Implemented

OpenSSH SSH certificate

Hi Royal Apps,


Would it be possible to support OpenSSH certificates as an authentication method for login?


In the latest PuTTY version 0.78, there is support for this method (see screenshot).


One of the major security benefits of using a signed cert is its validity period.


Thanks.






Hi,


the next beta release of Royal TS V7 will have this feature on board. Stay tuned for the next update...


Regards,
Stefan



Now that version 7 is available, how can we configure a tunnel to use an SSH certificate?

Hi,

How is this feature for Royal TSX V6?

Hi,


as far as I know, OpenSSH certificates are currently only supported by PuTTY. The integration on macOS is based on iTerm2 and from what I see, there's no support for that. I also got feedback from Rebex that they don't have plans to implement OpenSSH certificates in their products. Here's what Rebex wrote about the OpenSSH certificate situation:

We [Rebex] support public key authentication, and we also support X.509 certificate authentication. What we don’t support are the so-called “OpenSSH certificates”, which we believe is a horrible idea that should never have materialized. Basically, instead of implementing RFC 6187 and adding support for the ubiquitous X.509 certificates, OpenSSH developers instead decided to create their own proprietary certificate format called “OpenSSH certificates”, which are incompatible with the existing X.509 certificate infrastructure. We have no plans to add support for these, and we really prefer if they got deprecated in favor of X.509 certificates as soon as possible. X.509 certificates work fine, and OpenSSH’s proprietary alternative doesn’t really offer any benefits – it just makes life harder for everyone due to the need to maintain two kinds of certificate infrastructure.


Regards,
Stefan

OK. I see. Thanks for the reply.

Is there any chance or possibility to use PuTTY as the terminal plugin in Royal TSX on macOS? Or another way to do SSH certificate authentication?

We have both Royal TS/TSX installed. We are unable to consider certificate authentication for SSH login as an option, since this feature is not the same for TS/TSX.

Sorry if the above message is not clear.

"certificate authentication for SSH login" means "OpenSSH certificate authentication", because OpenSSH doesn't support X.509 certificates.

Hi there,


Royal TSX just uses the pre-installed OpenSSH installation of macOS. So anything that works by opening Terminal.app and entering "ssh" should work in Royal TSX as well.


While I never tried this myself, you should be able to convert your X.509 certificate to an OpenSSH compatible format and use that to login to your servers.


Here's one of many articles available on the internet that shows the process: https://trueg.wordpress.com/2012/09/06/use-an-x-509-certificate-for-ssh-login/


Hope that helps!


cheers,

Felix

Hi, Thank you for the info.

According to Stefan's info and the plugin settings of the SSH connection in Royal TSX, it uses iTerm2 to provide the SSH connection function.

As far as I know, to support OpenSSH certificate authentication, the client should be able to provide the user's certificate to the OpenSSH server and use the private key to respond to the server's challenge. The user's certificate is in OpenSSH's format and is different from an X.509 certificate.

We are considering deploying certificate authentication to our SSH servers, but the support and format for certificates on both server and client is a big issue. So since Royal TS now supports OpenSSH certificates, we hope to find a way to let Royal TSX use them, too. Otherwise we can't consider this as an option for our security policy, because we have both installed on our site.
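As an added illustration (not code from Royal Apps, PuTTY or OpenSSH) of the two points raised in this thread, the validity window from the first post and the OpenSSH-specific certificate format described above: a small Python encoder/decoder for the ssh-ed25519 certificate blob, which is the content of the "-cert.pub" file the client presents. The CA key and signature fields are dummy placeholders, and the serial, key id, principals and timestamps are constructed sample values.

```python
import base64
import struct

# Added example, not Royal Apps' or OpenSSH's code: the ssh-ed25519-cert-v01@openssh.com
# wire format, with dummy CA-key/signature fields (so the blob is for inspection only).
CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1  # 2 would be a host certificate
def _s(b: bytes) -> bytes:  # RFC 4251 "string": uint32 big-endian length + bytes
    return struct.pack(">I", len(b)) + b
def build_cert(pubkey32, serial, key_id, principals, valid_after, valid_before):
    """Assemble a user certificate blob over a 32-byte Ed25519 public key."""
    return b"".join([
        _s(CERT_TYPE), _s(b"\x00" * 32), _s(pubkey32),   # type, nonce, certified key
        struct.pack(">QI", serial, USER_CERT), _s(key_id.encode()),
        _s(b"".join(_s(p.encode()) for p in principals)),
        struct.pack(">QQ", valid_after, valid_before),   # validity window (unix time)
        _s(b""), _s(b""), _s(b""),                        # critical options, extensions, reserved
        _s(b"DUMMY-CA-KEY"), _s(b"DUMMY-SIGNATURE"),      # placeholders: no real CA here
    ])

def parse_cert(blob: bytes) -> dict:
    """Decode the fields a server checks before trusting the certified key."""
    pos = 0
    def take(fmt):
        nonlocal pos
        vals = struct.unpack_from(fmt, blob, pos); pos += struct.calcsize(fmt)
        return vals
    def string():
        nonlocal pos
        (n,) = take(">I"); v = blob[pos:pos + n]; pos += n
        return v
    cert = {"type": string().decode()}
    string()                                               # nonce, not needed here
    cert["pubkey"] = string()
    cert["serial"], cert["cert_type"] = take(">QI")
    cert["key_id"] = string().decode()
    plist, cert["principals"] = string(), []
    while plist:                                           # packed list of strings
        (n,) = struct.unpack_from(">I", plist)
        cert["principals"].append(plist[4:4 + n].decode()); plist = plist[4 + n:]
    cert["valid_after"], cert["valid_before"] = take(">QQ")
    return cert
def is_valid_at(cert: dict, now: int, login_user: str) -> bool:
    """sshd's check: valid_after <= now < valid_before, and the login name is a principal."""
    return cert["valid_after"] <= now < cert["valid_before"] and login_user in cert["principals"]
def to_cert_pub_line(blob: bytes, comment: str = "constructed@example") -> str:
    """Text form of the '-cert.pub' file that sits next to the private key."""
    return f"{CERT_TYPE.decode()} {base64.b64encode(blob).decode()} {comment}"
def from_cert_pub_line(line: str) -> dict:
    return parse_cert(base64.b64decode(line.split()[1]))
```

Running `ssh-keygen -L -f <file>-cert.pub` on a real certificate prints the same fields (serial, key id, principals, validity window) that `parse_cert` extracts here.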

Hi Jengjie,


the comment by Stefan might've been a bit misleading. It's true that Royal TSX's Terminal plugin is based on iTerm. However, iTerm just acts as the terminal's "Shell" or UI basically.

Underneath, Royal TSX just uses OpenSSH that comes pre-installed on macOS and passes arguments that match the SSH configuration you have in Royal TSX to it.

So anything you can do by opening Terminal.app and entering "ssh ..." should work in Royal TSX as well.


For instance, to provide an OpenSSH certificate, you open the properties of your SSH connection in Royal TSX and go to "Credentials".

Here, first enter the username you want to connect with. Then, switch to the "Private Key File" tab and enter the path where your OpenSSH certificate (and matching "-cert.pub") file is located.


I quickly tried this here and it did work fine.

If you have issues with this approach, you might want to add "-vvvv" to the "Additional SSH Options" text field in the "Advanced - SSH" section of your terminal connection's properties to get debug output.


Hope that helps!


cheers,

Felix

Hi Jengjie,


I now also implemented a separate property for macOS to specify the path to the OpenSSH certificate. This will show up in the next minor update and be available in the "SSH - Security" options of your terminal connection's properties.


Like previously mentioned, if you specify your private key file with a path and have the certificate ("-cert.pub" file) saved next to it there's nothing you need to do. This should work out of the box even in the current release.

If you however have your private key file embedded into the document, this will currently not work on macOS: the embedded key file is temporarily written to disk, but since only the private key and not the certificate is embedded, authentication will fail for connections that require the certificate.


In the next update, we will copy the certificate, if specified, to the same temporary location if you have both an embedded private key file and a path to a certificate specified.


Hope this helps!


cheers,

Felix

Hi Felix,

It's great to hear that, and I would like to try this setting when it's available.

When I saw the information you provided in the previous post, we were planning to build a lab to try it. Now the better news is knowing that this will be more convenient in a future update.

Thank you!

Hi Jengjie,


you can actually try it today by referencing your private key file via path instead of embedding.

As long as you have a "-cert.pub" file next to it, the authentication should work just fine.


The update will then enable you to also use this when embedding private key files.


cheers,

Felix
