@murkvin murkvin commented May 29, 2025

Context

Users of "Open Remote - SSH" have requested support for certificate-based authentication. This feature request is currently tracked in jeanp413/open-remote-ssh#95.

Currently "Open Remote - SSH" fails to authenticate to hosts that require certificate-based authentication. This is, primarily, because ssh2 does not implement certificate-based authentication.

This issue is called out across multiple GitHub Issues and Pull Requests upstream, including, but not limited to:

  1. Feature Request: support certificate authentication. mscdex/ssh2#551
  2. SSH client with authentication by signed certificates does not work with SSH_AGENT mscdex/ssh2#910
  3. How to connect with a key signed by a certificate authority? mscdex/ssh2#858
  4. Client: Allow explicitely specifying a publicKey mscdex/ssh2#808

Approach

Meta: This PR is (mostly) a clone of the one currently sitting upstream in mscdex#1440. I have cloned this here since "Open Remote - SSH" is built on top of this ssh2 fork.

This code change adds additional key parsing logic that, when other methods fail, will attempt to parse the key as a certificate. During the authentication flow, these certificate key types are then mapped to the corresponding signature type.

On top of the original cert types, I added several non-vendor-extension cert types called out in the internet draft: https://www.ietf.org/archive/id/draft-miller-ssh-cert-01.html.

Importantly, this only works via an SSH agent (more on that later). This lightweight implementation serves to unblock folks who otherwise would be unable to connect to their hosts. In order to make use of certificates only available on disk, more significant changes would need to be made to the library to prevent public keys from being overwritten by the library-generated keys (depending on what is available on the machine).

NB: This CR is targeted toward addressing common ecdsa keys.

User Experience

In order to connect to hosts requiring certificate-based authentication, users will need to add their certificate to their running ssh agent by running, for example, ssh-add. If the certificate expires, then they will need to re-add the certificate to their running agent.

Testing

I tested these changes by linking them as a dependency to "Open Remote - SSH" and connecting to a host that requires (ECDSA) certificate-based authentication.

Follow-up steps

  • A version bump and new release of Open Remote - SSH
  • Deployment out to Open - VSX

Relevant links:

@murkvin murkvin closed this May 29, 2025