
OpenSSH supports signing user keys with a certificate authority. From man ssh-keygen:

ssh-keygen supports signing of keys to produce certificates that may
be used for user or host authentication.  Certificates consist of a
public key, some identity information, zero or more principal (user
or host) names and a set of options that are signed by a Certification
Authority (CA) key.

In a pure Linux environment SSH certificates are quite easy to use. No problem for the server part (TrustedUserCAKeys) and on the client side ssh -i does the right job.

I need to be able to use OpenSSH certificates from a Windows SSH client (the project is to deliver short-lived SSH certificates to sysadmins' Windows workstations after they have authenticated themselves using a company-specific auth scheme).

Cygwin is not an option (killing a fly with a hammer, and probably not acceptable by Windows admins), PuTTY does not recognize OpenSSH certificates.

What would be other options?

Stephane Martin
  • Have you tried using `ssh-keygen -e`? Not sure it works with certificates. – apraetor Nov 11 '16 at 20:01
  • Same problem here, because I want to implement exactly the same as you. Do you mind writing a short note what you ended up with? – Daniel May 26 '18 at 09:48
  • As a side note, support for certificate-based auth is on the PuTTY wish list here: https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/ssh2-openssh-certkeys.html – Steve Bonds Jan 07 '22 at 16:37

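The CA flow the question describes (TrustedUserCAKeys on the server, `ssh -i` with the matching `-cert.pub` on the client), worked through as an added example that is not part of the original post: a POSIX shell script that creates a user CA, signs a short-lived user certificate, and inspects it the way sshd will, by matching the certificate's signing-CA fingerprint against the trusted CA public key and reading its principals. The CA name `user_ca`, the user `alice`, the host `bastion.example` and the `+8h` validity are assumptions for illustration; the only requirement is an OpenSSH `ssh-keygen` (7.x or later) in PATH.

```shell
#!/bin/sh
# Added example, not from the original post. Mint and inspect a short-lived
# OpenSSH user certificate. Assumes ssh-keygen (OpenSSH 7.x or later) in PATH;
# the CA name, user name, host name and validity window are illustrative.
set -eu

# Server side: the CA keypair. sshd only ever needs the public half:
#   /etc/ssh/sshd_config:  TrustedUserCAKeys /etc/ssh/user_ca.pub
make_ca() {
    dir=$1
    ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f "$dir/user_ca"
}

# Sign a fresh user key. -I is the key ID that sshd logs, -n the principal(s)
# the login name must match, -V the validity window (relative form: now..+8h).
# The certificate lands next to the public key as id_<user>-cert.pub.
sign_user_key() {
    dir=$1; user=$2; validity=$3
    ssh-keygen -q -t ed25519 -N '' -C "$user" -f "$dir/id_$user"
    ssh-keygen -q -s "$dir/user_ca" -I "$user@workstation" -n "$user" \
        -V "$validity" "$dir/id_$user.pub"
}

# Certificate type string as reported by ssh-keygen -L.
cert_type() {
    ssh-keygen -L -f "$1" |
        sed -n 's/^[[:space:]]*Type: \([^ ]*\) user certificate.*/\1/p'
}

# Principals embedded in the certificate, one per line.
cert_principals() {
    ssh-keygen -L -f "$1" |
        sed -n '/^[[:space:]]*Principals:/,/^[[:space:]]*Critical Options:/p' |
        sed '1d;$d;s/^[[:space:]]*//'
}

# Does the certificate's "Signing CA" fingerprint match this CA public key?
# This is the trust decision sshd makes against TrustedUserCAKeys before it
# believes any principal listed in the certificate.
cert_signed_by() {
    cert=$1; ca_pub=$2
    ca_fp=$(ssh-keygen -lf "$ca_pub" | awk '{print $2}')
    cert_ca_fp=$(ssh-keygen -L -f "$cert" |
        sed -n 's/^[[:space:]]*Signing CA: [^ ]* \([^ ]*\).*/\1/p')
    [ -n "$ca_fp" ] && [ "$ca_fp" = "$cert_ca_fp" ]
}

# Client side: "ssh -i id_alice" loads id_alice-cert.pub automatically; this
# ssh_config stanza makes the pairing explicit (CertificateFile: OpenSSH 7.2+).
client_config_stanza() {
    host=$1; key=$2
    printf 'Host %s\n    IdentityFile %s\n    CertificateFile %s-cert.pub\n' \
        "$host" "$key" "$key"
}

# Run the whole flow in a scratch directory and show the resulting certificate.
demo() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not in PATH" >&2; return 0; }
    tmp=$(mktemp -d)
    make_ca "$tmp"
    sign_user_key "$tmp" alice +8h
    cert="$tmp/id_alice-cert.pub"
    ssh-keygen -L -f "$cert"
    echo "principals: $(cert_principals "$cert")"
    cert_signed_by "$cert" "$tmp/user_ca.pub" && echo "signed by our CA"
    client_config_stanza bastion.example "$tmp/id_alice"
    rm -rf "$tmp"
}
demo
```

The server never sees the CA private key, and the client never needs to talk to the CA at connect time: whatever Windows-side workflow delivers `id_alice` and `id_alice-cert.pub` to the workstation, the only things that must line up are the principal in the certificate, the login name, and the validity window against the server's clock.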
3 Answers


OpenSSH is now supported as an "optional feature" in Windows 10. Allegedly, OpenSSH 7.6p1 should be available at the usual place: Control Panel, selecting Programs | Programs and Features | Turn Windows features on or off. You can also access this wizard directly by typing "optionalFeatures" from the Windows Start prompt.

https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse

https://www.bleepingcomputer.com/news/microsoft/heres-how-to-enable-the-built-in-windows-10-openssh-client/

Hope they don't kick out certificate authentication, as they apparently did with the OpenSSH server "feature".

user185953
  • Can you clarify about OpenSSH server? The Microsoft docs have instructions for [installing `OpenSSH.Server~~~~0.0.1.0`](https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell#install-openssh-for-windows) – Carl Walsh May 21 '23 at 14:29
  • @CarlWalsh I don't know. But https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_overview says it all comes from https://github.com/PowerShell/openssh-portable, so I expect it is the same version. – user185953 Jun 09 '23 at 07:59

If you can't end up figuring out a way to use the certs with PuTTY, there are lighter-weight ways to get the actual OpenSSH client on a Windows box than Cygwin. The most likely candidate that comes to mind is the Windows distribution of Git.

There's a standard installable version or a portable version that you can just unzip and run. It's basically bash, git, and ssh (Git Bash).

Slightly heavier, but at least native to the OS is the Windows Subsystem for Linux which could work if you have Windows 10 anniversary update or later.

Ryan Bolger

From here: https://burnz.wordpress.com/2007/12/14/ssh-convert-openssh-to-ssh2-and-vise-versa/

You can use ssh-keygen -e -f ~/.ssh/id_rsa.pub > ~/.ssh/id_rsa_ssh2.pub to convert keys from OpenSSH to SSH2. Do this server-side before distributing the keys to clients?

At the end of the day you're generating transient .pub keys for the client to use, signed by the certificate, so they just need to be in a format PuTTY will accept.

That's assuming your workflow is something like: https://blog.habets.se/2011/07/OpenSSH-certificates

apraetor
  • Server is planned to authorize not through a client's public key, but through a signature. How can server receive the raw bytes of the signature from putty? – kubanczyk Nov 11 '16 at 20:21