Configure ssh certificate based authentication

Configure Certificate Based SSH User Authentication

 

Support for certificate authentication of users and hosts using the new OpenSSH certificate format was introduced in Red Hat Enterprise Linux 6.5, in the openssh-5.3p1-94.el6 package. If required, to ensure the latest OpenSSH package is installed, enter the following command as root:

 

root@server:~# yum install openssh 

 

Setting Up Certificate Authority Infrastructure

  • Generate the CA key (cert_ca) used for signing user SSH keys with the following command:

root@server:~# ssh-keygen -f cert_ca


Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in cert_ca.
Your public key has been saved in cert_ca.pub.
The key fingerprint is:
b3:af:e8:ef:c4:5d:90:f8:be:16:99:74:f2:39:3a:3e root@server
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|         . .     |
|        . o      |
|         .o..    |
|        S..*..   |
|       . =+.+    |
|        + oo .   |
|       o .E.     |
|     .oo+++o     |
+-----------------+


root@CA:~# ls
cert_ca  cert_ca.pub

 

  • Copy the keys to /etc/ssh/:

root@server:~# cp -pr cert_ca* /etc/ssh/

 

  • Add the CA public key (cert_ca.pub) as a trusted key on the SSH server machines. sshd only reads the public key; the private key cert_ca is used only for signing.

 

root@server:~# vi /etc/ssh/sshd_config

(Add the following line)

TrustedUserCAKeys /etc/ssh/cert_ca.pub

 

  • Restart the SSH service:

service sshd restart (for CentOS / RHEL)

service ssh restart (for Ubuntu / Debian)

 

 

  • Generate an SSH key for the user:

root@server:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
6f:d0:27:36:69:80:e4:ad:0c:5c:f9:d9:d8:af:a9:8d  root@server 
The key's randomart image is:
+---[RSA 2048]----+
| o. |
| . +.o |
| o o.o= |
| o .+oo. |
| o S B.. |
| = +. |
| oo |
| +o |
| E.. |
+-----------------+

  • Sign the user's SSH public key with the CA using the following command:

root@server:~# ssh-keygen -s cert_ca -I user_username -n username -V +52w id_rsa.pub

 

Signed user key id_rsa-cert.pub: id "user_username" serial 0 for username valid from 2020-04-17T10:33:00 to 2021-04-16T10:34:42

 

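Sign the key with the username you want to log in as on the server machine. In the command, -I sets the certificate's key ID, -n lists the usernames (principals) the certificate is valid for, and -V sets the validity period (+52w means 52 weeks from now). For example, if you want to log in to the server as user "ted", sign the key with the user "ted". Example: ssh-keygen -s cert_ca -I user_ted -n ted -V +52w id_rsa.pub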

 
  • Copy the SSH keys to the .ssh directory on the client machine:
 

root@server:~$ scp id_rsa-cert.pub  id_rsa admin@client1:/home/admin/.ssh/

 
 
Once the above is completed, the user will be able to log in to the server with SSH certificate authentication, without any password.
 
 

admin@client1:~# ssh username@server.com

 

Last login: Fri Apr 17 11:39:17 2020 from client1

 

[username@server~]#
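To check which login name a signed certificate actually permits, the signing step can be rehearsed in a scratch directory and the result inspected with ssh-keygen -L. This is an added example, not part of the original article; the helper function names, the scratch directory and the principal "ted" are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: sign a throwaway user key with a throwaway CA, then read the
# certificate back and confirm its key ID and principals.

# cert_field CERT LABEL: print the value of one "LABEL: value" line of ssh-keygen -L
cert_field() {
    ssh-keygen -L -f "$1" | sed -n "s/^[[:space:]]*$2: *//p"
}

# cert_principals CERT: print the certificate's principals, one per line
cert_principals() {
    ssh-keygen -L -f "$1" |
        awk '/Principals:/ {p=1; next}
             /Critical Options:/ {p=0}
             p {gsub(/^[ \t]+/, ""); print}'
}

# cert_allows CERT USER: succeed only for a user certificate that lists USER
cert_allows() {
    case "$(cert_field "$1" Type)" in
        *"user certificate") ;;
        *) return 1 ;;
    esac
    cert_principals "$1" | grep -Fxq -- "$2"
}

# sign_demo DIR: create a CA and a user key in DIR and sign the user key with
# the same options as the article (-I key ID, -n principal, -V validity)
sign_demo() {
    ssh-keygen -q -t rsa -N '' -f "$1/cert_ca" &&
    ssh-keygen -q -t rsa -N '' -f "$1/id_rsa" &&
    ssh-keygen -q -s "$1/cert_ca" -I user_ted -n ted -V +52w "$1/id_rsa.pub"
}

demo_dir=$(mktemp -d)            # scratch directory, removed at the end
if sign_demo "$demo_dir"; then
    cert="$demo_dir/id_rsa-cert.pub"
    ssh-keygen -L -f "$cert"     # full listing: type, key ID, validity, principals
    cert_allows "$cert" ted  && echo "ted: listed principal"
    cert_allows "$cert" root || echo "root: not listed, login as root is refused"
fi
rm -rf "$demo_dir"
```

With only TrustedUserCAKeys configured as above, sshd accepts the certificate only for a login name that appears in its principals list, so running cert_allows against id_rsa-cert.pub before copying it to the client catches a key signed for the wrong user.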

 

 
