xref: /freebsd/crypto/openssh/PROTOCOL.certkeys (revision ea825d02749f382c3f7e17f28247f20a48733eab) 
1This document describes a simple public-key certificate authentication
2system for use by SSH.
3
4Background
5----------
6
7The SSH protocol currently supports a simple public key authentication
8mechanism. Unlike other public key implementations, SSH eschews the use
9of X.509 certificates and uses raw keys. This approach has some benefits
10relating to simplicity of configuration and minimisation of attack
11surface, but it does not support the important use-cases of centrally
12managed, passwordless authentication and centrally certified host keys.
13
14These protocol extensions build on the simple public key authentication
15system already in SSH to allow certificate-based authentication. The
16certificates used are not traditional X.509 certificates, with numerous
17options and complex encoding rules, but something rather more minimal: a
18key, some identity information and usage options that have been signed
19with some other trusted key.
20
21A sshd server may be configured to allow authentication via certified
22keys, by extending the existing ~/.ssh/authorized_keys mechanism to
23allow specification of certification authority keys in addition to
24raw user keys. The ssh client will support automatic verification of
25acceptance of certified host keys, by adding a similar ability to
26specify CA keys in ~/.ssh/known_hosts.
27
28Certified keys are represented using new key types:
29
30    ssh-rsa-cert-v01@openssh.com
31    ssh-dss-cert-v01@openssh.com
32    ecdsa-sha2-nistp256-cert-v01@openssh.com
33    ecdsa-sha2-nistp384-cert-v01@openssh.com
34    ecdsa-sha2-nistp521-cert-v01@openssh.com
35
36These include certification information along with the public key
37that is used to sign challenges. ssh-keygen performs the CA signing
38operation.
39
40Protocol extensions
41-------------------
42
43The SSH wire protocol includes several extensibility mechanisms.
44These modifications shall take advantage of namespaced public key
45algorithm names to add support for certificate authentication without
46breaking the protocol - implementations that do not support the
47extensions will simply ignore them.
48
49Authentication using the new key formats described below proceeds
50using the existing SSH "publickey" authentication method described
51in RFC4252 section 7.
52
53New public key formats
54----------------------
55
56The certificate key types take a similar high-level format (note: data
57types and encoding are as per RFC4251 section 5). The serialised wire
58encoding of these certificates is also used for storing them on disk.
59
60#define SSH_CERT_TYPE_USER    1
61#define SSH_CERT_TYPE_HOST    2
62
63RSA certificate
64
65    string    "ssh-rsa-cert-v01@openssh.com"
66    string    nonce
67    mpint     e
68    mpint     n
69    uint64    serial
70    uint32    type
71    string    key id
72    string    valid principals
73    uint64    valid after
74    uint64    valid before
75    string    critical options
76    string    extensions
77    string    reserved
78    string    signature key
79    string    signature
80
81DSA certificate
82
83    string    "ssh-dss-cert-v01@openssh.com"
84    string    nonce
85    mpint     p
86    mpint     q
87    mpint     g
88    mpint     y
89    uint64    serial
90    uint32    type
91    string    key id
92    string    valid principals
93    uint64    valid after
94    uint64    valid before
95    string    critical options
96    string    extensions
97    string    reserved
98    string    signature key
99    string    signature
100
101ECDSA certificate
102
103    string    "ecdsa-sha2-nistp256-v01@openssh.com" |
104              "ecdsa-sha2-nistp384-v01@openssh.com" |
105              "ecdsa-sha2-nistp521-v01@openssh.com"
106    string    nonce
107    string    curve
108    string    public_key
109    uint64    serial
110    uint32    type
111    string    key id
112    string    valid principals
113    uint64    valid after
114    uint64    valid before
115    string    critical options
116    string    extensions
117    string    reserved
118    string    signature key
119    string    signature
120
121ED25519 certificate
122
123    string    "ssh-ed25519-cert-v01@openssh.com"
124    string    nonce
125    string    pk
126    uint64    serial
127    uint32    type
128    string    key id
129    string    valid principals
130    uint64    valid after
131    uint64    valid before
132    string    critical options
133    string    extensions
134    string    reserved
135    string    signature key
136    string    signature
137
138The nonce field is a CA-provided random bitstring of arbitrary length
139(but typically 16 or 32 bytes) included to make attacks that depend on
140inducing collisions in the signature hash infeasible.
141
142e and n are the RSA exponent and public modulus respectively.
143
144p, q, g, y are the DSA parameters as described in FIPS-186-2.
145
146curve and public key are respectively the ECDSA "[identifier]" and "Q"
147defined in section 3.1 of RFC5656.
148
149pk is the encoded Ed25519 public key as defined by
150draft-josefsson-eddsa-ed25519-03.
151
152serial is an optional certificate serial number set by the CA to
153provide an abbreviated way to refer to certificates from that CA.
154If a CA does not wish to number its certificates it must set this
155field to zero.
156
157type specifies whether this certificate is for identification of a user
158or a host using a SSH_CERT_TYPE_... value.
159
160key id is a free-form text field that is filled in by the CA at the time
161of signing; the intention is that the contents of this field are used to
162identify the identity principal in log messages.
163
164"valid principals" is a string containing zero or more principals as
165strings packed inside it. These principals list the names for which this
166certificate is valid; hostnames for SSH_CERT_TYPE_HOST certificates and
167usernames for SSH_CERT_TYPE_USER certificates. As a special case, a
168zero-length "valid principals" field means the certificate is valid for
169any principal of the specified type.
170
171"valid after" and "valid before" specify a validity period for the
172certificate. Each represents a time in seconds since 1970-01-01
17300:00:00. A certificate is considered valid if:
174
175    valid after <= current time < valid before
176
177criticial options is a set of zero or more key options encoded as
178below. All such options are "critical" in the sense that an implementation
179must refuse to authorise a key that has an unrecognised option.
180
181extensions is a set of zero or more optional extensions. These extensions
182are not critical, and an implementation that encounters one that it does
183not recognise may safely ignore it.
184
185Generally, critical options are used to control features that restrict
186access where extensions are used to enable features that grant access.
187This ensures that certificates containing unknown restrictions do not
188inadvertently grant access while allowing new protocol features to be
189enabled via extensions without breaking certificates' backwards
190compatibility.
191
192The reserved field is currently unused and is ignored in this version of
193the protocol.
194
195signature key contains the CA key used to sign the certificate.
196The valid key types for CA keys are ssh-rsa, ssh-dss and the ECDSA types
197ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521. "Chained"
198certificates, where the signature key type is a certificate type itself
199are NOT supported. Note that it is possible for a RSA certificate key to
200be signed by a DSS or ECDSA CA key and vice-versa.
201
202signature is computed over all preceding fields from the initial string
203up to, and including the signature key. Signatures are computed and
204encoded according to the rules defined for the CA's public key algorithm
205(RFC4253 section 6.6 for ssh-rsa and ssh-dss, RFC5656 for the ECDSA
206types), and draft-josefsson-eddsa-ed25519-03 for Ed25519.
207
208Critical options
209----------------
210
211The critical options section of the certificate specifies zero or more
212options on the certificates validity. The format of this field
213is a sequence of zero or more tuples:
214
215    string       name
216    string       data
217
218Options must be lexically ordered by "name" if they appear in the
219sequence. Each named option may only appear once in a certificate.
220
221The name field identifies the option and the data field encodes
222option-specific information (see below). All options are
223"critical", if an implementation does not recognise a option
224then the validating party should refuse to accept the certificate.
225
226No critical options are defined for host certificates at present. The
227supported user certificate options and the contents and structure of
228their data fields are:
229
230Name                    Format        Description
231-----------------------------------------------------------------------------
232force-command           string        Specifies a command that is executed
233                                      (replacing any the user specified on the
234                                      ssh command-line) whenever this key is
235                                      used for authentication.
236
237source-address          string        Comma-separated list of source addresses
238                                      from which this certificate is accepted
239                                      for authentication. Addresses are
240                                      specified in CIDR format (nn.nn.nn.nn/nn
241                                      or hhhh::hhhh/nn).
242                                      If this option is not present then
243                                      certificates may be presented from any
244                                      source address.
245
246Extensions
247----------
248
249The extensions section of the certificate specifies zero or more
250non-critical certificate extensions. The encoding and ordering of
251extensions in this field is identical to that of the critical options,
252as is the requirement that each name appear only once.
253
254If an implementation does not recognise an extension, then it should
255ignore it.
256
257No extensions are defined for host certificates at present. The
258supported user certificate extensions and the contents and structure of
259their data fields are:
260
261Name                    Format        Description
262-----------------------------------------------------------------------------
263permit-X11-forwarding   empty         Flag indicating that X11 forwarding
264                                      should be permitted. X11 forwarding will
265                                      be refused if this option is absent.
266
267permit-agent-forwarding empty         Flag indicating that agent forwarding
268                                      should be allowed. Agent forwarding
269                                      must not be permitted unless this
270                                      option is present.
271
272permit-port-forwarding  empty         Flag indicating that port-forwarding
273                                      should be allowed. If this option is
274                                      not present then no port forwarding will
275                                      be allowed.
276
277permit-pty              empty         Flag indicating that PTY allocation
278                                      should be permitted. In the absence of
279                                      this option PTY allocation will be
280                                      disabled.
281
282permit-user-rc          empty         Flag indicating that execution of
283                                      ~/.ssh/rc should be permitted. Execution
284                                      of this script will not be permitted if
285                                      this option is not present.
286
287$OpenBSD: PROTOCOL.certkeys,v 1.10 2016/05/03 10:27:59 djm Exp $
288