
Openpubkey SSH workflow details

Çağlar Arlı


Currently looking into OpenPubKey and more specifically into OpenPubkey SSH:

Terminology:

  • OPK => OpenPubkey
  • OIDC => OpenID Connect
  • OP => OpenID provider

I still have some problems understanding the details. My understanding of the workflow for OPK SSH is the following:

  • OPK client calls OPK SSH client executable, detailed steps below:

    • OPK client generates new keypair for Alice (private/public)
    • OPK client computes nonce (SHA3_256(upk=alice-pubkey, alg=ES256, rz=crypto.Rand()))
    • OPK client initiates OIDC authentication with OP (e.g. google.com) and sends along above computed nonce
    • OP asks for Alice's consent and credentials
    • Alice accepts and successfully authenticates to OP
    • OP sends back ID Token (including the nonce and identity information) signed by OP (google.com private key)

    NOT SURE ABOUT ALL STEPS BELOW

    • OPK Client creates SSH certificate:
      • Puts alice-pubkey in pubkey field
      • Puts ID token and the random value (generated before, part of nonce) in Subject field
      • ...other fields
      • Includes signature (signed SSH certificate fields, signed by alice-privkey) => is this correct?
    • OPK Client connects to OPK SSH Server via SSH by presenting SSH certificate
  • OPK SSH Server receives SSH certificate and forwards it to OPK SSH server executable (specified for AuthorizedKeysCommand):

    • OPK SSH Server extracts alice-pubkey from SSH certificate
    • OPK SSH Server checks SSH certificate signature with alice-pubkey
    • OPK SSH Server gets OP pubkey (publicly available), extracts ID Token and checks its signature (must be signed by OP)
    • OPK SSH Server extracts email from ID Token and checks in OPK SSH config (policies.yaml) if that user should be granted access
      • If the user has access, continue with steps below, otherwise deny access
    • OPK SSH Server computes nonce with random number and alice-pubkey (both extracted from SSH cert)
    • OPK SSH Server compares nonce computed above with nonce from ID Token
      • If they match, user can login

Can you guys please have a look at that workflow and maybe add/correct things if necessary? I have not found a detailed OpenPubkey SSH workflow anywhere, so this could possibly be beneficial in avoiding a lot of future questions regarding the inner workings of OpenPubkey SSH as soon as it gets more popular.

Please also add/correct anything regarding the terminology used.

Thanks in advance :)
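The nonce-binding check at the heart of the workflow above, as an added example that is not part of the original post and not OpenPubkey's own code. It models the three parties the question describes (OPK client, OP, OPK SSH server) with the Go standard library only: the client generates a keypair and a random value `rz`, commits to them in the nonce, the simulated OP signs an ID token echoing that nonce, and the server side recomputes the nonce from the presented public key and `rz` and compares it with the OP-signed value, after checking the OP signature, the policy and the client's proof of possession. Assumptions: plain SHA-256 stands in for the SHA3-256 named in the question, a JSON-plus-ECDSA structure stands in for a real JWT, and the `PKToken`, `ClientCommit`, `IssueIDToken`, `ClientFinish` and `ServerVerify` names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// nonceCommit holds the three values the question says are hashed into the OIDC nonce.
type nonceCommit struct {
	Upk string `json:"upk"` // client public key, base64 PKIX DER
	Alg string `json:"alg"` // signing algorithm, "ES256"
	Rz  string `json:"rz"`  // client random value, hex
}

// ComputeNonce derives the nonce from the commitment. SHA-256 is an assumption standing in
// for SHA3-256; the binding property (nonce fixes upk and rz) is the same.
func ComputeNonce(upk, alg, rz string) string {
	b, _ := json.Marshal(nonceCommit{Upk: upk, Alg: alg, Rz: rz})
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// IDToken is a minimal stand-in for the OP-signed token: JSON claims plus an ECDSA signature.
type IDToken struct {
	Payload []byte
	Sig     []byte
}

type claims struct {
	Email string `json:"email"`
	Nonce string `json:"nonce"`
}

// PKToken is what the client presents for SSH auth: its key, rz, the ID token, and the
// client's own signature over all of it (proof of possession of the private key).
type PKToken struct {
	Upk, Alg, Rz string
	Token        IDToken
	Sig          []byte
}

// ClientCommit runs before the OIDC flow: new keypair, random rz, and the nonce to send to the OP.
func ClientCommit() (*ecdsa.PrivateKey, PKToken, string, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, PKToken{}, "", err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, PKToken{}, "", err
	}
	rz := make([]byte, 32)
	if _, err := rand.Read(rz); err != nil {
		return nil, PKToken{}, "", err
	}
	pk := PKToken{Upk: base64.StdEncoding.EncodeToString(der), Alg: "ES256", Rz: hex.EncodeToString(rz)}
	return priv, pk, ComputeNonce(pk.Upk, pk.Alg, pk.Rz), nil
}

// IssueIDToken simulates the OP: after the user authenticates, it signs claims that echo the nonce.
func IssueIDToken(opKey *ecdsa.PrivateKey, email, nonce string) (IDToken, error) {
	payload, err := json.Marshal(claims{Email: email, Nonce: nonce})
	if err != nil {
		return IDToken{}, err
	}
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, opKey, h[:])
	return IDToken{Payload: payload, Sig: sig}, err
}

// pkDigest is the message the client signs: every field the server will rely on.
func pkDigest(pk PKToken) []byte {
	h := sha256.New()
	h.Write([]byte(pk.Upk + "|" + pk.Alg + "|" + pk.Rz + "|"))
	h.Write(pk.Token.Payload)
	return h.Sum(nil)
}

// ClientFinish attaches the ID token and signs the assembled token with the client's private key.
func ClientFinish(priv *ecdsa.PrivateKey, pk PKToken, tok IDToken) (PKToken, error) {
	pk.Token = tok
	sig, err := ecdsa.SignASN1(rand.Reader, priv, pkDigest(pk))
	pk.Sig = sig
	return pk, err
}

// ServerVerify is the AuthorizedKeysCommand side; it returns the authenticated email or an error.
func ServerVerify(opPub *ecdsa.PublicKey, allowed map[string]bool, pk PKToken) (string, error) {
	h := sha256.Sum256(pk.Token.Payload) // 1. ID token must carry a valid OP signature
	if !ecdsa.VerifyASN1(opPub, h[:], pk.Token.Sig) {
		return "", errors.New("id token signature invalid")
	}
	var c claims
	if err := json.Unmarshal(pk.Token.Payload, &c); err != nil {
		return "", err
	}
	if !allowed[c.Email] { // 2. policy check on the identity the OP asserted
		return "", fmt.Errorf("%s not permitted by policy", c.Email)
	}
	der, err := base64.StdEncoding.DecodeString(pk.Upk) // 3. client must hold the key for upk
	if err != nil {
		return "", err
	}
	parsed, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return "", err
	}
	upk, ok := parsed.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(upk, pkDigest(pk), pk.Sig) {
		return "", errors.New("client signature invalid")
	}
	if ComputeNonce(pk.Upk, pk.Alg, pk.Rz) != c.Nonce { // 4. nonce must commit to this upk and rz
		return "", errors.New("nonce does not commit to the presented public key")
	}
	return c.Email, nil
}
```

Step 4 is the one that makes the ID token usable as an SSH credential at all: without it, any valid token for a permitted email could be paired with an arbitrary key. Steps 3 and 4 together are why the server needs both `rz` and the client signature, which matches the poster's reading of what goes into the certificate.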