SSH Certificate-based Authentication

This shows how to set up certificate-based SSH authentication for users logging in to your hosts.

Authentication Process

1. user Joe requests access as user Fred on host "web1"

2. the company SSH CA signs Joe's public SSH key, producing a certificate

3. Joe receives this certificate and uses it to SSH into web1 as Fred (joe> ssh fred@web1)

4. web1 uses the CA public key to verify the certificate and admits Joe as Fred

Section A - basic configuration

1. create a new SSH CA on a secure server

root@ca-server> cd /etc/ssh

root@ca-server> ssh-keygen -C CA -f my_ssh_ca

This generates a key pair: my_ssh_ca (private) and my_ssh_ca.pub (public). Set a passphrase when prompted, and make sure the private key is owned by root:root with mode 600. Guard this key carefully: whoever holds it can sign certificates for every server that trusts it.

2. copy the public key to all servers that will need to authenticate certificates

root@ca-server> rsync -azP my_ssh_ca.pub root@web1:/etc/ssh/

3. edit each managed server's sshd_config file to allow certificate auth

root@web1> vi /etc/ssh/sshd_config

add this line and restart the sshd service

TrustedUserCAKeys /etc/ssh/my_ssh_ca.pub

4. When Joe needs access as Fred@web1, he copies his public key over to the CA server

joe@joes mac> rsync -azP ~/.ssh/id_rsa.pub ca-server:/etc/ssh/clients/joe.pub

(this part can be automated - see section B)

5. on CA server, sign Joe's public key to allow access as Fred

root@ca-server> cd /etc/ssh

root@ca-server> ssh-keygen -s my_ssh_ca -I joe -n fred -V +1d -z 1 clients/joe.pub

(run from /etc/ssh so that my_ssh_ca and clients/joe.pub are both found; -I sets the key id logged by sshd, -n the principal Joe may log in as, -V the validity window, -z the serial number. The certificate is written to clients/joe-cert.pub)

6. copy the newly generated certificate back to Joe's desktop

joe@joes mac> rsync -azP ca-server:/etc/ssh/clients/joe-cert.pub ~/.ssh

7. Joe uses the cert to log in as Fred@web1

joe@joes mac> ssh -i ~/.ssh/id_rsa -o CertificateFile=~/.ssh/joe-cert.pub fred@web1

The certificate by itself is not a credential: ssh still needs Joe's private key (~/.ssh/id_rsa) to sign the authentication challenge, so -i must point at the private key and the certificate is supplied with CertificateFile (OpenSSH 7.2 or later). If the certificate is saved as ~/.ssh/id_rsa-cert.pub instead, ssh picks it up automatically and the -o option is unnecessary.

Joe's certificate expires after 1 day (the -V +1d given in step 5); after that he must request a new one.
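The following is an added example, not part of this page: it shows what is inside the certificate that step 5 produces (the fields filled from -I, -n, -V and -z) and the policy checks web1 applies to it under TrustedUserCAKeys in step 4 of the authentication process. It is standard-library Python only; the CA and user keys are constructed placeholder bytes rather than real Ed25519 keys, the signature is a placeholder, and the function names (build_user_cert, parse_cert, authorize) are this example's own. The Ed25519 signature check, which sshd always performs before any of the checks below, is deliberately omitted because the standard library has no Ed25519 implementation.

```python
"""Layout of an ssh-ed25519 user certificate (PROTOCOL.certkeys) and the
TrustedUserCAKeys policy checks sshd makes on it. Keys and signature are
constructed placeholders; the CA signature is NOT verified here."""
import base64
import hashlib
import struct

CERT_ALGO = b"ssh-ed25519-cert-v01@openssh.com"
SSH2_CERT_TYPE_USER = 1          # what ssh-keygen -s produces without -h


# --- SSH wire-format helpers (RFC 4251 string / uint32 / uint64) ---
def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


class _Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def u32(self) -> int:
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def u64(self) -> int:
        (v,) = struct.unpack_from(">Q", self.data, self.pos)
        self.pos += 8
        return v

    def string(self) -> bytes:
        n = self.u32()
        v = self.data[self.pos:self.pos + n]
        self.pos += n
        return v

    def strings(self) -> list:
        out = []
        while self.pos < len(self.data):
            out.append(self.string())
        return out


def ed25519_pub_blob(raw32: bytes) -> bytes:
    """Public-key blob as stored (base64) in a *.pub file such as my_ssh_ca.pub."""
    return _string(b"ssh-ed25519") + _string(raw32)


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l / -L prints."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def build_user_cert(user_pub32, ca_pub32, key_id, principals, serial,
                    valid_after, valid_before, signature64, nonce=bytes(32)):
    """Assemble a user certificate: the fields ssh-keygen -s fills from -I (key id),
    -n (principals), -V (validity) and -z (serial), followed by the CA signature."""
    default_ext = [b"permit-X11-forwarding", b"permit-agent-forwarding",
                   b"permit-port-forwarding", b"permit-pty", b"permit-user-rc"]
    body = (_string(CERT_ALGO) + _string(nonce) + _string(user_pub32)
            + struct.pack(">QI", serial, SSH2_CERT_TYPE_USER)
            + _string(key_id.encode())
            + _string(b"".join(_string(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _string(b"")                                            # critical options
            + _string(b"".join(_string(e) + _string(b"") for e in default_ext))
            + _string(b"")                                            # reserved
            + _string(ed25519_pub_blob(ca_pub32)))                    # signature key (the CA)
    # Placeholder signature: a real one is Ed25519 over `body` with the CA private key.
    return body + _string(_string(b"ssh-ed25519") + _string(signature64))


def parse_cert(blob: bytes) -> dict:
    """Decode the certificate into the fields ssh-keygen -L would display."""
    r = _Reader(blob)
    if r.string() != CERT_ALGO:
        raise ValueError("not an ssh-ed25519 certificate")
    c = {"nonce": r.string(), "pk": r.string(), "serial": r.u64(), "type": r.u32(),
         "key_id": r.string().decode(),
         "principals": [p.decode() for p in _Reader(r.string()).strings()],
         "valid_after": r.u64(), "valid_before": r.u64(),
         "critical_options": r.string()}
    ext, c["extensions"] = _Reader(r.string()), []
    while ext.pos < len(ext.data):
        c["extensions"].append(ext.string().decode())
        ext.string()                                   # extension data (empty for flags)
    c["reserved"], c["signature_key"], c["signature"] = r.string(), r.string(), r.string()
    return c


def authorize(cert_blob, trusted_ca_blobs, login_user, now):
    """The checks sshd makes on a certificate presented under TrustedUserCAKeys,
    after it has verified the CA signature (omitted here). Returns (accepted, reason)."""
    c = parse_cert(cert_blob)
    if c["type"] != SSH2_CERT_TYPE_USER:
        return False, "not a user certificate"
    if c["signature_key"] not in trusted_ca_blobs:
        return False, "signing CA %s is not in TrustedUserCAKeys" % fingerprint(c["signature_key"])
    if now < c["valid_after"]:
        return False, "certificate not yet valid"
    if now >= c["valid_before"]:                       # valid_before is exclusive, as in sshd
        return False, "certificate expired"
    # An empty principal list matches any user, which is why -n should always be given.
    if c["principals"] and login_user not in c["principals"]:
        return False, "%s is not among principals %s" % (login_user, c["principals"])
    return True, "accepted key id %s serial %d for %s" % (c["key_id"], c["serial"], login_user)


# Constructed placeholder keys: 32 distinct bytes each, NOT real Ed25519 keys.
CA_PUB = hashlib.sha256(b"constructed company CA").digest()
JOE_PUB = hashlib.sha256(b"constructed joe key").digest()
T0 = 1_700_000_000                                     # constructed "now" for the demo
# Equivalent of: ssh-keygen -s my_ssh_ca -I joe -n fred -V +1d -z 1 clients/joe.pub
JOE_CERT = build_user_cert(JOE_PUB, CA_PUB, "joe", ["fred"], 1, T0, T0 + 86400, bytes(64))
TRUSTED = {ed25519_pub_blob(CA_PUB)}                   # what /etc/ssh/my_ssh_ca.pub contains

if __name__ == "__main__":
    print("Signing CA:", fingerprint(ed25519_pub_blob(CA_PUB)))
    for user, when in [("fred", T0 + 60), ("root", T0 + 60), ("fred", T0 + 86400)]:
        print(user, when, authorize(JOE_CERT, TRUSTED, user, when))
```

The three demo calls show the outcomes that matter operationally: fred within the window is accepted, root is refused because only the principal given with -n matches, and fred one day later is refused as expired. On a real CA server the same fields (key id, serial, principals, validity, signing CA fingerprint) are printed by ssh-keygen -L -f clients/joe-cert.pub, which is worth running before handing a certificate back to the requester.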