SSH Authentication with x.509 v3 Certificates

SSH provides public key and password authentication methods. With the public key method, the possession of a private key serves as authentication.

The SSH public key authentication method works by the client sending a signature created with the user's private key. The server must check that the key is a valid authenticator for the user and that the signature is valid. If both checks pass, the authentication request must be accepted; otherwise, it must be rejected.

In SLX-OS, this feature provides an infrastructure that identifies x.509 v3 certificates and can use the certificates for SSH authentication.

Of the public key algorithms defined for x.509 v3 certificate-based SSH authentication (x509v3-ssh-dss, x509v3-ssh-rsa, x509v3-rsa2048-sha256, and the family of algorithms in x509v3-ecdsa-sha2-*), the SSH authentication feature supports x509v3-ssh-rsa and x509v3-rsa2048-sha256. In these algorithms, a public key is stored in an x.509 v3 certificate. This certificate, plus a chain of certificates leading to a trusted certificate authority and optional messages indicating the revocation status of the certificates, is sent as the public key data in the Secure Shell protocol.
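The public key data just described has a fixed wire layout (RFC 6187, section 2.1): the algorithm name, a count of certificates followed by the DER certificates with the user's certificate first, and a count of OCSP responses followed by those responses. The following Go program, added here as an illustration and not part of SLX-OS or this document, encodes and parses that layout and rejects the malformed cases a server must not accept: a blob with no certificate, a truncated string, trailing bytes, or a count large enough to exhaust memory before the client has authenticated. The certificate bytes in main are constructed placeholders, not real DER; the count limit of 16 is an assumption chosen for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// KeyBlob is the decoded form of the RFC 6187 section 2.1 public key data.
type KeyBlob struct {
	Algorithm string   // e.g. "x509v3-ssh-rsa" or "x509v3-rsa2048-sha256"
	Certs     [][]byte // DER certificates, the user's certificate first, then the chain
	OCSP      [][]byte // DER OCSP responses carrying revocation status; may be empty
}

// putString appends an SSH "string": uint32 big-endian length, then the bytes.
func putString(out, b []byte) []byte {
	return append(binary.BigEndian.AppendUint32(out, uint32(len(b))), b...)
}

// getString reads one SSH "string" and returns it with the unread remainder.
func getString(data []byte) ([]byte, []byte, error) {
	if len(data) < 4 {
		return nil, nil, errors.New("truncated length field")
	}
	n := binary.BigEndian.Uint32(data)
	if uint64(len(data)-4) < uint64(n) {
		return nil, nil, errors.New("string runs past the end of the blob")
	}
	return data[4 : 4+n], data[4+n:], nil
}

// getList reads a uint32 count followed by that many SSH strings, refusing absurd counts
// so that an unauthenticated client cannot make the server allocate without bound.
func getList(data []byte, limit uint32) ([][]byte, []byte, error) {
	if len(data) < 4 {
		return nil, nil, errors.New("truncated count field")
	}
	count, rest := binary.BigEndian.Uint32(data), data[4:]
	if count > limit {
		return nil, nil, fmt.Errorf("count %d exceeds limit %d", count, limit)
	}
	items := make([][]byte, 0, count)
	for i := uint32(0); i < count; i++ {
		item, next, err := getString(rest)
		if err != nil {
			return nil, nil, err
		}
		items, rest = append(items, item), next
	}
	return items, rest, nil
}

// Encode serialises the blob as it travels inside SSH_MSG_USERAUTH_REQUEST.
func (k KeyBlob) Encode() []byte {
	out := putString(nil, []byte(k.Algorithm))
	for _, list := range [][][]byte{k.Certs, k.OCSP} {
		out = binary.BigEndian.AppendUint32(out, uint32(len(list)))
		for _, item := range list {
			out = putString(out, item)
		}
	}
	return out
}

// Decode parses a blob, rejecting the malformed cases a server must not accept.
func Decode(blob []byte) (KeyBlob, error) {
	alg, rest, err := getString(blob)
	if err != nil {
		return KeyBlob{}, err
	}
	certs, rest, err := getList(rest, 16)
	if err != nil {
		return KeyBlob{}, err
	}
	if len(certs) == 0 {
		return KeyBlob{}, errors.New("certificate-count must be at least 1")
	}
	ocsp, rest, err := getList(rest, 16)
	if err != nil {
		return KeyBlob{}, err
	}
	if len(rest) != 0 {
		return KeyBlob{}, errors.New("trailing bytes after the OCSP responses")
	}
	return KeyBlob{Algorithm: string(alg), Certs: certs, OCSP: ocsp}, nil
}

func main() {
	// Constructed placeholders stand in for DER-encoded certificates.
	blob := KeyBlob{Algorithm: "x509v3-rsa2048-sha256", Certs: [][]byte{[]byte("USER-CERT-DER"), []byte("CA-CERT-DER")}}
	decoded, err := Decode(blob.Encode())
	fmt.Println(decoded.Algorithm, len(decoded.Certs), "certificates,", len(decoded.OCSP), "OCSP responses, err =", err)
}
```

The framing is parsed before any certificate is examined, so the bounds checks in getString and getList are the first line of defence; a real server would hand decoded.Certs to its X.509 chain builder and decoded.OCSP to its revocation checker next.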

The x.509 v3-based public key algorithms (x509v3-ssh-dss, x509v3-ssh-rsa, and x509v3-ecdsa-sha2-*) work analogously to the corresponding non-x.509 v3-based public key algorithms (ssh-dss, ssh-rsa, and ecdsa-sha2-*).

The x509v3-rsa2048-sha256 public key algorithm provides a mechanism similar to ssh-rsa, but with a different hash function and additional key size constraints.
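The server-side decision described earlier (the key must be a valid authenticator for the user and the signature must verify) together with the x509v3-rsa2048-sha256 constraints (SHA-256 in place of SHA-1, an RSA key of at least 2048 bits) can be shown end to end. The Go program below is an added example, not SLX-OS code: it builds the data a client signs for an SSH "publickey" request (RFC 4252, section 7), signs it, and then applies the server's checks in order: chain to a trusted CA, certificate belongs to the requesting user, key meets the algorithm's constraints, signature verifies. The CA, the user "alice", the session identifier and the key-blob bytes are all constructed for the example; matching the certificate's Common Name to the user name stands in for the Distinguished Name that the certutil sshx509v3 command configures, and intermediate certificates are left out for brevity.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/binary"
	"fmt"
	"math/big"
	"time"
)

const alg = "x509v3-rsa2048-sha256" // the RFC 6187 algorithm this example implements

// putString appends an SSH "string": uint32 big-endian length, then the bytes.
func putString(out, b []byte) []byte {
	return append(binary.BigEndian.AppendUint32(out, uint32(len(b))), b...)
}

// signedData is the data a client signs for a "publickey" request (RFC 4252 section 7);
// keyBlob is the RFC 6187 public key data (the certificate chain) carried in that request.
func signedData(sessionID []byte, user string, keyBlob []byte) []byte {
	data := append(putString(nil, sessionID), 50) // 50 = SSH_MSG_USERAUTH_REQUEST
	for _, s := range []string{user, "ssh-connection", "publickey"} {
		data = putString(data, []byte(s))
	}
	data = append(data, 1) // TRUE: a signature follows
	return putString(putString(data, []byte(alg)), keyBlob)
}

// serverVerify: the certificate must be a valid authenticator for user and sig must verify; else reject.
func serverVerify(roots *x509.CertPool, leaf *x509.Certificate, sessionID []byte, user string, keyBlob, sig []byte) error {
	// The certificate must chain to a CA trusted for SSH-x509v3 (what "crypto ca authenticate" establishes).
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	// It must belong to the requesting user; CN equality stands in for the configured DN match.
	if leaf.Subject.CommonName != user {
		return fmt.Errorf("certificate subject %q is not user %q", leaf.Subject.CommonName, user)
	}
	// x509v3-rsa2048-sha256 constrains the key: RSA, at least 2048 bits.
	pub, ok := leaf.PublicKey.(*rsa.PublicKey)
	if !ok || pub.N.BitLen() < 2048 {
		return fmt.Errorf("%s requires an RSA key of at least 2048 bits", alg)
	}
	sum := sha256.Sum256(signedData(sessionID, user, keyBlob))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) // SHA-256, PKCS#1 v1.5
}

// newCert issues a constructed test certificate for cn signed by parent (self-signed when parent is nil).
func newCert(cn string, bits int, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// authenticate runs one exchange end to end and returns the server's verdict for requestUser.
func authenticate(certUser, requestUser string, bits int) error {
	ca, caKey, err := newCert("Example SSH CA", 2048, true, nil, nil)
	if err != nil {
		return err
	}
	userCert, userKey, err := newCert(certUser, bits, false, ca, caKey)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	sessionID, keyBlob := []byte("constructed-session-id"), []byte("constructed-key-blob")
	sum := sha256.Sum256(signedData(sessionID, certUser, keyBlob)) // client side
	sig, err := rsa.SignPKCS1v15(rand.Reader, userKey, crypto.SHA256, sum[:])
	if err != nil {
		return err
	}
	return serverVerify(roots, userCert, sessionID, requestUser, keyBlob, sig)
}

func main() {
	fmt.Println("valid:", authenticate("alice", "alice", 2048), "| wrong user:", authenticate("alice", "bob", 2048), "| 1024-bit key:", authenticate("alice", "alice", 1024))
}
```

Because the session identifier is part of the signed data, a signature captured from one session cannot be replayed in another, and because the user name is part of it, a certificate for alice cannot be presented for bob even before the subject check runs. The key-size check precedes signature verification so that a weak key is refused regardless of whether its signature would verify.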

Table 1. Related commands

Command                   Function
certutil sshx509v3        Configures the SSH user certificate Distinguished Name (DN).
crypto ca authenticate    Identifies the root CA certificate, which is used to sign the Certificate Signing Request (CSR) to generate the server certificate. The ssh-x509v3 option indicates that the certificate is used for SSH-x509v3 authentication.
crypto ca enroll          Enrolls the trust point by generating the Certificate Signing Request (CSR) and exporting it to the remote certificate server. The ssh-x509v3 option indicates that the certificate is used for SSH-x509v3 authentication.
crypto ca import          Imports the Identity Certificate for security configuration. The ssh-x509v3 option indicates that the certificate is used for SSH-x509v3 authentication.
crypto import             Imports the Identity Certificate for security configuration. The ssh-x509v3 option defines the certification protocol.
ssh server algorithm      Configures the SSH server host key algorithm to be used for x.509 v3 certificate-based SSH authentication (server authentication).
ssh server certificate    Configures the SSH server certificate profile and enters SSH server certificate profile configuration mode.
trustpoint sign           Configures the trust point in the server certificate profile that is used to sign the server certificate.