Background

This is something that’s been bugging me for a while now, and I’ve been searching far and wide for a solution. It’s not that none exist, here’s Jumpcloud, Keyfactor, ManageEngine, Operas ssh-key-authority, skm and many, many more SSH Key managers with varying amounts of control and authentication; not to speak of PAM tools like PasswordManagerPro, CyberArk, BeyondTrust and Secret Server.

So what’s my problem? Mostly the use of SSH Key Authentication.

For those who aren’t read up on what that is – it’s based on the principle of Public keys and Private keys. A keypair is generated, the public key can be used to encrypt data which the private key can then be used to decrypt, or the private key can sign data which the public key can be used to verify, more or less like certificates.

Compared to certificates though, there are some drawbacks:

  • Maintenance: You need to maintain a list of public keys that are allowed to access each account on each server
  • Security: The user is in control of how well the private key is stored, and whether it is password protected
  • Access control: There are only limited options if you want to limit the time in which a user is allowed to use a key to connect to a server
  • 2FA: PKA can be used together with a password server-side, but that password is unique to the server account and not to the keyholder. If you want to use another method of 2FA, like a TOTP token or smartcard, the options are very limited.

This is why I was very excited the day I found out about SSH Certificates.

OpenSSH Certificates

The principle is basically the same as with any certificate authentication – there is a CA, a Certificate Authority, that is allowed to issue certificates with certain attributes to a user or server.

Based on the type of CA, it can verify the user in a number of different ways depending on configuration, you can combine it with SAML2, Oauth2, OpenID Connect, Azure Authentication, any number of additional verification like TOTP, Hardware Tokens or Smart Cards or even just LDAP/Active Directory.

The principle of SSH Certificate Authentication has some limitations, for example Putty doesn’t really support it at the moment, but with the rise of WSL/WSL2 on the Windows side, or just plain OpenSSH run through cmd or a Powershell prompt, it can still be utilized there.

It can even be combined with PKA, if you want to, where the user keeps the same private key but sends the public key to the CA to be signed, receiving back a certificate that’s valid for a limited period of time, limited to a certain number of named machines or groups of machines and stamped with a serial number which can be traced back from the server via the CA to a specific method of authentication, location information and whatever more information you can think of.

So, what products are there that currently implement SSH Certificate authentication?

Available products

From what I’ve been able to find there’s a couple of them: Teleport, Smallstep (both of them based on open-source software and well-documented), Keyper and Hashicorp Boundary. Here’s a short summary:

Teleport: Open Source-based, marketed as a tool for Privileged Access Management, integrates with existing SSO (only GitHub for open-source) solutions for integrated authentication to SSH or integrated (config-file) user management with support for MFA (WebAuthn/FIDO2, TOTP). Needs a client on the users computer, or you can connect through the web interface. Pricing on demand for enterprise version, you need to contact their sales team. 14-day trial available.

Smallstep: Main product is smallstep ca (Open Source, step-ca) which can issue SSH certificates in exchange for tokens from SSO provider. Also provides Smallstep SSH (Closed Source, based on step-ca) which more seamlessly integrates SSH authentication with OpenID Connect providers (Azure, Octa, G Suite are documented) for SSH Authentication. Needs a client on the users computer. Free version only smallstep-hosted for one user with built-in authentication, for on-premises or external authentication you need the Professional (3$/host/mo) or Run Anywhere ($5/host/mo) subscription.

Keyper: Was recently made available as open-source, integrates only with LDAP at the moment (which limits the range of MFA options you can utilize). No real client available at the moment, issuance of certificates is done manually via a REST API or web interface.

Hashicorp Boundary: Fully open-source, integrates with any OpenID Connect IDP for authentication. Configuration is done mostly by file and partially via a basic administration interface, there is a desktop client available for authentication but no web GUI. Integrates with Hashicorp Vault for issuing certificates and tokens. Needs a client on the users computer, connects to hosts via the Boundary server and not directly.

For my, and some of my customers’, purposes the integration with an OpenID Connect- or SAML-provider and the ability to host the software on-premises is an important feature for this type of product. None of the above products currently have the ability for SAML authentication, and for on-prem hosting and access management to our ~100 containers and servers the cost would be at around 500$/month for Smallstep and yet to be determined for Teleport.

Feature-wise, and cost-wise, Boundary is the best alternative at the moment but does come with some downsides like the server needing a direct connection to all servers (boundary -> server) which could present some security concerns in certain environments. It’s also very “tech-heavy”, meaning it takes more than average knowledge to deploy and use. The Desktop client works well, but it needs to be deployed to all end-users who need to connect via SSH to the servers.

Conclusion

While I’m sure that most users and organizations will find one of these products sufficient, I still wasn’t completely sold. I wanted to understand more about the technology, tinker a bit along the way, learn something new and contribute to the open-source community. But in order to do that – I’d need to dive deeper into the world of OpenSSH Certificates, cryptography and try to revive the small part of math that still hung around in my brain all these years after high-school.

To be continued in Part 2 – Configuration and Usage

One thought to “OpenSSH Certificates: The Quest for SSH Single Sign-On (Part 1)”

Leave a comment

Your email address will not be published.