SSH Certificate-based Authentication
This shows how to set up certificate-based SSH authentication for users on your hosts.
Authentication Process
1. user Joe requests access as user Fred on host "web1"
2. the company SSH CA signs Joe's public SSH key and generates a certificate
3. Joe receives this certificate and uses it to SSH into web1 as Fred (joe> ssh fred@web1)
4. web1 uses the CA public key to verify Joe's certificate and allows the login as Fred
Section A - basic configuration
1. create a new SSH CA on a secure server
root@ca-server> cd /etc/ssh
root@ca-server> ssh-keygen -C CA -f my_ssh_ca
This generates two files: the private key my_ssh_ca and the public key my_ssh_ca.pub. Make sure the private key is owned by root:root with 0600 permissions. This key must be kept extremely secure, as it grants access to all your servers.
2. copy the public key to all servers that will need to authenticate certificates
root@ca-server> rsync -azP my_ssh_ca.pub root@web1:/etc/ssh/
3. edit each managed server's sshd_config file to allow certificate auth
root@web1> vi /etc/ssh/sshd_config
add this line and restart the sshd service:
TrustedUserCAKeys /etc/ssh/my_ssh_ca.pub
4. When Joe needs access as Fred@web1, he copies his public key over to the CA server
joe@joes mac> rsync -azP ~/.ssh/id_rsa.pub ca-server:/etc/ssh/clients/joe.pub
(this step can be automated; see section B)
5. on the CA server, sign Joe's public key to allow access as Fred
root@ca-server> cd /etc/ssh
root@ca-server> ssh-keygen -s my_ssh_ca -I joe -n fred -V +1d -z 1 clients/joe.pub
(-I joe is the key identity that shows up in web1's auth log, -n fred limits the cert to the principal "fred", -V +1d makes it valid for one day from now, -z 1 sets the serial number; the certificate is written to clients/joe-cert.pub)
6. copy the newly generated certificate back to Joe's desktop
joe@joes mac> rsync -azP ca-server:/etc/ssh/clients/joe-cert.pub ~/.ssh
7. Joe uses the cert together with his private key to log in as Fred@web1
joe@joes mac> ssh -i ~/.ssh/id_rsa -o CertificateFile=~/.ssh/joe-cert.pub fred@web1
(if the cert is saved next to the key as ~/.ssh/id_rsa-cert.pub, ssh picks it up automatically and the CertificateFile option is not needed)
Joe's cert expires after one day (the -V +1d from step 5).
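To see what the CA actually put into joe-cert.pub and what web1 checks in step 4 of the authentication process, here is an added example (not part of this guide or of OpenSSH): it decodes the public fields of an ssh-ed25519 user certificate and applies the principal, validity and trusted-CA checks that sshd makes via TrustedUserCAKeys. The key bytes and the signature are constructed dummies; the CA signature is not cryptographically verified here.

```python
import struct

# Constructed example, not the page's code: the wire layout inside joe-cert.pub
# (ssh-ed25519-cert-v01@openssh.com) and the checks sshd makes via TrustedUserCAKeys.
USER_CERT = 1

def ssh_str(b):                   # SSH "string": uint32 big-endian length + bytes
    return struct.pack(">I", len(b)) + b

def ssh_take(buf, off):           # decode one SSH string at off -> (bytes, new off)
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_cert(blob):
    """Decode the public fields written by ssh-keygen -s ... -I -n -V -z."""
    c, off = {}, 0
    for name in ("type", "nonce", "pk"):
        c[name], off = ssh_take(blob, off)
    c["serial"], c["cert_type"] = struct.unpack_from(">QI", blob, off); off += 12
    c["key_id"], off = ssh_take(blob, off)
    princs, off = ssh_take(blob, off)       # nested list of SSH strings
    c["principals"], p = [], 0
    while p < len(princs):
        name, p = ssh_take(princs, p)
        c["principals"].append(name.decode())
    c["valid_after"], c["valid_before"] = struct.unpack_from(">QQ", blob, off); off += 16
    for name in ("critical", "extensions", "reserved", "signature_key", "signature"):
        c[name], off = ssh_take(blob, off)
    return c

def check_cert(blob, login_user, trusted_ca_keys, now):
    """Return the reasons sshd would reject the cert (empty list = accepted).
    The CA signature itself is NOT verified here; sshd does that."""
    c, problems = parse_cert(blob), []
    if c["signature_key"] not in trusted_ca_keys:
        problems.append("signing CA not in TrustedUserCAKeys")
    if c["cert_type"] != USER_CERT:
        problems.append("not a user certificate")
    if login_user not in c["principals"]:
        problems.append("login %r not among principals %r" % (login_user, c["principals"]))
    if not (c["valid_after"] <= now < c["valid_before"]):
        problems.append("outside validity window")
    return problems

def sample_cert(ca_key, key_id, principals, valid_after, valid_before, serial=1):
    # Constructed cert: nonce, user key and signature are dummy bytes.
    body = ssh_str(b"ssh-ed25519-cert-v01@openssh.com") + ssh_str(b"N" * 32) + ssh_str(b"J" * 32)
    body += struct.pack(">QI", serial, USER_CERT) + ssh_str(key_id.encode())
    body += ssh_str(b"".join(ssh_str(p.encode()) for p in principals))
    body += struct.pack(">QQ", valid_after, valid_before) + 3 * ssh_str(b"")
    return body + ssh_str(ca_key) + ssh_str(b"\x00" * 64)
```

On a real host, `ssh-keygen -L -f ~/.ssh/joe-cert.pub` prints the same fields (Key ID, Principals, Valid, Serial) from the base64 blob that parse_cert decodes.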