This is done by editing the /etc/ssh/sshd_config file and specifying the TrustedUserCAKeys directive: TrustedUserCAKeys /path/to/ca.pub You'll need to copy over the public key of the CA certificate to the target server. The last thing to do is to tell the server to trust your CA certificate. As the manual indicates, the IdentityFile directive must also be specified along with it to identify the corresponding private key. The contents of the certificate can be verified by running ssh-keygen -L -f ~/.ssh/id_rsa-cert.pub.Īt this point, you're free to edit your configuration file (~/.ssh/config) and include the CertificateFile directive to point to the newly generated certificate. The -s option specifies the path to the CA private key, the -I option specifies an identifier that is logged at the server-side, and the -n option specifies the principal (username). This will generate a new file named ~/.ssh/id_rsa-cert.pub which contains the SSH certificate. Next, we'll sign our user key with the CA's private key (following the example from the manual): ssh-keygen -s path/to/ca -I -n myuser ~/.ssh/id_rsa.pub This results in the two files being generated - ca (private key) and ca.pub (public key). The -f ca option simply specifies the output filename as 'ca'. A CA key is a regular private-public key pair, so let's generate one as usual: ssh-keygen -t rsa -f ca The first thing we'll need here is a CA key. The host certificate will be output to /path/to/host_key-cert.pub. $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub The resultant certificate will be placed inĪ host certificate requires the -h option: $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub UserĬertificates authenticate users to servers, whereas host certificatesĪuthenticate server hosts to users. Ssh-keygen supports two types of certificates: user and host. Much simpler, format to the X.509 certificates used in ssl(8). Note that OpenSSH certificates are a different, and Clients or servers may then trust only the CA keyĪnd verify its signature on a certificate rather than trusting many Host) names and a set of options that are signed by a CertificationĪuthority (CA) key. Public key, some identity information, zero or more principal (user or Ssh-keygen supports signing of keys to produce certificates that mayīe used for user or host authentication. The manual page for ssh-keygen has some relevant information: Now, since the question is about how a client could connect to a server using an SSH certificate, let's look at that approach. This topic is explained by these QAs at the Security SE: What is the difference between SSL & SSH?, Converting keys between OpenSSL and OpenSSH. Because this is a change in the authentication model, implementing certificates requires changes on both the client and the server side.Īlso, do note that the certificates used by SSL (the ones generated by openssl) are different from the ones used by SSH. The user or the host can then trust a single CA instead of having to trust each individual user/host key. The same CA can be used to sign multiple user or host keys. With certificates, each user's (or host's) public key is signed by another key, known as the certificate authority (CA). The certificate model of authentication used by SSH is a variation of the public key authentication method.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |