Certificates support? #1608

brackleian · 2025-06-02T04:44:16Z

brackleian
Jun 2, 2025

Are there any plans to offer user authentication by SSH certificate?

Jun 3, 2025

We use libssh2_userauth_publickey_frommemory to authenticate using [email protected], [email protected], and [email protected] certificates. The trick is to read the accompanying -cert.pub file into memory and supply it as the public key data in the call to libssh2_userauth_publickey_frommemory.

More generally, when encountering LIBSSH2_ERROR_AUTHENTICATION_FAILED, you need to determine why the authentication failed. Logging can help here. You can set the logging level with libssh2_trace(session, IBSSH2_TRACE_KEX | LIBSSH2_TRACE_AUTH | LIBSSH2_TRACE_PUBLICKEY | LIBSSH2_TRACE_ERROR) and then set a logging handler with libssh2_trace_sethandler.

View full answer

willco007 · 2025-06-02T21:44:26Z

willco007
Jun 2, 2025
Maintainer

Libssh2 supports several types of cert auth, what specifically are you looking for?

0 replies

brackleian · 2025-06-02T23:20:24Z

brackleian
Jun 2, 2025
Author

Hi Will, Many thanks for replying.

On Mon, 02 Jun 2025 14:44:47 -0700 Will Cosgrove ***@***.***> wrote: Libssh2 supports several types of cert auth, what specifically are you looking for? #1608 (comment) Message ID: ***@***.***>

I need the sort where a user SSH certificate, i.e. a user's public key signed by a Certificate Authority, can be sent to the SSH server and thus authenticate that user. I tried, on the off chance, calling libssh2_userauth_publickey_frommemory, and supplying the certificate as the public key parameter, but no go, it returned LIBSSH2_ERROR_AUTHENTICATION_FAILED. Is there some way round this? Can't find any mention in the doco. Cheers, Austin.

2 replies

MichaelBuckley Jun 3, 2025
Collaborator

We use libssh2_userauth_publickey_frommemory to authenticate using [email protected], [email protected], and [email protected] certificates. The trick is to read the accompanying -cert.pub file into memory and supply it as the public key data in the call to libssh2_userauth_publickey_frommemory.

More generally, when encountering LIBSSH2_ERROR_AUTHENTICATION_FAILED, you need to determine why the authentication failed. Logging can help here. You can set the logging level with libssh2_trace(session, IBSSH2_TRACE_KEX | LIBSSH2_TRACE_AUTH | LIBSSH2_TRACE_PUBLICKEY | LIBSSH2_TRACE_ERROR) and then set a logging handler with libssh2_trace_sethandler.

Answer selected by brackleian

brackleian Jun 4, 2025
Author

I was doing what you suggest, but I suspect that my (older) version of libssh2 doesn't support all the certificate standards. Anyway, I started from scratch, using ECDSA throughout instead of RSA, and it's going nicely now.

Many thanks again for your help, which has allowed me to fix the problems I was having.

It might be good if the documentation mentioned the use of libssh2_userauth_publickey_frommemory for certificates.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Certificates support? #1608

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Certificates support? #1608

Uh oh!

brackleian Jun 2, 2025

Replies: 2 comments · 2 replies

Uh oh!

willco007 Jun 2, 2025 Maintainer

Uh oh!

brackleian Jun 2, 2025 Author

Uh oh!

MichaelBuckley Jun 3, 2025 Collaborator

Uh oh!

brackleian Jun 4, 2025 Author

brackleian
Jun 2, 2025

Replies: 2 comments 2 replies

willco007
Jun 2, 2025
Maintainer

brackleian
Jun 2, 2025
Author

MichaelBuckley Jun 3, 2025
Collaborator

brackleian Jun 4, 2025
Author