SSH certificates

[ikewinski]

I'd like to migrate from existing static ssh rsa keys to ssh certificates, ideally with both user and host certificate validation. To do this on other unix-like hosts I add a few lines to sshd_config:

Code: [Select]

HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
TrustedUserCAKeys /etc/ssh/user_ca.key.pub
RevokedKeys /etc/ssh/revocation_list.krl
And then create the three files and restart sshd.

I'm coming from pfsense where there's an /etc/sshd_extra file that makes this easy enough. I'm unable to find a comparable file in OPNsense. I see that /usr/local/etc/ssh/sshd_config is generated by /usr/local/etc/inc/plugins.inc.d/openssh.inc and assume that I could modify openssh.inc, but risk having my changes broken by upgrades. What's the right way to add some sshd config elements? And should the certificates and revocation list be stored in /etc/ssh or /usr/local/etc/ssh?

[ikewinski]

Can anyone advise the best place to install certificates?

/etc/ssh
/usr/local/etc/ssh
/conf/sshd

Since host keys are in /conf/sshd my instinct says that is the best place. But I don't want to find out later that this directory is cleared during an upgrade and I lose my login access.

[ikewinski]

In case anyone comes across this thread, I can confirm that installing certificates into /conf/sshd/ works fine, along with these modifications to /usr/local/etc/inc/plugins.inc.d/openssh.inc (we're disabling all host keys except ed25519 here too).

I do not know if any of this is going to survive an upgrade and have made a backup copy of /usr/local/etc/inc/plugins.inc.d/openssh.inc

Code: [Select]

# diff -u old-openssh.inc new-openssh.inc
--- old-openssh.inc     2023-12-15 09:36:28.527924000 -0700
+++ new-openssh.inc     2023-12-15 09:35:44.361945000 -0700
@@ -125,8 +125,8 @@
 
     $keys = array(
         /* .pub files are implied */
-        'rsa' => 'ssh_host_rsa_key',
-        'ecdsa' => 'ssh_host_ecdsa_key',
+        /* 'rsa' => 'ssh_host_rsa_key', */
+        /* 'ecdsa' => 'ssh_host_ecdsa_key', */
         'ed25519' => 'ssh_host_ed25519_key',
     );
 
@@ -173,6 +173,9 @@
     $sshconf .= "X11Forwarding no\n";
     $sshconf .= "PubkeyAuthentication yes\n";
     $sshconf .= "Subsystem sftp internal-sftp\n";
+    $sshconf .= "HostCertificate /conf/sshd/ssh_host_ed25519_key-cert.pub\n";
+    $sshconf .= "TrustedUserCAKeys /conf/sshd/Massive_Networks_user_ca.key.pub\n";
+    $sshconf .= "RevokedKeys /conf/sshd/revocation_list.krl\n";
     $sshconf .= "AllowGroups wheel";
     if (!empty($sshcfg['group'][0])) {
         $sshconf .= " {$sshcfg['group'][0]}";

The file /conf/sshd/ssh_host_ed25519_key-cert.pub is the signed certificate based on /conf/sshd/ssh_host_ed25519_key.pub. This allows host certificate authentication.

The file /conf/sshd/user_ca.key.pub is our user CA public key. This allows user certificate authentication.

The file /conf/sshd/revocation_list.krl is generated initially with ssh-keygen -k -f /conf/sshd/revocation_list.krl

[ikewinski]

I'm sad to report that after upgrade my /usr/local/etc/inc/plugins.inc.d/openssh.inc is reverted. So this is not sustainable for us.

The method used by pfSense of importing /etc/sshd_extra seems ideal. Then the script can simply include it.