Hacker News new | ask | show | jobs
by akerl_ 2193 days ago
It’s worth noting that for “SSH certificates”, the leaf certs are not x509-based, and that you can’t put a CA-signed SSH user key onto a yubikey.

When yubikeys are used for SSH auth (either in GPG or PIV mode), they’re using the raw private key (either via GPG-agent or opensc, generally). The SSH client/server doesn’t get context about the identity, its trust relationships, etc.

This limits usage to trusting individual keys, rather than being able to trust “all keys signed by the CA”.
2 comments
count 2193 days ago
This seems to indicate you can: https://developers.yubico.com/PIV/Guides/SSH_with_PIV_and_PK...

('If an external key has been imported and a certificate already exists, skip step 2' - you can import a certificate signed by a CA, and OpenSSH allows you trust certs signed by a given CA.)

Am I missing something here where that doesn't work in this combo? Or are you referencing 'ssh keys' specifically, as opposed to 'certificates being used for ssh'?

link
akerl_ 2193 days ago
That doc doesn’t use a CA at all.

Step 1 has you import an existing RSA private key or generate one on the device.

In step 2, you self-sign the certificate. As noted in the doc, “The only use for the x509 certificate is to satisfy the PIV/PKCS #11 lib”. You can skip this, per the note in step 1, if your key is already signed.

In future steps, when you’re SSHing with the pkcs11 library, it’s using the public/private components of that RSA key. The certificate (any certificate) has to exist because PKCS11 needs that to cleanly view the public key, but the actual cert metadata, including issuer, is fully unused. Importing a cert signed by a CA has no impact on the result.

On the OpenSSH side, their “CA” support does not create signed leaf x509 certificates. You trust a cert public key, and it signs an OpenSSH-specific representation of user/host public key. OpenSSH then has a special public key type for authenticating using that signed key. As such, PIV/PKCS11 keys, as far as I’m aware, cannot be used as part of OpenSSH’s “CA” support.

link
elevation 2193 days ago
What token hardware does support x509 certs (and thus compatible with an SSH CA?)
link
akerl_ 2193 days ago
The Yubikey supports x509 certs (this is the PIV app). And you can use them for SSH authentication via opensc or similar. But this just uses the RSA private key, not the cert.

SSH’s built-in CA support uses a certificate authority private key to sign regular SSH public keys. The resulting public key cert isn’t compatible, as far as I know, with any hardware keys.

link