[0xCMP]

Something rarely mentioned with SSH, but which there have been a few recent articles on HN about, are SSH certificates and the fact that you can use the PIV of a yubikey to do certificate management.

e.g. You can create a certificate which you load the public key of in to your servers (using initial access or baked in to some image) which the private key is loaded in the PIV of the YubiKey. Someone can then generate an SSH keypair and provide you their public key and you can generate an SSH Cert which allows them access to that server for the time and specific users you specify in the certificate. It requires using OpenSSH instead of something like libSSH2 (which most iOS clients are using instead unfortunately).

This is all the same thing actually as running your own TLS CA by the way so you can also use a yubikey to securely store a sub-CA used to create certificates for internal use.

[akerl_]

It’s worth noting that for “SSH certificates”, the leaf certs are not x509-based, and that you can’t put a CA-signed SSH user key onto a yubikey.

When yubikeys are used for SSH auth (either in GPG or PIV mode), they’re using the raw private key (either via GPG-agent or opensc, generally). The SSH client/server doesn’t get context about the identity, its trust relationships, etc.

This limits usage to trusting individual keys, rather than being able to trust “all keys signed by the CA”.

[count]

This seems to indicate you can: https://developers.yubico.com/PIV/Guides/SSH_with_PIV_and_PK...

('If an external key has been imported and a certificate already exists, skip step 2' - you can import a certificate signed by a CA, and OpenSSH allows you trust certs signed by a given CA.)

Am I missing something here where that doesn't work in this combo? Or are you referencing 'ssh keys' specifically, as opposed to 'certificates being used for ssh'?

[akerl_]

That doc doesn’t use a CA at all.

Step 1 has you import an existing RSA private key or generate one on the device.

In step 2, you self-sign the certificate. As noted in the doc, “The only use for the x509 certificate is to satisfy the PIV/PKCS #11 lib”. You can skip this, per the note in step 1, if your key is already signed.

In future steps, when you’re SSHing with the pkcs11 library, it’s using the public/private components of that RSA key. The certificate (any certificate) has to exist because PKCS11 needs that to cleanly view the public key, but the actual cert metadata, including issuer, is fully unused. Importing a cert signed by a CA has no impact on the result.

On the OpenSSH side, their “CA” support does not create signed leaf x509 certificates. You trust a cert public key, and it signs an OpenSSH-specific representation of user/host public key. OpenSSH then has a special public key type for authenticating using that signed key. As such, PIV/PKCS11 keys, as far as I’m aware, cannot be used as part of OpenSSH’s “CA” support.

[elevation]

What token hardware does support x509 certs (and thus compatible with an SSH CA?)

[akerl_]

The Yubikey supports x509 certs (this is the PIV app). And you can use them for SSH authentication via opensc or similar. But this just uses the RSA private key, not the cert.

SSH’s built-in CA support uses a certificate authority private key to sign regular SSH public keys. The resulting public key cert isn’t compatible, as far as I know, with any hardware keys.