OpenBSD Journal

OpenSSH's upcoming PKI

Contributed by deanna on from the building a better ssh dept.

Pierre-Yves Ritschard writes:

Daniel Hartmeier recently submitted to the OpenBSD tech mailing list a very interesting addition to OpenSSH, a PKI whose goal is to simplify host and user key administration.

While reading this, keep in mind that this is still in review; many have stated their opinions and criticism, and the code isn't imported in CVS right now. I'd also like to point out that the work dhartmei@ has done was sponsored by Allamanda Networks AG.

The starting point of all of this seems to be the state of key handling at large sites: a complete mess.

Of course, various efforts exist (such as the ssh-lpk patch) to try to solve this situation. Mostly, host and user keys are handled by an in-house solution at large sites (most of which involve a well-known distribution method such as rsync, rdist or cfengine). The basic problem with centralizing user and host keys is that your repository needs to be up at all times (which is why the ssh-lpk patch is problematic), and when half of your network is down, you really don't want to be scratching your head, not understanding why you can't log in to the machines that are still up.

So basically a good PKI needs to attend to these issues:

  • Handle the role of the known_hosts file
  • Handle the role of the authorized_keys file
  • Be network independent
  • Provide a way of quickly and sanely revoking keys
  • Rely on lightweight protocols, keep complicated libraries out of OpenSSH

dhartmei@ implemented all of the above, and provided a patch to implement the feature. The functionality is dubbed certkey and relies on a CA created by ssh-keygen, and subsequent host and user keys created against this CA.

This PKI being network independent, the CA needs to be distributed to all hosts.

Bob Beck pointed out that this implementation had the flaw every PKI has: it does not provide a way of revoking keys quickly in case of compromise. This was promptly fixed; a simple key validation daemon is now available (announcement).

This project looks very promising and will probably be useful even at small sites.


  1. By Brian ( on

    This is something I am glad to see. Using PKI can help in many different situations. It is also good to see that if the CAL is under a DoS that an admin can still login using other means.

    Great job Daniel!!!!!!

  2. By Darrin Chandler ( on

    When I first read this on tech@ I was dubious, but others brought up my concerns and more. The response and further plans and work were well done.

    The original offline nature of the proposed PKI put me off, but I'm still waiting to see how things shape up. A robust PKI for ssh would be a boon for those who need it.

  3. By baldusi ( on

    Forgive my ignorance, but how does this differ from a Kerberos implementation? In practical terms, of course.

    1. By Anonymous Coward ( on

      > Forgive my ignorance, but how does this differ from a Kerberos implementation? In practical terms, of course.

      -One less thing to keep configured and audited.
      -Kerberos is a dog.

    2. By Janne Johansson ( on

      > Forgive my ignorance, but how does this differ from a Kerberos implementation? In practical terms, of course.

      We do krb5 auth for host-keys too, but it won't help you if half your network is down, which was one of the major points to this exercise. It helps with the scaling problem of adding new hosts to large sites though.
      And it obviously helps if you already are doing krb5, since setting it up would be far more work than any kind of rsync-my-hostkeys solution.

  4. By Amir S Mesry ( on

    Hmm, sounds very interesting, maybe an OpenPKI Suite in the future? I wonder, could I use it with OpenVPN?

    1. By Joachim Schipper ( on

      I think this highly unlikely. SSH can more-or-less replace OpenVPN, though.


  5. By Krunch ( on

    How does this compare with Roumen Petrov's patch?

    1. By Ben Lindstrom ( mouring@nospam.eviladmin.or on

      > How does this compare with Roumen Petrov's patch?

      Ermm.. if I remember this is very different. This just adds in some of the X.509 stuff, but doesn't try to be a complete solution like what is attempting to be done.

      I have to say the idea is interesting. I could see it being very useful even in my new environment.

