CA Authority (openssh like)


  • #25458
    Gatos
    Participant

    Hey

    I'm far from experienced with certificates, SSH, SSL, but I'm willing to learn, and that's what's important here 🙂
    So don't mind the rookie mistakes or stupid questions; I'm really excited to learn and implement the stuff I've learned.
    I've downloaded the Enterprise version of NoMachine for Windows for testing; I do have some specific ideas that I want to try.
    Systems I'm using are:
    Hosts: Windows 10 Pro (5 under KVM, two with the Enterprise version of NoMachine)
    Clients/CA: openSUSE Leap 15 (two of them, free version of NoMachine)
    OpenSSH 7.9p1

    ——————————————————————————————————————————————–
    Here’s my question/problem:
    I'm trying to implement something like SSH certificates and have it working with NoMachine in the same way it works with OpenSSH
    (key-based authentication via a cert-authority).

    I've already got the generic self-generated keys to work with the authorized.crt files; that works just fine, but it requires that I add every single key from a client to this file, and as far as I know there's no way to add "timers" to those keys.

    I want the client to send in their keys for signing to my server that is acting as a CA, and set up the NoMachine "server" to trust the keys that have been signed by my CA. This would make it so that I can add a specific time/user to the key. I've tried to look through the NoMachine forums and I haven't been able to find anything that could point me in the right direction (the only thing I can find about certificates is for web clients).

    What I've been able to do so far with NoMachine (NX protocol) is:
    1. get the basic authorized.crt file to accept randomly generated keys from any user/client
    (well, at least I can use the key-based authentication option)
    2. move the "authorized.crt" file to a remote server with read-only permissions and add the link to the server.cf file.

    This allows me to have some sort of control, and helps the client keep peace of mind when it comes to access to their computer.
    I'm able to just ask the client to send in the keys that they want signed to the server and I'll add them to their own user/machine authorized.crt file; this requires me to keep a list of every user and keep track of what machines can access what files.

    What I've been able to do with just SSH as a proof of concept for CA-based authentication:
    1. generate a CA.pem, add the CA.pub to remote servers, sign random user keys and have them log in on my SSH servers by just sending a request.
    The keys are signed with a validity time of 1 minute (or more).
    All that I have to do is add the CA.pub to the sshd_config file and authorized_keys and I'm good to go; anybody can ask for permission to log in to the server as user x and the key will be valid for time x.
    What this would allow me to do is create one single CA per machine and sign user requests without editing any files.

    The issue is that when I try to add something like:
    cert-authority ssh-rsa AAAAB3
    to authorized.crt I just get the error:
    NXSERVER ERROR! Authentication with ‘NX-private-key’ from host ‘420.69.1337.404’ failed. Error is ‘Public key not recognized’.
    With just ssh-rsa BBBBA1 in authorized.crt I get:

    NXSERVER NXMsg: Received response ‘username=user&publicKey=ssh-rsa+BBBA1’
    NXSERVER request: username=user&publicKey=ssh-rsa+BBBA1
    NXSERVER NXOpen FD#5 – file \\nx.ca\nx_keys\(vm_name)\\\user\\authorized.crt with mode…
    NXSERVER Client public key recognized.

    Nowhere in the log does it tell me what key it tried when I used the cert-authority key.
    I know that on sshd in Linux I ran into the problem that I had a @ in front of cert-authority, and that said something like "@cert not recognized", but it still gave me the signature of the key, so I knew what public key it got; here I'm just getting "Public key not recognized",
    which could be from an invalid key instead of a "file format" that it didn't expect.

    The info I'm finding in the NoMachine documentation and forums is that I can add keys from ssh-keygen (or nxkeygen) to the authorized.crt or server.crt file (I didn't try to mess with it), but I do not see any way to
    1. sign from a trusted key (other than the key that is on the "nx server")
    2. limit the time the key is valid for
    3. add centralized authentication to multiple Windows-based NX servers from one server.

    I've only been messing with the NX protocol, so maybe there's something in the SSH protocol, but I've already used two days to debug and try things out, so I thought I could ask the forums for any pointers, in case I'm doing something wrong or misunderstand how things work. I'd love to hear about it before I waste a week on this 😀

    One reason I'd like to add "SSH-like" CA control to my Windows NoMachine servers is that I could keep an automatic database with the serial number, name and address of each key that is being signed, by just using OpenSSL + OpenSSH.
    I already made a script that does just that: it allows users to make a request to the servers by sending their public RSA key generated from ssh-keygen; I generate an SSL cert on the server, make an internal request, sign it, OpenSSL logs the name and RSA key with a linked serial number, then I sign the RSA key with the SSL serial number and send it back.
    That way I can show a link between the request and the key used on the server.
    OpenSSL updates and keeps track of all the authorized keys and serial numbers; it will also detect if the key has already been requested but hasn't expired yet, so that you can't just steal the key, make a request from another computer and make the server sign it again.

    Well at least that’s the Theory 😀

    #25515
    Gatos
    Participant

    Well, I made some progress.
    I tried adding 'expiry-time="20200206" ssh-rsa Ablablabla';
    that didn't work, but I figured I could just add all the keys as a comment with that line and look for the signature in a script.
    That seems to be an easy way to filter through the keys.
    I tried using the SSH option in NoMachine, but it's not supporting any certificates generated by OpenSSH, and it's not supporting a lot of the SSH commands I'm used to.

    I'm really at a loss here; am I missing something, or is it something fundamental to the NoMachine protocol (software) that I didn't understand?

    #25514
    Cato
    Participant

    Hello Gatos,

    NoMachine currently doesn't support authentication based on signed certificates for the NX protocol. Support for this feature will be added in the future with the implementation of this FR:

    https://www.nomachine.com/FR02L02810

    You can use the SSH protocol instead. On Windows this will additionally require you to install and configure the Windows OpenSSH server. It seems that it's currently only available on Windows 10.

    Instructions for OpenSSH server and client installation and configuration:

    https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse
    https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_server_configuration

    Configuring CA certificates is almost exactly the same as on Linux; just remember to use ed25519 key types for authentication, as those are supported on Windows.

    On the client side you need to enable usage of the native SSH client by NoMachine Player:

    https://www.nomachine.com/AR09L00813

    Choose the SSH protocol with private key or authentication agent when creating the connection in NoMachine Player. Authentication with a private key paired with a signed certificate should work fine.

    #25540
    Gatos
    Participant

    Hey Cato

    Thank you for responding, I’m sorry for the late reply, I needed a small break from this 🙂

    I've configured OpenSSH for Windows 10, and I'm able to log in via standard SSH with a signed key that expires after x time.
    The key is ssh-ed25519 (with the -m PEM option added when generating the key, as per AR03Q01020),
    but when I try to use the key with NoMachine I get the error:

    "userauth_pubkey: unsupported public key algorithm: ssh-ed25519"

    "userauth_pubkey: unsupported public key algorithm: ssh-ed25519-cert-v01@openssh.com"
    (this points me to FR05Q03832; it doesn't seem like NoMachine is compatible with ed25519)
    The RSA key gives me:
    Accepted publickey for (user) (port) ssh2

    I'm able to add a key with ssh-rsa to the authorized_keys file in the OpenSSH server config (not the NoMachine one),
    but I'm not able to log in with the signed key.
    If I uncomment the RSA key I'm no longer able to log in to NoMachine, but I'm still able to SSH into Windows with the signed key.
    ———————————————————————-
    Here is what I've tried in the authorized_keys file in C:\user\(user)\.ssh (I'm not using the default admin config):

    ssh-rsa AAAA…

    #cert-authority ssh-rsa AAA… 

    This allows me to log in to NoMachine with the standard RSA key, but not to the SSH server with the signed ed25519 key.

    #ssh-rsa AAA…

    cert-authority ssh-rsa AAA…

    This allows me to log in with the signed key on the SSH server, but not NoMachine.

    —————————————————————————————————–
    I've tried signing the standard RSA key and using it to log in to the SSH server on Windows 10, but that doesn't work, so it seems ed25519 is required for Windows.
    I'm wondering if there's a compatibility issue? I tried DSA but that didn't work (:
    Any pointer to where I should be looking would be greatly appreciated, as it seems like I'm getting closer to solving this issue 🙂

    #25567
    Gatos
    Participant

    Now that I've tried it and thought about it, it doesn't seem like Windows and NoMachine are going to play nice with each other.
    (FR05Q03832)
    Obviously ed25519 isn't supported; NoMachine seems to be more focused on Linux-based machines.

    That's a shame: either I allow a user or I don't, which is basically the same result as allowing users to log in through an RSA key under the NX protocol under ANY OS, and kind of bypasses the benefits of a CA; they could just add a Windows user and add their key, while the Linux user gets an error because his key to "write" wasn't signed.

    I tried switching the PID file in the config, and the nxsshd file (pointing to sshd.exe)...
    Is there a way to use the standard SSH server (not nxclient)? Because I'm able to log in on the machine with a signed cert, but not via NoMachine because of "ed25519 not supported".

    #25602
    Cato
    Participant

    Hello Gatos,

    Please make sure to enable use of the 'native' SSH client in player.cfg as described here:

    https://www.nomachine.com/AR09L00813

    You also need to provide the port on which the OpenSSH Windows server is listening (not nxsshd) when creating the connection. When both of the above conditions are met, the NoMachine connection works the same as if you used 'ssh -i <path_to_private_key> <user_name>@<server>' from the client's terminal.

    We checked two authentication scenarios: one in which the CA's public key is stored in the file specified by the TrustedCAKeys setting in sshd_config, and one in which it's stored as a cert-authority entry in the user's authorized_keys file in the <user_home>/.ssh directory. Both of these scenarios worked fine for ed25519 keys. If your user is a member of the Administrators group, their authorized_keys file should reside in the path specified by AuthorizedKeysFile under the 'Match Group administrators' section of sshd_config.
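Added example (my own code, not from this thread, from NoMachine or from OpenSSH): a stdlib-only Python model of the two things the thread keeps circling, the 1-minute CA-signed keys from the first post and the cert-authority line in authorized_keys that the last reply confirms works on Windows OpenSSH (the sshd_config alternative mentioned there is spelled TrustedUserCAKeys). It encodes and decodes an ssh-ed25519-cert-v01@openssh.com certificate in the field order of OpenSSH's PROTOCOL.certkeys and then makes the same decision sshd makes for one authorized_keys line: which CA signed the certificate, user vs host type, validity window, principal list, and the expiry-time= option tried in the second post. Assumptions: the CA key, client key and certificate in demo() are constructed bytes with a placeholder signature, and signature verification is left out because the standard library has no Ed25519; evaluate(), parse_key_line(), parse_cert() and demo() are names of this example, not of sshd.

```python
import base64, calendar, struct, time  # stdlib only: no Ed25519, so no signature check here

CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1  # 2 would be a host certificate
_CERT_FIELDS = [("nonce", "s"), ("public_key", "s"), ("serial", ">Q"), ("type", ">I"),
                ("key_id", "s"), ("principals", "s"), ("valid_after", ">Q"),
                ("valid_before", ">Q"), ("critical_options", "s"), ("extensions", "s"),
                ("reserved", "s"), ("signature_key", "s"), ("signature", "s")]

def _put_str(b):  # RFC 4251 "string": uint32 length + bytes
    return struct.pack(">I", len(b)) + b

def _get_str(buf, i):
    n = struct.unpack_from(">I", buf, i)[0]
    return buf[i + 4:i + 4 + n], i + 4 + n

def _get_int(buf, i, fmt):  # fmt is ">I" (uint32) or ">Q" (uint64)
    return struct.unpack_from(fmt, buf, i)[0], i + struct.calcsize(fmt)

def b64(b):
    return base64.b64encode(b).decode()

def ed25519_pubkey_blob(raw32):  # the bytes behind an 'ssh-ed25519 AAAA...' line
    return _put_str(b"ssh-ed25519") + _put_str(raw32)

def build_user_cert(pub_raw, ca_raw, serial, key_id, principals,
                    valid_after, valid_before, signature=b"\x00" * 64):
    """PROTOCOL.certkeys field order; a real CA signs everything before the signature."""
    packed = b"".join(_put_str(p.encode()) for p in principals)
    body = (_put_str(CERT_TYPE.encode()) + _put_str(b"\x00" * 32)          # type, nonce
            + _put_str(pub_raw) + struct.pack(">Q", serial)
            + struct.pack(">I", SSH_CERT_TYPE_USER) + _put_str(key_id.encode())
            + _put_str(packed) + struct.pack(">QQ", valid_after, valid_before)
            + _put_str(b"") + _put_str(b"") + _put_str(b"")  # critical opts, extensions, reserved
            + _put_str(ed25519_pubkey_blob(ca_raw)))           # signature key = the CA
    return body + _put_str(_put_str(b"ssh-ed25519") + _put_str(signature))

def parse_cert(blob):
    """Decode the fields 'ssh-keygen -L' prints; raises on a non-certificate blob."""
    ktype, i = _get_str(blob, 0)
    if ktype != CERT_TYPE.encode():
        raise ValueError("not a %s blob" % CERT_TYPE)
    c = {}
    for name, kind in _CERT_FIELDS:
        c[name], i = _get_str(blob, i) if kind == "s" else _get_int(blob, i, kind)
    c["key_id"] = c["key_id"].decode()
    names, j, packed = [], 0, c["principals"]   # principals are packed as a list of strings
    while j < len(packed):
        p, j = _get_str(packed, j)
        names.append(p.decode())
    c["principals"] = names
    return c

def parse_key_line(line):
    """authorized_keys or presented-key line -> (options, keytype, blob).  Options are
    parsed simply (no commas inside quoted values), which is enough for this thread."""
    fields = line.split(None, 3)
    opts = {}
    if not fields[0].startswith(("ssh-", "ecdsa-", "sk-")):
        for tok in fields.pop(0).split(","):
            k, _, v = tok.partition("=")
            opts[k.lower()] = v.strip('"') or True
    return opts, fields[0], base64.b64decode(fields[1])

def expiry_epoch(spec):
    """sshd's expiry-time syntax: YYYYMMDD[Z] or YYYYMMDDHHMM[SS][Z]; Z means UTC."""
    utc, s = spec.endswith("Z"), spec.rstrip("Z")
    tm = time.strptime(s, {8: "%Y%m%d", 12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}[len(s)])
    return calendar.timegm(tm) if utc else time.mktime(tm)

def evaluate(auth_line, presented_line, username, now):
    """Would sshd accept presented_line for username at epoch `now` against this one
    authorized_keys line?  Returns (accepted, reason).  Signatures are NOT verified."""
    opts, _, entry_blob = parse_key_line(auth_line)
    _, ptype, pblob = parse_key_line(presented_line)
    is_cert = ptype.endswith("-cert-v01@openssh.com")
    if "expiry-time" in opts and now >= expiry_epoch(opts["expiry-time"]):
        return False, "authorized_keys entry has expired"
    if "cert-authority" not in opts:                # plain entry: exact blob match only
        if is_cert:
            return False, "plain-key entry, but a certificate was presented"
        ok = pblob == entry_blob
        return ok, "public key accepted" if ok else "public key not recognized"
    if not is_cert:
        return False, "cert-authority entry, but a plain key was presented"
    cert = parse_cert(pblob)
    if cert["signature_key"] != entry_blob:
        return False, "certificate signed by a different CA"
    if cert["type"] != SSH_CERT_TYPE_USER:
        return False, "not a user certificate"
    if not cert["valid_after"] <= now < cert["valid_before"]:
        return False, "certificate outside its validity window"
    # cert-authority lines accept an empty principal list for any user;
    # TrustedUserCAKeys is stricter and requires a matching principal.
    if cert["principals"] and username not in cert["principals"]:
        return False, "username not among certificate principals"
    return True, "certificate accepted"

def demo():
    """Constructed (not real) CA and client keys plus a 60-second user certificate,
    the shape 'ssh-keygen -s ca -I user@laptop -n user -V +1m' would produce."""
    ca_raw, client_raw = bytes(range(32)), bytes(range(32, 64))
    ca_line = "ssh-ed25519 " + b64(ed25519_pubkey_blob(ca_raw)) + " nx-ca"
    client_line = "ssh-ed25519 " + b64(ed25519_pubkey_blob(client_raw)) + " user@laptop"
    cert = build_user_cert(client_raw, ca_raw, serial=7, key_id="user@laptop",
                           principals=["user"], valid_after=1_000_000, valid_before=1_000_060)
    return {"ca_entry": "cert-authority " + ca_line, "plain_entry": client_line,
            "client_line": client_line, "cert_line": CERT_TYPE + " " + b64(cert) + " cert"}
```

With the entries from demo(), evaluate(d["ca_entry"], d["cert_line"], "user", 1_000_030) is accepted, the same certificate one second after valid_before is refused, a plain key presented against the cert-authority line is refused, and a certificate presented against a plain-key line is refused; that last pair is the behaviour the third post observed when switching which line in authorized_keys was commented out. Against a real server the missing piece is the Ed25519 signature over the certificate body, which sshd verifies with the CA key before any of the checks above, so this model must not be used as an authorizer.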
