Unable to connect with SSH CA user cert

[ebanDev]

Subject of the issue

I use step ssh, I generated a client key pair signed with my CA and when I try to connect to my SSH Server it asks me for a password

Your environment

• OS - Rasbian 10
• Version - Smallstep CLI/0.17.1 (linux/arm)

Steps to reproduce

1. Create a CA
2. Add this line to /etc/ssh/sshd_config TrustedUserCAKeys /etc/step-ca/certs/ssh_user_ca_key.pub
3. Generate user key pair with command : step ssh certificate --ca-url ca.local.XXXXXXX:4343 -f pc01.local.XXXXXXX id_ecdsa
4. Try to connect to the ssh server with command ssh XXXXXXXXXX@XXXXXX -o IdentitiesOnly=yes -i id_ecdsa -v
5. See that it can't connect to the server using the user cert

debug1: Offering public key: id_ecdsa ECDSA-CERT SHA256:KIqcBIrh3ST6ulKstUhqw79Q/svGpTLdszZUw70IE+8 explicit agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: id_ecdsa ECDSA SHA256:KIqcBIrh3ST6ulKstUhqw79Q/svGpTLdszZUw70IE+8 explicit agent
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
XXXXXX@XXXXXXXX's password: 

Expected behaviour

It should connect me directly

Actual behaviour

It asks me for a password

Additional context

SSH Host key signing works fine

╰─$ step ssh inspect id_ecdsa-cert.pub                                              
id_ecdsa-cert.pub:
        Type: [email protected] user certificate
        Public key: ECDSA-CERT SHA256:KIqcBIrh3ST6ulKstUhqw79Q/svGpTLdszZUw70IE+8
        Signing CA: ECDSA SHA256:tj+0wHsJjKQOCPCLeCAH+3viP9BC2r4FSX7QMsI9LSs
        Key ID: "XXXXXXXX"
        Serial: 9868405590557681044
        Valid: from 2021-10-27T11:32:14 to 2021-10-28T03:33:14
        Principals: 
                XXXXXXX
        Critical Options: (none)
        Extensions: 
                permit-pty 
                permit-user-rc 
                permit-X11-forwarding 
                permit-agent-forwarding 
                permit-port-forwarding 

XXXXX@server:/etc/step-ca# cat /etc/step-ca/certs/ssh_user_ca_key.pub
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDx35ivbd3Rud6lIKk22spSAtpDiWGdTG2FCB/BvB3ibrPCYhf4IOH1ub/IR2fJKRpnB2O2Gcp0ra6CjQudN+2Q=

Thanks ! ;)

[J-Hunter-Hawke]

Hi @ebanDev, could you please post the log from running SSH with the highest verbosity (-vvv)?

Also, are you trying to SSH to <principal_on_user_certificate>@<hostname_as_principal_on_host_certificate>? I've found some issues in the past if you don't follow this convention.

Edit: Clarified and corrected which principals to use.

[ebanDev]

debug1: Reading configuration data /home/eban/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host pi01.local.XXXXXXX originally pi01.local.XXXXXXX
debug2: match not found
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /home/eban/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host pi01.local.XXXXXXX originally pi01.local.XXXXXXX
debug2: match found
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug2: resolving "pi01.local.XXXXXXX" port 22
debug1: Connecting to pi01.local.XXXXXXX [10.0.0.3] port 22.
debug1: Connection established.
debug1: identity file id_ecdsa type 2
debug1: identity file id_ecdsa-cert type 6
debug1: Local version string SSH-2.0-OpenSSH_8.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9p1 Raspbian-10+deb10u2+rpt1
debug1: compat_banner: match: OpenSSH_7.9p1 Raspbian-10+deb10u2+rpt1 pat OpenSSH* compat 0x04000000
debug2: fd 5 setting O_NONBLOCK
debug1: Authenticating to pi01.local.XXXXXXX:22 as 'XXXXXXX'
debug1: load_hostkeys: fopen /home/eban/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ext-info-c
debug2: host key algorithms: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: [email protected],[email protected],aes256-ctr,[email protected],aes128-ctr
debug2: ciphers stoc: [email protected],[email protected],aes256-ctr,[email protected],aes128-ctr
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,[email protected],hmac-sha2-512
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,[email protected],hmac-sha2-512
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ecdsa-sha2-nistp256,[email protected]
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: [email protected]
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host certificate: [email protected] SHA256:Yb10APlEYzmdG+T+1hptnJHfAKtpuecBPofRED+Mpp0, serial 8601972458286820247 ID "pi01.local.XXXXXXX" CA ecdsa-sha2-nistp256 SHA256:bSFNEITsanXHjp2RoEZciWQYLbdwngVje2ZT8h32Jvk valid from 2021-10-27T11:02:41 to 2021-11-26T10:03:41
debug2: Server host certificate hostname: pi01.local.XXXXXXX
debug1: load_hostkeys: fopen /home/eban/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'pi01.local.XXXXXXX' is known and matches the ECDSA-CERT host certificate.
debug1: Found CA key in /home/eban/.ssh/known_hosts:1
debug2: set_newkeys: mode 1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: id_ecdsa ECDSA-CERT SHA256:KIqcBIrh3ST6ulKstUhqw79Q/svGpTLdszZUw70IE+8 explicit agent
debug1: Will attempt key: id_ecdsa ECDSA SHA256:KIqcBIrh3ST6ulKstUhqw79Q/svGpTLdszZUw70IE+8 explicit agent
debug2: pubkey_prepare: done
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: id_ecdsa ECDSA-CERT SHA256:KIqcBIrh3ST6ulKstUhqw79Q/svGpTLdszZUw70IE+8 explicit agent
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: id_ecdsa ECDSA SHA256:KIqcBIrh3ST6ulKstUhqw79Q/svGpTLdszZUw70IE+8 explicit agent
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: password

Here is the complete log ! ;)

[ebanDev]

Also, are you trying to SSH to <principal_on_host_certificate>@<Key_ID_on_host_certificate>? I've found some issues in the past if you don't follow this convention.

What is the principal ? 🤔

[J-Hunter-Hawke]

Oops, misspoke on that one; please see my corrections to that comment. You can see the principal listed when running the step ssh certificate inspect ... command as you did above. In this context, the principal on the user certificate would be the name of the user you are trying to log in as on the host device. For example, if you were to SSH in to the ubuntu user, you would specify it as the principal when provisioning your user certificate: step ssh certificate <key_id> <key_file> --principal="ubuntu".

On the host side, you'll want to specify its hostname or IP address as the principal on its SSH host certificate. OpenSSH will check this value against your SSH call.

My colleague @tashian does a great job explaining a bunch of these intricacies in a discussion I opened up while at my previous job. I'd encourage you to read through my struggle-bussing there 😃 : #527

[ebanDev]

Okay, it works ! 🥳 I changed the principal for the username and it works ! 🥳 Thank you so much !

[J-Hunter-Hawke]

Glad to hear it!