Use of "no-touch-required" with "cert-authority"

Hello,

In testing security key support in OpenSSH 8.2, I had some trouble making the “no-touch-required” option in the authorized_keys file work in conjunction with OpenSSH certificates. I think I’ve figured it out, but I think there may be a bug in ssh-keygen related to this.

To make “no-touch-required” work with certificates, I actually had to do three things:

1. Generate the security key with touch disabled
2. Add “no-touch-required” as an extension when generating the certificate for this key
3. Add “no-touch-required” (along with “cert-authority”) in the authorized key entry on the server for the CA which signed the certificate

I would have expected that trusting a CA in authorized_keys along with the certificate having “no-touch-required” set to be enough to accept the key, without having to further override that explicitly in the authorized_keys entry. However, I can accept that you might want extra confirmation on the server that this certificate option should be trusted. Alternately, once that option was set in authorized_keys, I would have expected keys which don’t require presence to be accepted even without the certificate “no-touch-required” being set, similar to the non-certificate case.

Is that the intended behavior, to reject keys without presence unless BOTH options are set (in addition to the key itself not requiring presence)?

The other issue I ran across is that specifying “-O no-touch-required” when generating the certificate didn’t work, despite that being documented in the man page. It appears that ssh-keygen treats this keyword as an unknown “critical” value, rather than an “extension”. So, the generated certificate ended up looking something like:

        Critical Options: 
                no-touch-required UNKNOWN OPTION (len 0)
        Extensions: 
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc

To get it to be an extension, I had to use “-O extension:no-touch-required” as the option to ssh-keygen. Then, I saw:

        Critical Options: (none)
        Extensions: 
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc
                no-touch-required

I’m guessing this is not the intended behavior, and that “no-touch-required” should have been recognized as an extension without the “extension:” prefix, just like the other options such as “no-agent-forwarding”.
-- 
Ron Frederick
ronf@xxxxxxxxxxxxx



_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
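The placement problem described in the post (the option ending up under "Critical Options" as an UNKNOWN OPTION instead of under "Extensions") can be checked without ssh-keygen by decoding the certificate blob directly. The script below is an added example, not code from the post or from the OpenSSH project. It decodes the cert-v01 wire format from OpenSSH's PROTOCOL.certkeys and PROTOCOL.u2f just far enough to read the critical-options and extensions sections, reports where "no-touch-required" sits, and builds the matching cert-authority line for authorized_keys. The sample certificates are constructed inline (zero nonce, empty signature, made-up key bytes) so the script runs offline; they parse but would never verify against a CA. Per PROTOCOL.certkeys, sshd refuses a certificate carrying a critical option it does not recognise, which is why the "critical" placement fails.

```python
"""Locate 'no-touch-required' in an OpenSSH certificate: critical option or extension?

Added example (not from the mailing-list post or the OpenSSH project).
Decodes the *-cert.pub wire format (PROTOCOL.certkeys / PROTOCOL.u2f) far
enough to read the critical-options and extensions sections.  Sample
certificates are constructed inline with a zero nonce and an empty signature.
"""
import base64
import struct

# Number of SSH "string" fields that make up the public key, per cert type.
KEY_FIELDS = {
    "ssh-ed25519-cert-v01@openssh.com": 1,             # pk
    "sk-ssh-ed25519-cert-v01@openssh.com": 2,          # pk, application
    "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,     # curve, point
    "ecdsa-sha2-nistp384-cert-v01@openssh.com": 2,
    "ecdsa-sha2-nistp521-cert-v01@openssh.com": 2,
    "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com": 3,  # curve, point, application
    "ssh-rsa-cert-v01@openssh.com": 2,                 # e, n (mpints)
}


def _string(data: bytes) -> bytes:
    """Encode an SSH string: uint32 big-endian length prefix (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated certificate")
    return buf[off:off + n], off + n


def _encode_options(names):
    """Critical options and extensions are (string name, string data) pairs;
    flag-style entries such as no-touch-required carry empty data."""
    return b"".join(_string(n.encode()) + _string(b"") for n in names)


def _decode_options(section: bytes):
    names, off = [], 0
    while off < len(section):
        name, off = _read_string(section, off)
        _data, off = _read_string(section, off)
        names.append(name.decode())
    return names


def build_cert(critical, extensions) -> str:
    """Construct a sample (unsigned) sk-ssh-ed25519 user certificate line."""
    cert_type = b"sk-ssh-ed25519-cert-v01@openssh.com"
    blob = (
        _string(cert_type)
        + _string(b"\x00" * 32)             # nonce (constructed)
        + _string(b"\x11" * 32)             # ed25519 public key (constructed)
        + _string(b"ssh:")                  # FIDO application / rp id
        + struct.pack(">Q", 1)              # serial
        + struct.pack(">I", 1)              # type 1 = user certificate
        + _string(b"example-key")           # key id
        + _string(_string(b"user"))         # valid principals
        + struct.pack(">Q", 0)              # valid after
        + struct.pack(">Q", 2**64 - 1)      # valid before (forever)
        + _string(_encode_options(critical))
        + _string(_encode_options(extensions))
        + _string(b"")                      # reserved
        + _string(_string(b"ssh-ed25519") + _string(b"\x22" * 32))  # CA key (constructed)
        + _string(b"")                      # signature: empty, sample only
    )
    return f"{cert_type.decode()} {base64.b64encode(blob).decode()} constructed"


def parse_cert_options(line: str):
    """Return (cert_type, critical_option_names, extension_names) for a *-cert.pub line."""
    kind, b64 = line.split()[:2]
    buf = base64.b64decode(b64)
    cert_type, off = _read_string(buf, 0)
    cert_type = cert_type.decode()
    if cert_type != kind:
        raise ValueError(f"type mismatch: {kind} vs {cert_type}")
    if cert_type not in KEY_FIELDS:
        raise ValueError(f"unsupported certificate type {cert_type}")
    _nonce, off = _read_string(buf, off)
    for _ in range(KEY_FIELDS[cert_type]):
        _field, off = _read_string(buf, off)
    off += 8 + 4                                # serial, type
    _key_id, off = _read_string(buf, off)
    _principals, off = _read_string(buf, off)
    off += 8 + 8                                # valid after, valid before
    critical, off = _read_string(buf, off)
    extensions, off = _read_string(buf, off)
    return cert_type, _decode_options(critical), _decode_options(extensions)


def no_touch_placement(line: str):
    """'extension' if sshd can honour it, 'critical' if it landed in the wrong
    section (unknown critical options make sshd reject the cert), None if absent."""
    _, critical, extensions = parse_cert_options(line)
    if "no-touch-required" in critical:
        return "critical"
    if "no-touch-required" in extensions:
        return "extension"
    return None


def ca_authorized_keys_entry(ca_pub_line: str, allow_no_touch: bool) -> str:
    """Server-side line trusting the CA; 'no-touch-required' is needed here
    as well before presence-free sk keys are accepted."""
    key_type, key_b64 = ca_pub_line.split()[:2]
    opts = "cert-authority" + (",no-touch-required" if allow_no_touch else "")
    return f"{opts} {key_type} {key_b64}"


if __name__ == "__main__":
    samples = {
        "bare -O no-touch-required (8.2 behaviour)": build_cert(["no-touch-required"], ["permit-pty"]),
        "-O extension:no-touch-required": build_cert([], ["permit-pty", "no-touch-required"]),
    }
    for label, cert in samples.items():
        print(f"{label}: {no_touch_placement(cert)}")
    print(ca_authorized_keys_entry("ssh-ed25519 AAAAC3...constructed ca", True))
```

Running `parse_cert_options` on a real `id_ecdsa_sk-cert.pub` gives the same two lists that `ssh-keygen -L -f` prints under "Critical Options" and "Extensions"; the function only walks the fixed-order fields and never checks the signature, so it is an audit aid, not a validator.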
