Windows – How to use OpenSSH certificates on Windows

authenticationsshssh-keyswindows

OpenSSH supports signing user keys with a certificate authority. From man ssh-keygen:

ssh-keygen supports signing of keys to produce certificates that may
be used for user or host authentication.  Certificates consist of a
public key, some identity information, zero or more principal (user
or host) names and a set of options that are signed by a Certification
Authority (CA) key

In a pure Linux environment SSH certificates are quite easy to use. No problem for the server part (TrustedUserCAKeys) and on the client side ssh -i does the right job.

I need to be able to use OpenSSH certificates from a Windows SSH client (the project is to deliver short-living SSH certificates to sysadmins Windows workstations after they have authenticated themselves using a company specific auth scheme).

Cygwin is not an option (killing a fly with a hammer, and probably not acceptable by Windows admins), PuTTY does not recognize OpenSSH certificates.

What would be other options?

Best Answer

If you can't end up figuring out a way to use the certs with PuTTY. There are lighter-weight ways to get the actual OpenSSH client on a Windows box than Cygwin. The most likely candidate that comes to mind is the Windows distribution of Git.

There's a standard installable version or a portable version that you can just unzip and run. It's basically bash, git, and ssh.

Slightly heavier, but at least native to the OS is the Windows Subsystem for Linux which could work if you have Windows 10 anniversary update or later.

Related Solutions

SSH – Stop Client from Offering All Public Keys

This is expected behaviour according to the man page of ssh_config:

 IdentityFile
         Specifies a file from which the user's DSA, ECDSA or DSA authentica‐
         tion identity is read.  The default is ~/.ssh/identity for protocol
         version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa and ~/.ssh/id_rsa for
         protocol version 2.  Additionally, any identities represented by the
         authentication agent will be used for authentication.  

         [...]

         It is possible to have multiple identity files specified in configu‐
         ration files; all these identities will be tried in sequence.  Mul‐
         tiple IdentityFile directives will add to the list of identities
         tried (this behaviour differs from that of other configuration
         directives).

Basically, specifying IdentityFiles just adds keys to a current list the SSH agent already presented to the client.

Try overriding this behaviour with this at the bottom of your .ssh/config file:

Host *
  IdentitiesOnly yes

You can also override this setting on the host level, e.g.:

Host foo
  User bar
  IdentityFile /path/to/key
  IdentitiesOnly yes

OpenSSH – Docs for CA-Based Certificate Authentication

Indeed, the docs do look rather sparse. The PROTOCOL.certkeys file is probably your best place to go for low-level documentation re: this feature.

re: using intermediate CA's, have a look at this quote from that doc:

"Chained" certificates, where the signature key type is a certificate type itself are NOT supported.

If I'm reading that right then using an intermediate CA is expressly not possible. In general, it looks like this is a really, really bare-bones PKI implementation and you should probably throw out most of what you'd expect in an X.509 PKI world.

Best Answer

Related Solutions

SSH – Stop Client from Offering All Public Keys

OpenSSH – Docs for CA-Based Certificate Authentication

Related Topic