Cert (#236)

pkittenis · web-flow · commit d9735003fc90 · 2020-10-25T12:12:40.000Z
* Added certificate authentication for ssh client
* Updated parallel and single clients for cert auth. Added embedded openssh certificate authentication support. 
* Added parallel client cert auth test. 
* Updated docs.
* Updated requirements, setup.py
* Updated changelog
diff --git a/.gitignore b/.gitignore
@@ -44,3 +44,6 @@ pypy
 
 # Documentation builds
 doc/_build
+
+tests/unit_test_cert_key-cert.pub
+tests/embedded_server/principals
diff --git a/Changelog.rst b/Changelog.rst
@@ -1,6 +1,14 @@
 Change Log
 ============
 
+2.1.0
++++++
+
+Changes
+-------
+
+* Added certificate authentication support for the ``pssh.clients.ssh`` clients.
+
 2.0.0
 +++++
 
diff --git a/doc/advanced.rst b/doc/advanced.rst
@@ -99,6 +99,25 @@ GSS authentication allows logins using Windows LDAP configured user accounts via
 ``ssh-python`` :py:class:`ParallelSSHClient <pssh.clients.ssh.parallel.ParallelSSHClient>` only.
 
 
+Certificate authentication
+--------------------------
+
+In the ``pssh.clients.ssh`` clients, certificate authentication is supported.
+
+.. code-block:: python
+
+   from pssh.clients.ssh import ParallelSSHClient
+
+   client = ParallelSSHClient(hosts, pkey='id_rsa', cert_file='id_rsa-cert.pub')
+
+
+Where ``id_rsa-cert.pub`` is an RSA signed certificate file for the ``id_rsa`` private key.
+
+Both private key and corresponding signed public certificate file must be provided.
+
+``ssh-python`` :py:mod:`ParallelSSHClient <pssh.clients.ssh>` clients only.
+
+
 Tunnelling
 **********
 
diff --git a/doc/constants.rst b/doc/constants.rst
@@ -0,0 +1,7 @@
+Constants
+==========
+
+.. automodule:: pssh.constants
+    :members:
+    :undoc-members:
+    :member-order: groupwise
diff --git a/pssh/clients/ssh/parallel.py b/pssh/clients/ssh/parallel.py
@@ -30,6 +30,7 @@ class ParallelSSHClient(BaseParallelSSHClient):
     """ssh-python based parallel client."""
 
     def __init__(self, hosts, user=None, password=None, port=22, pkey=None,
+                 cert_file=None,
                  num_retries=DEFAULT_RETRIES, timeout=None, pool_size=100,
                  allow_agent=True, host_config=None, retry_delay=RETRY_DELAY,
                  forward_ssh_agent=False,
@@ -52,6 +53,13 @@ def __init__(self, hosts, user=None, password=None, port=22, pkey=None,
         :param pkey: Private key file path to use. Path must be either absolute
           path or relative to user home directory like ``~/<path>``.
         :type pkey: str
+        :param cert_file: Public key signed certificate file to use for
+          authentication. The corresponding private key must also be provided
+          via ``pkey`` parameter.
+          For example ``pkey='id_rsa',cert_file='id_rsa-cert.pub'`` for RSA
+          signed certificate.
+          Path must be absolute or relative to user home directory.
+        :type cert_file: str
         :param num_retries: (Optional) Number of connection and authentication
           attempts before the client gives up. Defaults to 3.
         :type num_retries: int
@@ -126,6 +134,7 @@ def __init__(self, hosts, user=None, password=None, port=22, pkey=None,
             host_config=host_config, retry_delay=retry_delay,
             identity_auth=identity_auth)
         self.pkey = _validate_pkey_path(pkey)
+        self.cert_file = _validate_pkey_path(cert_file)
         self.forward_ssh_agent = forward_ssh_agent
         self.gssapi_auth = gssapi_auth
         self.gssapi_server_identity = gssapi_server_identity
@@ -243,7 +252,9 @@ def _make_ssh_client(self, host_i, host):
                 host_i, host)
             _client = SSHClient(
                 host, user=_user, password=_password, port=_port,
-                pkey=_pkey, num_retries=self.num_retries,
+                pkey=_pkey,
+                cert_file=self.cert_file,
+                num_retries=self.num_retries,
                 timeout=self.timeout,
                 allow_agent=self.allow_agent, retry_delay=self.retry_delay,
                 gssapi_auth=self.gssapi_auth,
diff --git a/pssh/clients/ssh/single.py b/pssh/clients/ssh/single.py
@@ -25,13 +25,14 @@
 from gevent.select import POLLIN, POLLOUT
 from ssh import options
 from ssh.session import Session, SSH_READ_PENDING, SSH_WRITE_PENDING
-from ssh.key import import_privkey_file
+from ssh.key import import_privkey_file, import_cert_file, copy_cert_to_privkey
 from ssh.exceptions import EOF
 from ssh.error_codes import SSH_AGAIN
 
 from ..base.single import BaseSSHClient
 from ...exceptions import AuthenticationError, SessionError, Timeout
 from ...constants import DEFAULT_RETRIES, RETRY_DELAY
+from ..common import _validate_pkey_path
 
 
 logger = logging.getLogger(__name__)
@@ -43,6 +44,7 @@ class SSHClient(BaseSSHClient):
     def __init__(self, host,
                  user=None, password=None, port=None,
                  pkey=None,
+                 cert_file=None,
                  num_retries=DEFAULT_RETRIES,
                  retry_delay=RETRY_DELAY,
                  allow_agent=True, timeout=None,
@@ -64,6 +66,13 @@ def __init__(self, host,
           be either absolute path or relative to user home directory
           like ``~/<path>``.
         :type pkey: str
+        :param cert_file: Public key signed certificate file to use for
+          authentication. The corresponding private key must also be provided
+          via ``pkey`` parameter.
+          For example ``pkey='id_rsa',cert_file='id_rsa-cert.pub'`` for RSA
+          signed certificate.
+          Path must be absolute or relative to user home directory.
+        :type cert_file: str
         :param num_retries: (Optional) Number of connection and authentication
           attempts before the client gives up. Defaults to 3.
         :type num_retries: int
@@ -96,6 +105,7 @@ def __init__(self, host,
         :raises: :py:class:`pssh.exceptions.PKeyFileError` on errors finding
           provided private key.
         """
+        self.cert_file = _validate_pkey_path(cert_file, host)
         self.gssapi_auth = gssapi_auth
         self.gssapi_server_identity = gssapi_server_identity
         self.gssapi_client_identity = gssapi_client_identity
@@ -194,10 +204,18 @@ def _password_auth(self):
             raise AuthenticationError("Password authentication failed - %s", ex)
 
     def _pkey_auth(self, pkey, password=None):
-        password = b'' if not password else password
         pkey = import_privkey_file(pkey, passphrase=password)
+        if self.cert_file is not None:
+            logger.debug("Certificate file set - trying certificate authentication")
+            self._import_cert_file(pkey)
         self.session.userauth_publickey(pkey)
 
+    def _import_cert_file(self, pkey):
+        cert_key = import_cert_file(self.cert_file)
+        self.session.userauth_try_publickey(cert_key)
+        copy_cert_to_privkey(cert_key, pkey)
+        logger.debug("Imported certificate file %s for pkey %s", self.cert_file, self.pkey)
+
     def open_session(self):
         """Open new channel from session."""
         logger.debug("Opening new channel on %s", self.host)
diff --git a/requirements.txt b/requirements.txt
@@ -1,3 +1,3 @@
 gevent>=1.1
 ssh2-python>=0.22.0
-ssh-python>=0.7.0
+ssh-python>=0.8.0
diff --git a/setup.py b/setup.py
@@ -37,7 +37,7 @@
                         '*.tests', '*.tests.*')
       ),
       install_requires=[
-          'gevent>=1.1', 'ssh2-python>=0.22.0', 'ssh-python>=0.7.0'],
+          'gevent>=1.1', 'ssh2-python>=0.22.0', 'ssh-python>=0.8.0'],
       classifiers=[
           'Development Status :: 5 - Production/Stable',
           'License :: OSI Approved :: GNU Lesser General Public License v2 (LGPLv2)',
diff --git a/tests/embedded_server/ca_host_key b/tests/embedded_server/ca_host_key
@@ -0,0 +1,40 @@
+-----BEGIN PRIVATE KEY-----
+MIIG/gIBADANBgkqhkiG9w0BAQEFAASCBugwggbkAgEAAoIBgQCphJViWy6xwUQn
+gUeHU2AmHaHj/kkDSI4dHQLoWhYwEQ85CowwDaJ7NhZBr6bpA0OTYBgXcfkQw8nc
+H2k6HybfeT9KXLogTS/hKwZIz1NY5bvVBHSXI8uzSX5OlBujPUxk99kc1Vm3OA9f
+KB0iCdufgmdXo+3c3JBG5EqO4H21u8zxwfHmVpigkERGxMYkOMWEjAF7i7kptG9d
+0Gtijw8GWYUmO7R2xkBWsLaZY3llOdCCH6EDYerfHdUOnkwvm0yhy4UqSt8Cu6Xo
+ErhdH4l+uF4Pbz+rWgmQ7GQlpSCgZqrIAyyQyTQOn+heFkGr407lFl+PkClXHK5N
+gZ90EgXSA+dRNl9Qjw3BO5tUN9jWALEURfT4CQemtSe+1JNMbxsA7+byW1YeLbVZ
+knBMieRhMoerXRvG9ENglkYeFzKeKKAj0pS5FzzegXP4QxK+XAkX1Mw3GTRGkrpw
+rd8b6FVWf/yFzCFkm//rCQiQ933om57Q3QQriJtABfBH0L9bg2sCAwEAAQKCAYEA
+i3Ld0INh7igmgLkAtnoH5lMKEhvkxCazgY+UDL/O8MuX0jyzBfSxbNoZhP+SNqzQ
+sjOinebMFNZ6//F3BrEJsVx0jB+rnVbhxEE4cjzbO44A7kM0BgEUWPBkTw/XjHmo
+loasu+NmYipjusus64tgd982VAouajmnFipGizJxN0a+WUJKVEl4VN1YzT6iILnz
+Ag6KSa+vKnecBXimXfWBTp/lwIXs9qgv1SCZlaUXAAaHWAPc2IN8Sv6nfdcKpT8C
+fDE9du146QvFlfvzxvyz5c5OwIlKHc/6+LSOcp+OJTE+8mrXqkYJGLuD8pdPVYQm
+NfpzHm7LKUNwS2v+lS9hviEwIGkZo4ZepFB4ij9wllngBY4j9jGPlakwUu0D9Vyf
+r+pHUrKfRVi8xqyZT9S20Z+3KkTqAVeblPWCxBGvyAl2JU/sY2LelfZo+P89uKqU
+12+uEha5WIyCgMyBuYS0LUgzkBLfQAsBj1RLcqvG3WLV1sSXL6q2U5OvdC3tTevB
+AoHBANjwpGuxibDk/UnKbVtOxJbpUJkM8BiZnV8NuPXvi/qHjfwrTK/UnRwC5ZCZ
+eetm5vWCxClspVewidR3HWa1kxTVcgSO2J3PlAgpKR8phdkFO68+heLExYamYUgu
+IYP3C0Kygcj9HLWueJtecq/ogUNYmJKCcI381iTbt2iqth/35nbe8l7Xa+XBfvhS
+ytVohlO3QZX/ubtosgNEwuxGDQj9YxEejt5t0f8CHVETvN+xzbWjnIpn3+KJLKRy
+DdHs3QKBwQDICiB8wImZFNnrDGpycng78P34CUrxaEmCN1/SiN2GJ5LYVS++K2Pc
+I/9a0x4TSGvDNCNt4RE8ebwWcTe0U8rEw99kUKNlI4ZvpVJvv0vH8IabGC3p0gBf
+OlGhoIYOqvDzkL58P48IbP43wfOGJqenkGx8SXWEGUnYTzSEoFJHv3RHE9b86q0b
+cm3NyyxBWPM9DBQ2e594ouVNKeLo6HT3j5ZW5ypFjWhCnIoyENabPAHWTYKUnu/f
+W7NN1W+5aOcCgcABQSsCQG2Wa0yXr6cAPy1d3g2MRQniaokBcrfeHDuIAF6u1aVE
+4wrhjZa8RlbxKJAvXUk7IBi4sBmr8+BkpqoqFa3qHtVb3EZz4aEOQBQ5FBGrSsZF
+cHPf+nhXjYS+GaCkCxo7ClOvLUofQ+WP5N1SgWGofz6dY5ftcKPX5BzXhHx9tX5b
+VA2Yr4zHbNslbsxQEaA8eNUfI1TcNfqWmTUcFzMKd03GNYZgXifDP0T5WjLhWQff
+uQgPbFGoxcwUqbUCgcBomYsFULRinJmao8Jhl+OxDEHw2gMbGnodohD0COc1CCpr
+/pdZbFzqNtSGzJAUazEWQIQqJ58YrVshrRAAtjP4EagVT2kxMJNSe/MQRco9gVMR
+dGJFuq7BHMCksEiJEO+vnMdONvn24O9Jfpx1UG8oWoevscXGTmbjuf7vPtnndIA7
+zm8Djz73dC1gh9XbUcTW7iL/nkL0FNGsOLPTMAJBlQ564KOk/N1Av5Qvu8hMIeOg
+CKW4SyeI9u1aTLoADI8CgcEA0zy4laBzjAlN6Uc7RTTiqd259R7vqlc95wPkLDS0
+jg+mfpNHyNdtAhHnFnKVYgu4qqshcjX4BwW1m15/lHZ3VTY71U0TYHGeD1F2WY7R
+ptMFo8iiUrY1qAS79dFutY5MGHD9htw11j52GgBz0dAB1Z9MtXblS+3QeS0m79g8
+srLhNUQPKrl61h2aT2nv2mROYZJ5lkDcByGcwSpXAAUXrJ7WQtcaQ5awq/Uqwfac
+niIHADTER1prOuXylm1pWZdk
+-----END PRIVATE KEY-----
diff --git a/tests/embedded_server/ca_host_key-cert.pub b/tests/embedded_server/ca_host_key-cert.pub
@@ -0,0 +1 @@
+ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgu84sipb+xoLb4xY/PnjXE6HGJlJKz+VdqW+Z9oMFMv4AAAADAQABAAABgQCphJViWy6xwUQngUeHU2AmHaHj/kkDSI4dHQLoWhYwEQ85CowwDaJ7NhZBr6bpA0OTYBgXcfkQw8ncH2k6HybfeT9KXLogTS/hKwZIz1NY5bvVBHSXI8uzSX5OlBujPUxk99kc1Vm3OA9fKB0iCdufgmdXo+3c3JBG5EqO4H21u8zxwfHmVpigkERGxMYkOMWEjAF7i7kptG9d0Gtijw8GWYUmO7R2xkBWsLaZY3llOdCCH6EDYerfHdUOnkwvm0yhy4UqSt8Cu6XoErhdH4l+uF4Pbz+rWgmQ7GQlpSCgZqrIAyyQyTQOn+heFkGr407lFl+PkClXHK5NgZ90EgXSA+dRNl9Qjw3BO5tUN9jWALEURfT4CQemtSe+1JNMbxsA7+byW1YeLbVZknBMieRhMoerXRvG9ENglkYeFzKeKKAj0pS5FzzegXP4QxK+XAkX1Mw3GTRGkrpwrd8b6FVWf/yFzCFkm//rCQiQ933om57Q3QQriJtABfBH0L9bg2sAAAAAAAAAAAAAAAIAAAAMdGVzdF9jYV9ob3N0AAAAAAAAAAAAAAAA//////////8AAAAAAAAAAAAAAAAAAAGXAAAAB3NzaC1yc2EAAAADAQABAAABgQCphJViWy6xwUQngUeHU2AmHaHj/kkDSI4dHQLoWhYwEQ85CowwDaJ7NhZBr6bpA0OTYBgXcfkQw8ncH2k6HybfeT9KXLogTS/hKwZIz1NY5bvVBHSXI8uzSX5OlBujPUxk99kc1Vm3OA9fKB0iCdufgmdXo+3c3JBG5EqO4H21u8zxwfHmVpigkERGxMYkOMWEjAF7i7kptG9d0Gtijw8GWYUmO7R2xkBWsLaZY3llOdCCH6EDYerfHdUOnkwvm0yhy4UqSt8Cu6XoErhdH4l+uF4Pbz+rWgmQ7GQlpSCgZqrIAyyQyTQOn+heFkGr407lFl+PkClXHK5NgZ90EgXSA+dRNl9Qjw3BO5tUN9jWALEURfT4CQemtSe+1JNMbxsA7+byW1YeLbVZknBMieRhMoerXRvG9ENglkYeFzKeKKAj0pS5FzzegXP4QxK+XAkX1Mw3GTRGkrpwrd8b6FVWf/yFzCFkm//rCQiQ933om57Q3QQriJtABfBH0L9bg2sAAAGUAAAADHJzYS1zaGEyLTI1NgAAAYBv+fXgU7e+0OW/mBZbG6jlMtEALbF2IxjRe2KbmRMb5V7XVqVHVt1qAsl+aNtGntARVRMLnOn8Nasoquy3N+7voaMrQAADpAx+Ig3o8cNR1Ym86TUX7cuUTaSkWm7gOrfUILzIwJnyTJAV74NUac1LGXHL1w3EiLtkga5I+dsAm7Ba+8XohkK350D2lwjq8msvPsrPdT5IHoTG6XWO4QCJBYiu4FTV8Xye2XjFP60pH0F3RkrIFk9l3ftyJPm/2ptWgWJOM9TJimTcSy3bnt6DjLfUZJmePIXyyETEhBGQkRXyZ6VrJHd+biFdEz1X87BEVQcYoBBL5glnWgPAqsKzI70Z9pmS9SX7qA795Xp6zMJq0Ov/H7mUvZSvhnIip6NF9z4KOAy7mmF9dZR8UABE4upZpT2k0xIO+x+aJChkg8EwYX3z4v4VC+dzCIfUGEIfbrvYnQOh/VvG6A04lnALaJ/iRleXjmrbW2EJCDlOtZMTHqmvc2KLzponpJHyyeM= zefrer@kirin
diff --git a/tests/embedded_server/ca_host_key.pub b/tests/embedded_server/ca_host_key.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCphJViWy6xwUQngUeHU2AmHaHj/kkDSI4dHQLoWhYwEQ85CowwDaJ7NhZBr6bpA0OTYBgXcfkQw8ncH2k6HybfeT9KXLogTS/hKwZIz1NY5bvVBHSXI8uzSX5OlBujPUxk99kc1Vm3OA9fKB0iCdufgmdXo+3c3JBG5EqO4H21u8zxwfHmVpigkERGxMYkOMWEjAF7i7kptG9d0Gtijw8GWYUmO7R2xkBWsLaZY3llOdCCH6EDYerfHdUOnkwvm0yhy4UqSt8Cu6XoErhdH4l+uF4Pbz+rWgmQ7GQlpSCgZqrIAyyQyTQOn+heFkGr407lFl+PkClXHK5NgZ90EgXSA+dRNl9Qjw3BO5tUN9jWALEURfT4CQemtSe+1JNMbxsA7+byW1YeLbVZknBMieRhMoerXRvG9ENglkYeFzKeKKAj0pS5FzzegXP4QxK+XAkX1Mw3GTRGkrpwrd8b6FVWf/yFzCFkm//rCQiQ933om57Q3QQriJtABfBH0L9bg2s= zefrer@kirin
diff --git a/tests/embedded_server/ca_user_key b/tests/embedded_server/ca_user_key
@@ -0,0 +1,40 @@
+-----BEGIN PRIVATE KEY-----
+MIIG/AIBADANBgkqhkiG9w0BAQEFAASCBuYwggbiAgEAAoIBgQClYv7851Sl96qx
+b2VV8rbhqhpSmLD+VUvKjj4aMjFgunw8HA9BOUu5kuPLo7LWzZN1brTv0JB9xbcC
+vmNdzhHKEBsP4F3xp20vCz2EKivjGIJkFiPyn/xAZvlfA0rvoXyzwCekiFJqhrEs
+SpiHDk4jL9CImStcOhm/ZLXTjZL2aa+A2DSE4JFAXvpvuTbw68JSujCPWsNNyqyd
+QNXpWkHoqI/Lo/dtXX1jYoD4zmwEqN++VwNIdANazQpABBkcVQfwVtcHvYptA9Pq
+4HhrTPA59Pv63yPb7/fL7F2CfKCW+sb+yRGY6U81vXVG+jRMhrcPTY6SIXqW43P0
+qhGW6NWswn1k5sLvpYHdRTyDdC1uwBVVQJ9kO/QP4SnXklfMVzuFIxt5BhM4dXwl
+PDuJcJG1rXUfXIAWtZJd/LCcyp+xKsJxgjTIitDevNRxzfkRkijryzUgfZHh2755
+7ztoubl3NuLKf+cWcdLzBkeGpNNHCE+tqVueuBqiUqPttE6LSx0CAwEAAQKCAYBc
+yU2FVcOH2YtKQNT5g1JXCLf73u5twizjVypASCiru/Q3RQbJ8PsrAd4LQav0FyHD
+oHiiksB9z479WxMkbZhNZPvJzHboPKZk3kmE/KPipL2CqWlBlcBP4XXGeHJyPodX
+0VZsWI7kdOyxjKhGHSB5XToBaO2KsI4Bct8P8T2iQWjVQHc2lUbodmDKjX7la196
+Sjs0MhegbTSqhNV+NcUEYo1KEpOeJ/VQ7NKuxCCV/KiKgQa2f1/icWZuw93Sp2EF
+f22BQlcepJKaq0SnGKFXvZm5FvTmmViQtUYk28DaAgO5L4th6ejHoCXAqVp857kj
+ral7DOehdATybohX5+bK62GQxwFiehBGnFh0Z1uOOe6SHaxsDhPCi46DTbViXP64
+7X1jIXxXE+6dfvMrbGFoirbclBrMskZK98kZnWZ6GDtDQkowOtgP2ZEjWBUnKPeI
+gegfhH0CFTGGpLw7MjJS+xk8ht5bXp0Gflawve0RPPJm9cs2DOrJDIEKQNczjYEC
+gcEA2xeP5YRp7JLG/TzQU9+z/BAGhMZyqqBBCOL8DLf1oit5/aFAdN6gQ9YCrrw9
+5BFDj687MVwmF6YWMOPivd7hv/SWJchsHSWs4I2VAuAqo8hU4Ri5IoDZjRpllh0p
+IB8HVTt+hwdnGF6/mO3Pm6GxBlJ2iLSeDMgiFFPLrjT8uh+p+y3O32Kydb/T4u2v
+nGxRzNKJ21rQQwxVQ0CegYlF6j9ljyKJTR5/4dZDUV05syC1zmcs2Kz3qX6ickE6
+4c8nAoHBAME/XkzkEco4HaTMNhyR8F/9kXzjH0Yn1o13u0pO/QTU4vvlnOIqsUYP
+roXd9+yQs88ckCR1U0h16dzQsOtrGo/E538AzYKLgourLxKD26bybUO49Dm/j5bV
+WlIxuV3jTv5biasmx8379ejlz6wVo7bYqMI/q+Rn2QYp+t5GUXqBek3L8wnfpnfL
+FmoMrUdDe21xiPLVd9O13/8MnZJsg45u04PGV4hJzANn9Z73oQwl9dzAKZESQq4G
+9RHT/Fk+GwKBwCoZR/QxUm078vKcKefD94C6z5XZ0BTLQFPl0crb2l4z/nfm8UzD
+roX6bH+I+leFnbbRVA1zCHrI1kDEuUAEwNoytFtEPMoJAEQR0I1B58+a4fxy1Lg1
+jBgZ92U16z4Z2D3fdbuah4veQPCw2ZCtLCfr1o0EL86C8lF3nI637cwR44a5UaQJ
+AgOwPZXAWFs1US6LUiQNOjF4ADYxB4QajY2qauhrGXjxIF+T3VGYGUs7QNQNbUeh
+TOGLzMkpkZfsRwKBwBnBt3DqKRDZ3+GaMlAmh3JT2rNZlk6Ees1KOxVRZ9ngAgzu
+8rUWWaBr8Kf5CNVoB/8/4FprpNkQlkYPLrWCBf1Jkk1ULxAKRjEVdOWz22/p+fQ/
+z5Vu2dWRxEMWS42fAWVXkAbW2WS0A3eyQba+/54cTInvcJq12LBAoiZEGxIH9eQu
+ncsgGxD2aZti6ymHbgkNS+KJ3znBkQRuiwX8HqC6VsjGg94vb9i4X317peR3nsh4
+eFHUrDyDwuBIb+b5JwKBwERnucizMWzGZvNyTYmkO54u8lJPdGTEevzn7gjBc14x
+yYAR+Uu1+eeSw295jFpvAi5Nr8dwtQqboRUc/69dLYCR73uxCw4PDKJ0bpmfPAJU
+ythKjZ2b8KS7gxndUvl18C9l2jBHqnQvhB/pz4EDwyWsTXmiA15YtuPgandYhJMu
++NmCtMMMeXC690Igw6yhs+s3pUjWW+fKn+fdkx5uH+5gvYd+c5iJEWGdPogIXlCx
+vP43QJnRZlNs4a4d41ifvA==
+-----END PRIVATE KEY-----
diff --git a/tests/embedded_server/ca_user_key.pub b/tests/embedded_server/ca_user_key.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClYv7851Sl96qxb2VV8rbhqhpSmLD+VUvKjj4aMjFgunw8HA9BOUu5kuPLo7LWzZN1brTv0JB9xbcCvmNdzhHKEBsP4F3xp20vCz2EKivjGIJkFiPyn/xAZvlfA0rvoXyzwCekiFJqhrEsSpiHDk4jL9CImStcOhm/ZLXTjZL2aa+A2DSE4JFAXvpvuTbw68JSujCPWsNNyqydQNXpWkHoqI/Lo/dtXX1jYoD4zmwEqN++VwNIdANazQpABBkcVQfwVtcHvYptA9Pq4HhrTPA59Pv63yPb7/fL7F2CfKCW+sb+yRGY6U81vXVG+jRMhrcPTY6SIXqW43P0qhGW6NWswn1k5sLvpYHdRTyDdC1uwBVVQJ9kO/QP4SnXklfMVzuFIxt5BhM4dXwlPDuJcJG1rXUfXIAWtZJd/LCcyp+xKsJxgjTIitDevNRxzfkRkijryzUgfZHh27557ztoubl3NuLKf+cWcdLzBkeGpNNHCE+tqVueuBqiUqPttE6LSx0= zefrer@kirin
diff --git a/tests/embedded_server/openssh.py b/tests/embedded_server/openssh.py
@@ -20,6 +20,7 @@
 import random
 import string
 import logging
+import pwd
 from threading import Thread
 from subprocess import Popen
 from time import sleep
@@ -36,9 +37,12 @@
 PDIR_NAME = os.path.dirname(DIR_NAME)
 PPDIR_NAME = os.path.dirname(PDIR_NAME)
 SERVER_KEY = os.path.abspath(os.path.sep.join([DIR_NAME, 'rsa.key']))
+CA_HOST_KEY = os.path.abspath(os.path.sep.join([DIR_NAME, 'ca_host_key']))
 SSHD_CONFIG_TMPL = os.path.abspath(os.path.sep.join(
     [DIR_NAME, 'sshd_config.tmpl']))
 SSHD_CONFIG = os.path.abspath(os.path.sep.join([DIR_NAME, 'sshd_config']))
+PRINCIPALS_TMPL = os.path.abspath(os.path.sep.join([DIR_NAME, 'principals.tmpl']))
+PRINCIPALS = os.path.abspath(os.path.sep.join([DIR_NAME, 'principals']))
 
 
 class OpenSSHServer(object):
@@ -56,11 +60,13 @@ def __init__(self, listen_ip='127.0.0.1', port=2222):
     def _fix_masks(self):
         _mask = int('0600') if version_info <= (2,) else 0o600
         dir_mask = int('0755') if version_info <= (2,) else 0o755
-        os.chmod(SERVER_KEY, _mask)
+        for _file in [SERVER_KEY, CA_HOST_KEY]:
+            os.chmod(_file, _mask)
         for _dir in [DIR_NAME, PDIR_NAME, PPDIR_NAME]:
             os.chmod(_dir, dir_mask)
 
     def make_config(self):
+        user = pwd.getpwuid(os.geteuid()).pw_name
         with open(SSHD_CONFIG_TMPL) as fh:
             tmpl = fh.read()
         template = Template(tmpl)
@@ -70,6 +76,12 @@ def make_config(self):
                                      random_server=self.random_server,
             ))
             fh.write(os.linesep)
+        with open(PRINCIPALS_TMPL) as fh:
+            _princ_tmpl = fh.read()
+        princ_tmpl = Template(_princ_tmpl)
+        with open(PRINCIPALS, 'w') as fh:
+            fh.write(princ_tmpl.render(user=user))
+            fh.write(os.linesep)
 
     def start_server(self):
         cmd = ['/usr/sbin/sshd', '-D', '-p', str(self.port),
diff --git a/tests/embedded_server/principals.tmpl b/tests/embedded_server/principals.tmpl
@@ -0,0 +1 @@
+{{user}}
diff --git a/tests/embedded_server/sshd_config.tmpl b/tests/embedded_server/sshd_config.tmpl
@@ -3,6 +3,10 @@ UsePAM no
 HostbasedAuthentication no
 IgnoreUserKnownHosts yes
 ListenAddress {{listen_ip}}
+HostKey {{parent_dir}}/ca_host_key
+HostCertificate {{parent_dir}}/ca_host_key-cert.pub
+TrustedUserCAKeys {{parent_dir}}/ca_user_key.pub
+AuthorizedPrincipalsFile {{parent_dir}}/principals
 
 AcceptEnv LANG LC_*
 Subsystem sftp internal-sftp
diff --git a/tests/ssh/base_ssh_case.py b/tests/ssh/base_ssh_case.py
@@ -19,6 +19,7 @@
 import pwd
 import os
 import logging
+import subprocess
 from sys import version_info
 
 from ..embedded_server.openssh import OpenSSHServer
@@ -39,14 +40,28 @@ def setup_root_logger():
 
 PKEY_FILENAME = os.path.sep.join([os.path.dirname(__file__), '..', 'client_pkey'])
 PUB_FILE = "%s.pub" % (PKEY_FILENAME,)
+USER_CERT_PRIV_KEY = os.path.sep.join([os.path.dirname(__file__), '..', 'unit_test_cert_key'])
+USER_CERT_PUB_KEY = "%s.pub" % (USER_CERT_PRIV_KEY,)
+USER_CERT_FILE = "%s-cert.pub" % (USER_CERT_PRIV_KEY,)
+CA_USER_KEY = os.path.sep.join([os.path.dirname(__file__), '..', 'embedded_server', 'ca_user_key'])
+USER = pwd.getpwuid(os.geteuid()).pw_name
+
+
+def sign_cert():
+    cmd = [
+        'ssh-keygen', '-s', CA_USER_KEY, '-n', USER, '-I', 'tests', USER_CERT_PUB_KEY,
+    ]
+    subprocess.check_call(cmd)
 
 
 class SSHTestCase(unittest.TestCase):
 
     @classmethod
     def setUpClass(cls):
         _mask = int('0600') if version_info <= (2,) else 0o600
-        os.chmod(PKEY_FILENAME, _mask)
+        for _file in [PKEY_FILENAME, USER_CERT_PRIV_KEY, CA_USER_KEY]:
+            os.chmod(_file, _mask)
+        sign_cert()
         cls.host = '127.0.0.1'
         cls.port = 2322
         cls.server = OpenSSHServer(listen_ip=cls.host, port=cls.port)
@@ -55,7 +70,9 @@ def setUpClass(cls):
         cls.resp = u'me'
         cls.user_key = PKEY_FILENAME
         cls.user_pub_key = PUB_FILE
-        cls.user = pwd.getpwuid(os.geteuid()).pw_name
+        cls.cert_pkey = USER_CERT_PRIV_KEY
+        cls.cert_file = USER_CERT_FILE
+        cls.user = USER
         cls.client = SSHClient(cls.host, port=cls.port,
                                pkey=PKEY_FILENAME,
                                num_retries=1)
diff --git a/tests/ssh/test_parallel_client.py b/tests/ssh/test_parallel_client.py
diff --git a/tests/unit_test_cert_key b/tests/unit_test_cert_key
diff --git a/tests/unit_test_cert_key.pub b/tests/unit_test_cert_key.pub

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+[email protected] AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgu84sipb+xoLb4xY/PnjXE6HGJlJKz+VdqW+Z9oMFMv4AAAADAQABAAABgQCphJViWy6xwUQngUeHU2AmHaHj/kkDSI4dHQLoWhYwEQ85CowwDaJ7NhZBr6bpA0OTYBgXcfkQw8ncH2k6HybfeT9KXLogTS/hKwZIz1NY5bvVBHSXI8uzSX5OlBujPUxk99kc1Vm3OA9fKB0iCdufgmdXo+3c3JBG5EqO4H21u8zxwfHmVpigkERGxMYkOMWEjAF7i7kptG9d0Gtijw8GWYUmO7R2xkBWsLaZY3llOdCCH6EDYerfHdUOnkwvm0yhy4UqSt8Cu6XoErhdH4l+uF4Pbz+rWgmQ7GQlpSCgZqrIAyyQyTQOn+heFkGr407lFl+PkClXHK5NgZ90EgXSA+dRNl9Qjw3BO5tUN9jWALEURfT4CQemtSe+1JNMbxsA7+byW1YeLbVZknBMieRhMoerXRvG9ENglkYeFzKeKKAj0pS5FzzegXP4QxK+XAkX1Mw3GTRGkrpwrd8b6FVWf/yFzCFkm//rCQiQ933om57Q3QQriJtABfBH0L9bg2sAAAAAAAAAAAAAAAIAAAAMdGVzdF9jYV9ob3N0AAAAAAAAAAAAAAAA//////////8AAAAAAAAAAAAAAAAAAAGXAAAAB3NzaC1yc2EAAAADAQABAAABgQCphJViWy6xwUQngUeHU2AmHaHj/kkDSI4dHQLoWhYwEQ85CowwDaJ7NhZBr6bpA0OTYBgXcfkQw8ncH2k6HybfeT9KXLogTS/hKwZIz1NY5bvVBHSXI8uzSX5OlBujPUxk99kc1Vm3OA9fKB0iCdufgmdXo+3c3JBG5EqO4H21u8zxwfHmVpigkERGxMYkOMWEjAF7i7kptG9d0Gtijw8GWYUmO7R2xkBWsLaZY3llOdCCH6EDYerfHdUOnkwvm0yhy4UqSt8Cu6XoErhdH4l+uF4Pbz+rWgmQ7GQlpSCgZqrIAyyQyTQOn+heFkGr407lFl+PkClXHK5NgZ90EgXSA+dRNl9Qjw3BO5tUN9jWALEURfT4CQemtSe+1JNMbxsA7+byW1YeLbVZknBMieRhMoerXRvG9ENglkYeFzKeKKAj0pS5FzzegXP4QxK+XAkX1Mw3GTRGkrpwrd8b6FVWf/yFzCFkm//rCQiQ933om57Q3QQriJtABfBH0L9bg2sAAAGUAAAADHJzYS1zaGEyLTI1NgAAAYBv+fXgU7e+0OW/mBZbG6jlMtEALbF2IxjRe2KbmRMb5V7XVqVHVt1qAsl+aNtGntARVRMLnOn8Nasoquy3N+7voaMrQAADpAx+Ig3o8cNR1Ym86TUX7cuUTaSkWm7gOrfUILzIwJnyTJAV74NUac1LGXHL1w3EiLtkga5I+dsAm7Ba+8XohkK350D2lwjq8msvPsrPdT5IHoTG6XWO4QCJBYiu4FTV8Xye2XjFP60pH0F3RkrIFk9l3ftyJPm/2ptWgWJOM9TJimTcSy3bnt6DjLfUZJmePIXyyETEhBGQkRXyZ6VrJHd+biFdEz1X87BEVQcYoBBL5glnWgPAqsKzI70Z9pmS9SX7qA795Xp6zMJq0Ov/H7mUvZSvhnIip6NF9z4KOAy7mmF9dZR8UABE4upZpT2k0xIO+x+aJChkg8EwYX3z4v4VC+dzCIfUGEIfbrvYnQOh/VvG6A04lnALaJ/iRleXjmrbW2EJCDlOtZMTHqmvc2KLzponpJHyyeM= zefrer@kirin