Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WIP: CertAuthority principal support #1

Open
wants to merge 14 commits into
base: master
Choose a base branch
from
Open

WIP: CertAuthority principal support #1

wants to merge 14 commits into from

Conversation

jage
Copy link

@jage jage commented Jun 1, 2023
edited
Loading

Implement principal verification for certificates.

The connecting client must verify that it is connecting to the correct server by verifying that the certificate is from a trusted authority (already implemented in Net-SSH), but this implements the verifications of the principal, i.e. matching hostname we are connecting to and certificate, and also validity for the certificate.

Without this a bug or attack could cause a connection to be redirected to another server signed by the same certificate authority, without the client knowing.

Example data from host certificate.

ubuntu@dev-eager-red-fish-01:/etc/ssh$ ssh-keygen -L -f ssh_host_ed25519_key-cert.pub
ssh_host_ed25519_key-cert.pub:
        Type: [email protected] host certificate
        Public key: ED25519-CERT SHA256:QpdPXoI3aHXKbDrGeFUV+qPryfFJ6Qj95H1bf/kkb9E
        Signing CA: ED25519 SHA256:fcgMyZZM0Oo7rp+LHFcuWTLh3rBpyJOyHWRD4ULqigA (using ssh-ed25519)
        Key ID: "dev-eager-red-fish-01.rmq6.dev.cloudamqp.com"
        Serial: 0
        Valid: from 2024-03-15T13:19:00 to 2024-06-13T13:20:56
        Principals:
                dev-eager-red-fish-01.rmq6.dev.cloudamqp.com
        Critical Options: (none)
        Extensions: (none)

DO NOT MERGE THIS.

Just want a PR to run CI right now.

  • Test expired certificate
  • Test certificate without any principal listed

jage and others added 14 commits May 30, 2023 16:46
@jage
Initial CertAuthority prinical verification code
1786120
@jage
Further work on host principal verification
e84fb2e
@jage
Improve error message
027f6ae
@jage
Must keep all hostnames/ips to not break "check_host_ip" option
a71b280 
Make sure check_host_ip option works as expected

The host scrubbing issue was specific to the new matches_principal
@jage
Make rubocop happy
0d4d6ac
@jage
Fix Dockerfile: Specify netcat package
be20127 
Would fail otherwise, as there's two netcat's

    Package netcat is a virtual package provided by:
      netcat-openbsd 1.219-1
      netcat-traditional 1.10-47

    E: Package 'netcat' has no installation candidate
@jage
Refactor
aa171f0
@jage
Lint fix
4897e18
@jage
Refactor: Improve readability of verifier
d3dbaa8
@jage
Implement validity check
e92a22b
@jage
Fix: Remove debug statements
5af2e07
@jage
Remove breakpoint
a2353dd
@jage
TODO test matches_validity?
3ba4c06
@walro
Merge branch 'master' into verify-principal
e7bae87
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jage @walro