…and if so, how?
Do you mean X509 certificates as used with TLS (SSL)? Or do you mean OpenSSH “homebrew” simplified certificates?
I didn’t know there was a difference. I’ll do some more reading.
What I’m looking for is a way to allow SSH to the console, using public key authentication, but without the need to keep authorized_users synchronised across all nodes.
Ideally, we’d integrate with something AWS-aware that handed out short-term (hours, rather than days) client certs.
See ssh_server_key_api
https://www.erlang.org/doc/man/ssh_server_key_api.html
I saw that, but it doesn’t seem to allow for checking a certificate chain. My thinking at the time was that we could just deploy a root cert to the nodes, and then validate the client cert against that. Kinda normal stuff (for TLS).
Are you suggesting, instead, that I use the is_auth_key callback (which takes the client’s public key) and check that against … something else … that either holds a centralised copy of the public key, or that handed out the keypair in the first place…?
Do you have any examples or documentation for how that might work…?
The default callback is Erlang’s ssh_file.
That uses the usual ssh certificates, with known_hosts and authorized_keys in the system or user directory.
Those directories can be changed as parameters if those files come with a release, for instance, or if the user running the VM does not have access to the system ones. Be aware that openssl is used under the hood, so the usual security access must be respected.
Creating a custom callback can be inspired by ssh_file.erl.
Important: rsa is deprecated by default on recent OTP releases. Add this in sys.config as a workaround.
{ssh, [{modify_algorithms,
        [{append,  [{kex, ['diffie-hellman-group1-sha1']}]},
         {prepend, [{public_key, ['ssh-rsa']}]}
        ]}
      ]}
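As an added illustration of the is_auth_key route discussed above (this is example code written for this reply, not from the thread, from OTP or from any project): a minimal ssh_server_key_api callback that delegates host-key handling to ssh_file but decides user authorisation by asking a central store instead of reading authorized_keys on the node. The module name central_key_cb, the lookup option key, the my_store module and the not-after timestamps are all assumptions for the example; it also assumes the documented behaviour that the Opts given in {key_cb, {Mod, Opts}} reach the callback as {key_cb_private, Opts} in DaemonOptions, and that ssh_file:decode/2 (OTP 24+) returns [{Key, Attrs}] for Type = public_key.

```erlang
%% central_key_cb.erl -- hypothetical example module, not part of OTP.
-module(central_key_cb).
-behaviour(ssh_server_key_api).
-export([host_key/2, is_auth_key/3, decode_line/1, start_daemon/2]).

%% The node's own host key still comes from the ssh_file directories
%% (system_dir etc.), so only user authorisation is customised.
host_key(Algorithm, DaemonOptions) ->
    ssh_file:host_key(Algorithm, DaemonOptions).

%% Called by the ssh daemon for every public-key authentication attempt.
%% The key_cb_private entry carries the Opts given in {key_cb, {Mod, Opts}}
%% at ssh:daemon/3 time. Here it holds a fun that returns the currently
%% authorised keys for a user, each paired with an expiry (seconds since
%% epoch), so a central service decides who may log in and for how long,
%% and nothing on the node needs to be synchronised.
is_auth_key(PublicUserKey, User, DaemonOptions) ->
    Opts   = proplists:get_value(key_cb_private, DaemonOptions, []),
    Lookup = proplists:get_value(lookup, Opts),
    Now    = erlang:system_time(second),
    case catch Lookup(User) of
        {ok, Entries} when is_list(Entries) ->
            %% Match on the decoded key term itself, not on a string,
            %% and refuse keys whose validity window has passed.
            lists:any(fun({Key, NotAfter}) ->
                              Key =:= PublicUserKey andalso Now < NotAfter
                      end, Entries);
        _Other ->
            %% Unknown user, store unreachable or a crash in the lookup:
            %% fail closed.
            false
    end.

%% Turn one OpenSSH public-key line (the format of an authorized_keys
%% entry) into the key term the daemon compares against. Assumes the
%% OTP 24+ ssh_file:decode/2 return shape for Type = public_key.
decode_line(Line) when is_binary(Line) ->
    [{Key, _Attrs}] = ssh_file:decode(Line, public_key),
    Key.

%% Start a daemon that uses this callback. Lookup is a fun(User) ->
%% {ok, [{Key, NotAfterSeconds}]} | error; a real deployment would back
%% it with ETS, an HTTP call to the issuing service, or similar.
start_daemon(Port, Lookup) when is_integer(Port), is_function(Lookup, 1) ->
    ssh:daemon(Port, [{system_dir, "/etc/ssh"},
                      {key_cb, {?MODULE, [{lookup, Lookup}]}}]).
```

Usage, assuming a constructed store: `Lookup = fun(U) -> my_store:keys_for(U) end` where `my_store:keys_for/1` returns `{ok, [{central_key_cb:decode_line(PubKeyLine), ExpiryUnix}]}`, then `central_key_cb:start_daemon(2222, Lookup)`. The callback only compares raw public keys; it does not walk a certificate chain, which is why the thread's OpenSSH-certificate question is not answered by this approach alone.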
You misunderstand. I know how to replace the implementation. I’m looking for examples where other people have done something like what I’m asking.
Are there any walkthroughs/examples/documentation where people have used a custom callback to avoid deploying new authorized_users in order to make changes?
I am not aware of any code that adds OpenSSH certificate based authentication to the (server part of the) erlang ssh application.
When I found nothing and tried to figure out what modifications to the ssh application would be needed to get this working, I gave up at some point.
However, I do have the code to operate on OpenSSH certificates in my Erlang SSH authentication agent application here: essh_pkt.erl, essh_cert.erl, which might be of use.