
"Private key" string lookup while importing public-key file

Open rakichinni opened this issue 5 years ago • 6 comments

Hello,

Trying to change the mode of authentication from password to public key. I have a couple of questions related to registering keys and parsing keys. The commands below were used to generate the key pair and certificate:

ssh-keygen -t rsa -b 4096 -C "[email protected]"
openssl req -key key -new -out key.csr
openssl x509 -signkey key -in key.csr -req -days 365 -out key.crt

Found an API, nc_client_ssh_ch_add_keypair, to register public and private keys at the client side. The documentation says "Add an SSH public and private key pair to be used for client authentication." Q1) Is the key pair to be registered generated at the client, which is to authenticate the client?

Q2) Importing the public key looks for OPENSSH_HEADER_BEGIN (-----BEGIN OPENSSH PRIVATE KEY-----) in ssh_pki_import_pubkey_file. Please clarify if there is any specific reason for looking for the "PRIVATE KEY" string in a public-key file.

rakichinni, Jun 29 '20 13:06

Hi, firstly, libnetconf2 does not support SSH keys with certificates; you can either use a simple private/public key pair or TLS certificate authentication.

  1. Well, yes, the set key is then presented to the server for SSH publickey authentication.
  2. I am not sure what the function looks for exactly, but in any case it is a question for the libssh developers, not us. There were no problems with it, so I am not sure why you looked at that.

Regards, Michal

michalvasko, Jun 30 '20 12:06

Hi Michal,

Thanks a lot for letting us know that support for certificates over SSH is not yet available in the mainline.

I have to go through libssh2 to see if there are any APIs exposed to configure certificates, etc.

Thanks, Chinni.

rakichinni, Jul 01 '20 04:07

Hi, libnetconf2 uses libssh, not libssh2. Those are completely different libraries, and there is no server support in libssh2.

Regards, Michal

michalvasko, Jul 01 '20 11:07

Hi,

Thanks for pointing that out, I am looking at libssh only.

connect_ssh_session() is currently using ssh_pki_import_pubkey_file() -> pki_import_cert_buffer() (defined in pki.c), and support for parsing it and getting the proper public-key buffer is already available.

One of the libssh email archives says that support for parsing is available. I verified the same in the latest libssh code.

"firstly, libnetconf2 does not support SSH keys with certificates" This statement is contradictory, as libssh has support for certificates. If you get a chance, can you please clarify this once.

Thanks, Chinni

rakichinni, Jul 01 '20 12:07

Hi, I said libnetconf2 does not support this; libssh may. And yes, in case the same function can be used and nothing needs to be changed at all, then it may work even with certificates, but we have never tried it. Also, I am not sure why you would want to use those; simply using SSH keys should be fine, and you do not require any additional certificate files.

Regards, Michal

michalvasko, Jul 01 '20 13:07

Hi Michal,

I tried with plain key pairs and was able to successfully establish a NETCONF session.

"I am not sure why would you want to use those" A few advantages of using certs over plain keys are captured here. Along with these, newly installed devices (having a NETCONF server) can be supported if the key pair for the new device holds a certificate signed with a common CA.

Anyway, support for certs over SSH is not available in the latest version of libnetconf2. I am trying to figure out a way to achieve the same.

Thanks, Chinni

rakichinni, Jul 09 '20 13:07