I generated an SSH key pair on my machine, and some other party has my public key. Is there a way for me to prove to the party that I have the corresponding private key? Of course this is possible, since it happens under the hood when making an SSH connection using the key. I am asking if existing tools can be used to perform just the SSH authentication, without giving shell access.
- Related, https://unix.stackexchange.com/q/26924/100397, which describes how to convert the SSH keypair into a keypair that you can use to encrypt/decrypt a message. Have your other party encrypt a message with your public key and you should be able to decrypt it with your private key – Chris Davies Jun 12 '21 at 20:50
- You have already stated it is technically possible to prove that ssh authentication works exactly as it is designed to work. The real issue appears to be how you can establish this to the satisfaction of a third party. Really you should be asking this third party what they want/can provide, not us. – symcbean Jun 13 '21 at 00:03
- @symcbean I meant the question to be more: what tools can the other party and I use for authentication. I might just as easily have asked the question "I am the other party, how can I verify that Franklin has the private key?" – Franklin Jun 13 '21 at 03:22
- @Franklin That's the concept of a Digital Signature. Briefly, if you sign a message with your private key, a receiving party can use the corresponding public key to verify it. – Haxiel Jun 13 '21 at 03:52
- Also, you mention not providing shell access after SSH authentication. This could be as simple as setting /bin/nologin as a user's shell. Can you explain your requirement a little more? – Haxiel Jun 13 '21 at 03:54
1 Answer
Yes, this is possible. Recent versions of OpenSSH support data signatures. You can do this like the following:
- The other party (the verifier) sends you a random challenge as a file.
- You run `ssh-keygen -Y sign -f ~/.ssh/id_ed25519 -n proof challenge-file` (adjusting for key and file name).
- You send `challenge-file.sig` to the verifier and tell them to verify with the namespace `proof`.
- The verifier runs `ssh-keygen -Y verify -n proof` with appropriate arguments to verify the signature.
bk2204
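The exchange from the answer above, carried end to end on one host as an added example (not code from the answer or from OpenSSH): the throwaway key, the principal name `franklin@example`, the `allowed_signers` file and all file names are constructed here. It also shows the two checks the verifier relies on, that a modified challenge and a wrong namespace are both rejected.

```shell
#!/bin/sh
# Added example: challenge -> sign -> verify with ssh-keygen -Y, both roles
# played in one temporary directory. Key, principal and file names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PRINCIPAL='franklin@example'   # identity the verifier binds the public key to

# Prover: throwaway Ed25519 key standing in for ~/.ssh/id_ed25519.
ssh-keygen -q -t ed25519 -N '' -C "$PRINCIPAL" -f "$WORK/id_ed25519"

# Verifier: register the prover's public key in an allowed_signers file.
# Line format: "<principal> <key-type> <base64-key>" (comment field dropped).
printf '%s %s\n' "$PRINCIPAL" "$(cut -d' ' -f1,2 "$WORK/id_ed25519.pub")" \
    > "$WORK/allowed_signers"

# Step 1 (verifier): a fresh random challenge, so a captured .sig cannot be replayed.
od -An -tx1 -N32 /dev/urandom | tr -d ' \n' > "$WORK/challenge"

# Step 2 (prover): sign the challenge in the agreed namespace; writes <file>.sig.
sign_challenge() {    # $1 = private key, $2 = challenge file, $3 = namespace
    ssh-keygen -Y sign -f "$1" -n "$3" "$2" 2>/dev/null
}

# Steps 3-4 (verifier): check the detached signature against allowed_signers.
# Exit status 0 = good signature for this principal and namespace, non-zero otherwise.
verify_proof() {      # $1 = challenge file, $2 = signature file, $3 = namespace
    ssh-keygen -Y verify -f "$WORK/allowed_signers" -I "$PRINCIPAL" \
        -n "$3" -s "$2" < "$1" >/dev/null 2>&1
}

sign_challenge "$WORK/id_ed25519" "$WORK/challenge" proof

# A modified challenge (one extra byte) must not verify with the same signature.
cp "$WORK/challenge" "$WORK/challenge.tampered"
printf 'x' >> "$WORK/challenge.tampered"

if verify_proof "$WORK/challenge" "$WORK/challenge.sig" proof; then
    echo "genuine challenge: signature verified"
fi
if ! verify_proof "$WORK/challenge.tampered" "$WORK/challenge.sig" proof; then
    echo "tampered challenge: rejected"
fi
if ! verify_proof "$WORK/challenge" "$WORK/challenge.sig" other; then
    echo "wrong namespace: rejected"
fi
```

In a real exchange only the challenge and the `.sig` file cross between the parties; the verifier keeps `allowed_signers` and the prover keeps the private key.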