Bug 7641 - Support OpenSSH certificates
Summary: Support OpenSSH certificates
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Client
Version: trunk
Hardware: PC Unknown
: P2 Normal
Target Milestone: LowPrio
Assignee: Bugzilla mail exporter
Depends on: 7642 7643
Blocks: 7895 7896
Reported: 2021-02-10 12:34 CET by Pierre Ossman
Modified: 2023-07-14 09:23 CEST

Description Pierre Ossman cendio 2021-02-10 12:34:24 CET
Modern versions of OpenSSH have gotten support for using certificates in places where keys can be used, i.e. host keys and authentication keys. These are not X.509 certificates though, but something specific to OpenSSH. They work in a similar manner though, with a certificate authority signing certificates and other parties trusting those certificates since they can verify the signature.

ThinLinc has no explicit support for these certificates, treating them like any other key type. This mostly works, except for the ability to trust host keys based on the signature and avoid having to explicitly check each host key.

To fix this we would need to add support for configuring the certificate authority keys and checking signatures instead of the entire host key.
Comment 2 Pierre Ossman cendio 2021-02-10 12:57:28 CET
If I'm reading OpenSSH's code correctly, our current behaviour is also incorrect. A certificate should not be individually stored. If there is no CA for the certificate, then the key should be converted to a non-certificate equivalent and that should be used instead.
Comment 3 Pierre Ossman cendio 2021-02-10 14:16:07 CET
Moving the immediate problem to bug 7643. This bug is about doing things properly.
Comment 4 Niko Lehto cendio 2021-09-02 12:36:52 CEST
Worth noting that there are multiple certificate-related errors that can be raised by OpenSSH; we should handle these whenever we implement support for certificates. Otherwise the user will only get generic "You are not authorized to connect to this server" messages in those cases, which isn't that helpful.
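
Added example, not ThinLinc or OpenSSH code: the fallback described in Comment 2, shown in Python for ed25519 certificates using the field order from OpenSSH's PROTOCOL.certkeys. The function names, the `trusted_cas` set and the sample blob are assumptions constructed for illustration; verifying the CA signature, validity period and principals is a separate step that this code does not perform.

```python
import struct

CERT_SUFFIX = b"-cert-v01@openssh.com"

def read_string(buf, off):
    """Read one SSH 'string' (uint32 length + bytes); return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off + 4:end], end

def pack_string(b):
    return struct.pack(">I", len(b)) + b

def split_ed25519_cert(blob):
    """Return (plain_key_blob, ca_key_blob) for an ed25519 certificate blob,
    or (blob, None) when the blob is an ordinary key."""
    ktype, off = read_string(blob, 0)
    if not ktype.endswith(CERT_SUFFIX):
        return blob, None
    if ktype != b"ssh-ed25519" + CERT_SUFFIX:
        raise ValueError("only ed25519 certificates are handled in this example")
    _nonce, off = read_string(blob, off)
    pk, off = read_string(blob, off)
    off += 8 + 4                      # serial (uint64), type (uint32)
    for _ in range(2):                # key id, valid principals
        _, off = read_string(blob, off)
    off += 8 + 8                      # valid after, valid before
    for _ in range(3):                # critical options, extensions, reserved
        _, off = read_string(blob, off)
    ca_key, off = read_string(blob, off)   # the signature field follows; unused here
    return pack_string(b"ssh-ed25519") + pack_string(pk), ca_key

def key_to_check(blob, trusted_cas):
    """Pick what to look up: ("ca", ca_key) or ("plain", non-certificate key)."""
    plain, ca = split_ed25519_cert(blob)
    if ca is not None and ca in trusted_cas:
        return "ca", ca               # caller must still verify the signature
    return "plain", plain             # no configured CA: never store the certificate

# Constructed sample certificate; the signature bytes are a placeholder, not valid.
PK = bytes(range(32))
CA = pack_string(b"ssh-ed25519") + pack_string(b"\xaa" * 32)
PLAIN = pack_string(b"ssh-ed25519") + pack_string(PK)
SAMPLE_CERT = (pack_string(b"ssh-ed25519" + CERT_SUFFIX) + pack_string(b"\x01" * 32)
    + pack_string(PK) + struct.pack(">QI", 1, 2) + pack_string(b"host1")
    + pack_string(pack_string(b"host1.example")) + struct.pack(">QQ", 0, 2**64 - 1)
    + pack_string(b"") * 3 + pack_string(CA) + pack_string(b"\x00" * 8))
```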
