
Re: Support for certificate based authentication


On Wed, 2020-07-01 at 15:23 +0530, rakesh babu wrote:
> Hello Everyone,
> 
> I am trying to integrate libssh with netconf. (both at client &
> server)
> 
> As part of the integration, I came across 'public-key' authentication.
> Also, I found more articles that recommend using certificates over
> actual keys which is because of ease of use and more control over
> key-management, expiration, etc.
> 
> Found below available APIs from source code:
> Support to load certificate is available in *pki_import_cert_buffer*.
> (pki.c)
> Support to load public-key and private key is available. (pki.c)
> 
> Gone through the examples available in 'libssh/libssh-0.9/examples',
> but couldn't find callbacks to achieve certificate based login,
> - Loading CA certificate on the client-side to authenticate the
>   server certificate.
> - Certificate of the client loaded at the server to authenticate the
>   client.
> 
> Can anyone please guide me through the process to load
> keys/certificates to achieve 'single sign-on' or provide any links
> if any.

Libssh can read certificates and use them as any other key files in
the client. But if I remember well, it does not interpret their content
(treats their content as blobs) so the server side verification of such
a certificate is something that needs to be implemented (preferred) or
needs to be handled outside of libssh.

The certificates used in libssh are the same certificates as in
OpenSSH, which are nicely described in the manual pages:

https://man.openbsd.org/ssh-keygen.1#CERTIFICATES

Regards,
-- 
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.
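
What "interpreting the content" of such a certificate involves on the server side, as an added example that is not part of the original message and is not libssh code: a Python parser for the `ssh-ed25519-cert-v01@openssh.com` layout documented in OpenSSH's PROTOCOL.certkeys, with the field checks a verifier applies. The names `policy_errors` and `sample_cert` and every sample value are constructed for illustration; verifying the CA signature is not done here and has to happen separately.

```python
import struct

USER, HOST = 1, 2  # certificate "type" values in OpenSSH PROTOCOL.certkeys
ED25519_CERT = b"ssh-ed25519-cert-v01@openssh.com"

class Reader:
    """Cursor over SSH wire encoding: big-endian uint32/uint64, length-prefixed string."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data): raise ValueError("truncated certificate blob")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def u64(self): return struct.unpack(">Q", self.take(8))[0]
    def string(self): return self.take(self.u32())

def parse_ed25519_cert(blob):
    r = Reader(blob)
    if r.string() != ED25519_CERT: raise ValueError("not an ssh-ed25519 certificate")
    c = {"nonce": r.string(), "pk": r.string(), "serial": r.u64(),
         "type": r.u32(), "key_id": r.string(), "principals": []}
    names = Reader(r.string())  # principals are strings packed inside one string
    while names.pos < len(names.data):
        c["principals"].append(names.string())
    c["valid_after"], c["valid_before"] = r.u64(), r.u64()
    c["critical_options"], c["extensions"], _reserved = r.string(), r.string(), r.string()
    c["ca_key"] = r.string()
    c["signed_len"] = r.pos  # the CA signature covers blob[:signed_len]
    c["signature"] = r.string()
    return c

def policy_errors(c, want_type, principal, now, trusted_cas):
    """Field checks only; the CA signature over blob[:signed_len] must be verified separately."""
    errs = []
    if c["type"] != want_type: errs.append("wrong certificate type")
    if c["ca_key"] not in trusted_cas: errs.append("untrusted CA")
    if not c["valid_after"] <= now < c["valid_before"]: errs.append("outside validity window")
    if principal not in c["principals"]: errs.append("principal not listed")  # empty list refused
    if c["critical_options"]: errs.append("unhandled critical option")  # none are interpreted here
    return errs

def sshstr(b): return struct.pack(">I", len(b)) + b
def sample_cert(principals=(b"netconf-admin",), after=1000, before=2000):
    # Constructed blob with placeholder key and signature bytes (not a real certificate).
    body = sshstr(ED25519_CERT) + sshstr(b"N" * 32) + sshstr(b"K" * 32) + struct.pack(">QI", 7, USER)
    body += sshstr(b"constructed-id") + sshstr(b"".join(sshstr(p) for p in principals))
    body += struct.pack(">QQ", after, before) + sshstr(b"") * 3 + sshstr(b"constructed-ca")
    return body + sshstr(b"constructed-sig")
```

For a real `-cert.pub` file, the blob is the base64-decoded second field of the line; principals and the trusted CA set are compared as bytes.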

