. | 254 | this option is not present. |
224 | 255 | ||
225 | $OpenBSD: PROTOCOL.certkeys,v 1.7 2010/08/04 05:40:39 djm Exp $ | 256 | $OpenBSD: PROTOCOL.certkeys,v 1.8 2010/08/31 11:54:45 djm Exp $ |