Using SSH certificates is an efficient way to enhance the management and security of SSH authentication. Unlike traditional SSH keys, certificates enable centralized validation and simplify access management.
SSH certificate-based authentication relies on a Certificate Authority (CA) to sign users' SSH public keys. Gateways (servers) trust the CA and authenticate users based on their signed keys.
Benefits include:
This guide provides a step-by-step approach to generating and using SSH certificates to authenticate users accessing gateways. It assumes a working knowledge of SSH and access to a Linux-based system with OpenSSH installed.
Ensure OpenSSH is Installed:
ssh -V
Verify that OpenSSH version 5.4 or later is installed. Update if necessary.
Log in to a secure system that will act as the Certificate Authority (CA).
Generate the CA user key pair (the key that will sign user keys):
root@365870ffa28f:~# mkdir -p ~/ca && cd ~/ca
root@365870ffa28f:~/ca# ssh-keygen -t ed25519 -f ca_user_key
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ca_user_key.
Your public key has been saved in ca_user_key.pub.
The key fingerprint is:
SHA256:K/fFq5EVsIsysBm0K6DyFdMgog9j5zAuRzKwo6M3jhA root@365870ffa28f
The key's randomart image is:
+--[ED25519 256]--+
|o . o . |
|oo o + o |
|X+..* . . . |
|=X= O . . . |
|E.+.= o S . . |
|+= o o . + |
|o + . o o o |
|.+ . o . o . |
|. . o.. |
+----[SHA256]-----+
You can use the ed25519 key type if you want more security, or any other key type supported by the gateway (rsa >= 2048 or ecdsa).
This generates two files: the private key ca_user_key and the public key ca_user_key.pub.
The private key will be used to sign all your user keys. Be sure to keep it in a safe and secure place.
The public part is generated automatically in the ca_user_key.pub file. You need to send this file to the gateway, into the folder /etc/ssh/trusted_user_ca_keys.d/, either:
echo "ssh-ed25519 AAAA....lCxDQ" > /etc/ssh/trusted_user_ca_keys.d/my_ca_user_key.pub
scp ca_user_key.pub gateway:/etc/ssh/trusted_user_ca_keys.d/my_ca_user_key.pub
Users generate their own SSH key pair (if they don’t already have one):
user@mypc:~/$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ~/.ssh/id_ed25519.
Your public key has been saved in ~/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:QAJN2PA7kAfeDosblMTahz5waOy3hCu8u9EdlWA/HLU
The key's randomart image is:
+--[ED25519 256]--+
|..+Boo.... |
|.oo=+o+ o . |
|o==.+ .* E |
|=++*..... |
|=+o.+. S |
| =+o... |
|o.+o.. |
|.o.. |
|.++ |
+----[SHA256]-----+
The user public key needs to be sent to the PKI server in order to be signed.
Here, for example, we use copy/paste, but any other way would work:
root@365870ffa28f:~# echo "ssh-ed25519 AAA....h+832" > id_ed25519-user.pub
The CA administrator signs the user's public key using the CA user private key (given by the -s option).
root@365870ffa28f:~# ssh-keygen -s ca_user_key -I user_identity -n root -V -1w:+1w id_ed25519-user.pub
Enter passphrase:
Signed user key id_ed25519-user-cert.pub: id "user_identity" serial 0 for root valid from 2023-02-20T09:31:53 to 2023-03-06T09:31:53
-I user_identity : Identifier for the certificate.
-s ca_user_key : CA user private key.
-n username : User principal name.
-V -1w:+1w : Validity period (e.g., +/-7 days).
Please visit the ssh-keygen manual to see all options for the ssh-keygen command.
This creates id_ed25519-user-cert.pub, the signed certificate to send back to the user.
Provide the signed certificate (id_ed25519-user-cert.pub) to the user. Place it in the same directory as their private key:
mv id_ed25519-user-cert.pub ~/.ssh/
Ensure the following permissions:
chmod 600 ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_ed25519-user-cert.pub
To connect, specify the certificate to use with the -o CertificateFile option, and the identity file (private key) to use with the -i option:
user@mypc:~$ ssh -o CertificateFile=~/.ssh/id_ed25519-user-cert.pub -i ~/.ssh/id_ed25519 root@klk-wifc-f9afb4
Last login: Mon Feb 27 09:57:03 2023 from 54.238.145.49
root@klk-wifc-0700B4:~#
You can use the SSH configuration file ~/.ssh/config to make these parameters automatic:
Host klk-*
    User root
    CertificateFile ~/.ssh/id_ed25519-user-cert.pub
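To see what the gateway actually evaluates in id_ed25519-user-cert.pub, here is an added example (not part of this guide or of OpenSSH) that decodes the certificate wire format with Python's standard library and applies the policy checks sshd makes against the CA key from trusted_user_ca_keys.d: signing CA, user certificate type, the principal given with -n, and the -V validity window. It does not verify the ed25519 signature, so it is an inspection aid like ssh-keygen -L, not a replacement for sshd; build_user_cert only produces constructed test data with a placeholder signature, because the standard library cannot sign ed25519.

```python
import base64, hashlib, struct
CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"

def ssh_string(b):  # SSH wire "string": uint32 big-endian length followed by the bytes
    return struct.pack(">I", len(b)) + b

def fingerprint(pubkey_blob):  # same form as `ssh-keygen -lf ca_user_key.pub` prints
    return "SHA256:" + base64.b64encode(hashlib.sha256(pubkey_blob).digest()).decode().rstrip("=")

def build_user_cert(user_pk, ca_pk, key_id, principals, valid_after, valid_before):
    # Constructed test data: serial 0, type 1 (user), no options, zero placeholder signature.
    s = ssh_string
    return (s(CERT_TYPE) + s(bytes(32)) + s(user_pk) + struct.pack(">QI", 0, 1)
            + s(key_id.encode()) + s(b"".join(s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before) + s(b"") * 3
            + s(s(b"ssh-ed25519") + s(ca_pk)) + s(bytes(64)))

def parse_cert(blob):
    """Decode the certificate wire format (OpenSSH PROTOCOL.certkeys) into a dict."""
    pos = 0
    def rd(fmt):  # fixed-width integer field
        nonlocal pos
        pos += struct.calcsize(fmt)
        return struct.unpack_from(fmt, blob, pos - struct.calcsize(fmt))[0]
    def rs():  # length-prefixed string field
        nonlocal pos
        n = rd(">I")
        pos += n
        return blob[pos - n:pos]
    c = {"type": rs(), "nonce": rs(), "pk": rs(), "serial": rd(">Q"),
         "cert_type": rd(">I"), "key_id": rs().decode(), "principals": []}
    plist, p = rs(), 0
    while p < len(plist):  # principals are packed as consecutive strings
        n = struct.unpack_from(">I", plist, p)[0]
        c["principals"].append(plist[p + 4:p + 4 + n].decode())
        p += 4 + n
    c["valid_after"], c["valid_before"] = rd(">Q"), rd(">Q")
    c["critical"], c["extensions"], c["reserved"] = rs(), rs(), rs()
    c["signature_key"], c["signature"] = rs(), rs()
    return c

def check_cert(blob, trusted_ca_blob, principal, now):
    """Policy checks sshd applies under TrustedUserCAKeys; returns the failure reasons.
    The ed25519 signature is NOT verified here: this is an audit aid, not an authenticator."""
    c = parse_cert(blob)
    checks = [(c["type"] == CERT_TYPE and c["cert_type"] == 1, "not an ssh-ed25519 user certificate"),
              (c["signature_key"] == trusted_ca_blob, "untrusted signing CA %s" % fingerprint(c["signature_key"])),
              (principal in c["principals"], "principal %r not in %r" % (principal, c["principals"])),
              (c["valid_after"] <= now < c["valid_before"], "outside validity window")]
    return [msg for ok, msg in checks if not ok]
```

Pass check_cert the base64-decoded second field of the CA's .pub line (the same blob sshd loads from trusted_user_ca_keys.d) and the login name as the principal; an empty list means the certificate would pass those policy checks.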