Configure ssh certificate based authentication

Support for certificate authentication of users and hosts using the new OpenSSH certificate format was introduced in Red Hat Enterprise Linux 6.5, in the openssh-5.3p1-94.el6 package. If required, to ensure the latest OpenSSH package is installed, enter the following command as root:

root@server:~# yum install openssh

Setting Up Certificate Authority Infrastructure

Generate a CA key (cert_ca) for signing user SSH keys with the following command:

root@server:~# ssh-keygen -f cert_ca


Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in cert_ca.
Your public key has been saved in cert_ca.pub.
The key fingerprint is:
b3:af:e8:ef:c4:5d:90:f8:be:16:99:74:f2:39:3a:3e root@server
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|         . .     |
|        . o      |
|         .o..    |
|        S..*..   |
|       . =+.+    |
|        + oo .   |
|       o .E.     |
|     .oo+++o     |
+-----------------+


root@CA:~# ls
cert_ca  cert_ca.pub

Copy the CA key pair to /etc/ssh/:

root@server:~# cp -pr cert_ca* /etc/ssh/

Add the CA public key (cert_ca.pub) as a trusted user CA key on the SSH server machines:

vi /etc/ssh/sshd_config

(Add the following line)

TrustedUserCAKeys /etc/ssh/cert_ca.pub

Restart the SSH service:

service sshd restart (for CentOS / RHEL)

service ssh restart (for Ubuntu / Debian)

Generate an SSH key for the user:

root@server:~$ ssh-keygen -trsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
6f:d0:27:36:69:80:e4:ad:0c:5c:f9:d9:d8:af:a9:8d  root@server 
The key's randomart image is:
+---[RSA 2048]----+
| o. |
| . +.o |
| o o.o= |
| o .+oo. |
| o S B.. |
| = +. |
| oo |
| +o |
| E.. |
+-----------------+

Sign the user's SSH public key with the CA using the following command:

root@server:~# ssh-keygen -s cert_ca -I user_username -n username -V +52w id_rsa.pub

Signed user key id_rsa-cert.pub: id "user_username" serial 0 for username valid from 2020-04-17T10:33:00 to 2021-04-16T10:34:42

The principal given with -n must be the user name you want to log in as on the server machine. For example, if you want to log in to the server as user "ted", sign the key with the principal "ted". Example: ssh-keygen -s cert_ca -I user_ted -n ted -V +52w id_rsa.pub
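To check what was just signed before handing the certificate to a client, here is an added Python example (not from this article, Ezeelogin or OpenSSH) that decodes the ssh-rsa-cert-v01 fields sshd consults (serial, the -I key id, the -n principals and the -V validity window) and applies sshd's acceptance rules to a login name; build_user_cert constructs an unsigned sample blob so the script runs offline, and the CA signature is not checked.

```python
import base64, struct
CERT_TYPE = "ssh-rsa-cert-v01@openssh.com"
USER_CERT = 1  # certificate "type" field: 1 = user certificate, 2 = host certificate

def _s(b):  # SSH wire "string": 4-byte big-endian length, then the bytes
    return struct.pack(">I", len(b)) + b
def _rd(buf, off):  # read one SSH "string" at off; returns (bytes, next offset)
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_user_cert(key_id, principals, valid_after, valid_before, serial=0):
    # Constructed sample: an UNSIGNED blob laid out like ssh-keygen -s output.
    body = b"".join([
        _s(CERT_TYPE.encode()), _s(b"\x00" * 32),                  # type, nonce
        _s(b"\x01\x00\x01"), _s(b"\x00" + b"\x01" * 256),          # dummy RSA e and n
        struct.pack(">QI", serial, USER_CERT), _s(key_id.encode()), # serial, type, -I id
        _s(b"".join(_s(p.encode()) for p in principals)),         # -n principals
        struct.pack(">QQ", valid_after, valid_before),            # -V window, unix time
        _s(b""), _s(b""), _s(b""),                                # crit. opts, exts, reserved
        _s(b"ca-key-placeholder"), _s(b"signature-placeholder"),  # CA key, signature
    ])
    return f"{CERT_TYPE} {base64.b64encode(body).decode()} user@client"

def parse_user_cert(line):
    # Decode the fields sshd consults; the CA signature is NOT verified here.
    kind, blob = line.split()[:2]
    assert kind == CERT_TYPE, "only ssh-rsa-cert-v01 certificates are handled"
    buf, off = base64.b64decode(blob), 0
    for _ in range(4):                                            # skip type, nonce, e, n
        _, off = _rd(buf, off)
    serial, ctype = struct.unpack_from(">QI", buf, off)
    key_id, off = _rd(buf, off + 12)
    plist, off = _rd(buf, off)
    principals, p = [], 0
    while p < len(plist):                                         # nested list of strings
        name, p = _rd(plist, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", buf, off)
    return {"serial": serial, "is_user_cert": ctype == USER_CERT, "key_id": key_id.decode(),
            "principals": principals, "valid_after": valid_after, "valid_before": valid_before}

def check_cert(line, login_user, now):
    # Same acceptance rules sshd applies after the CA signature has been verified.
    c = parse_user_cert(line)
    reasons = [msg for bad, msg in (
        (not c["is_user_cert"], "not a user certificate"),
        (login_user not in c["principals"], f"{login_user!r} not among {c['principals']}"),
        (not c["valid_after"] <= now < c["valid_before"], "outside validity window"),
    ) if bad]
    return not reasons, reasons
```

For a real id_rsa-cert.pub, ssh-keygen -L -f id_rsa-cert.pub prints the same fields; the decoder is for cases where the principal and expiry check has to be scripted.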

 
Copy the private key and its certificate to the .ssh directory on the client machine:

root@server:~$ scp id_rsa-cert.pub  id_rsa admin@client1:/home/admin/.ssh/

 
 
Once the above is completed, the user will be able to log in to the server with SSH certificate authentication without a password.
 
 

admin@client1:~# ssh username@server.com

Last login: Fri Apr 17 11:39:17 2020 from client1

[username@server~]#

 

 
