www.libssh2.org | Daily snapshots | Mailing list archive | Docs | Examples | github

Archive Index This month's Index

Subject: User Certificate Authentication using the libssh2_userauth_publickey_frommemory C++ api

User Certificate Authentication using the libssh2_userauth_publickey_frommemory C++ api

From: Scott Yeager <dsyeager_at_thehouseofyeager.com>
Date: Wed, 23 Jan 2019 10:58:59 -0800

I have a C++ application that uses the
libssh2_userauth_publickey_frommemory api when running commands on
remote servers. I'm using libssh2 1.8.0.

The application has been working fine with normal keys for 6 or so years
now but I now need it to work with user certificates.

https://support.ssh.com/manuals/server-admin/64/userauth-cert.html

Our new key generation logic produces a private key, a pub key and a pub
cert.

     -rw------- 1 587204286 587204286  411 Jan 22 14:02 id_ed25519
     -rw-r--r-- 1 587204286 587204286  101 Jan 22 14:02 id_ed25519.pub
     -rw-r--r-- 1 587204286 587204286 1891 Jan 23 17:17 id_ed25519-cert.pub

They work properly with the normal ssh command.

     [Wed Jan 23 17:26:39] root_at_mon034.bur:~/src/event_ssh-src# ssh -i
.ssh/id_ed25519 root_at_cache101.cha "uptime"
      18:52:21 up 85 days, 13:14,  1 user,  load average: 4.64, 4.33, 4.22

Prior to this I've always passed a NULL and 0 for the public key string
and length.

Trying to get the user certificate to work I've been trying to pass it
(id_ed25519-cert.pub's content) in as the public key. I've also tried it
as the private key and a few other combinations.

But keep getting

[Wed Jan 23 18:51:26] root_at_mon034.bur:~/src/event_ssh-src#
build/src/event_ssh --canary="" --cmd=uptime --servers=cache101.cha
--user=root --key=.ssh/id_ed25519 --pub-key=.ssh/id_ed25519-cert.pub
read priv key from .ssh/id_ed25519
read pub key from .ssh/id_ed25519-cert.pub
called libssh2_userauth_publickey_frommemory, username: root, pub key
len: 1891, priv key len: 411
[1/1] cache101.cha      Authentication by public key failed, rc: -19,
The username/public key combination was invalid.

Has anyone gotten authentication with user certificates to work with
libssh2, if so what needs to be done differently compared to just using
a normal private key?

Thanks,
Scott Yeager

_______________________________________________
libssh2-devel https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2019-01-23

the libssh2 team