Configure ssh certificate based authentication
Configure Certificate Based SSH User Authentication
Support for certificate authentication of users and hosts using the new OpenSSH certificate format was introduced in Red Hat Enterprise Linux 6.5, in the openssh-5.3p1-94.el6 package. If required, to ensure the latest OpenSSH package is installed, enter the following command as root
:
root@server:~# yum install openssh
Setting Up Certificate Authority Infrastructure
- Generate CA key (cert_ca) for signing user ssh keys with following command :
root@server:~# ssh-keygen -f cert_ca
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in cert_ca.
Your public key has been saved in cert_ca.pub.
The key fingerprint is:
b3:af:e8:ef:c4:5d:90:f8:be:16:99:74:f2:39:3a:3e root@server
The key's randomart image is:
+---[RSA 2048]----+
| |
| . . |
| . o |
| .o.. |
| S..*.. |
| . =+.+ |
| + oo . |
| o .E. |
| .oo+++o |
+-----------------+
root@CA:~# ls
cert_ca cert_ca.pub
Copy the keys to /etc/ssh/
root@server:~# cp -pr cert_ca* /etc/ssh/
Add CA public key (cert_ca.pub) as Trusted Key in the ssh server machines
vi /etc/ssh/sshd_config
(Add the following lines)
TrustedUserCAKeys /etc/ssh/cert_ca.pub
Restart SSH service
service sshd restart (For centos / rhel)
service ssh restart (For ubuntu / debian)
Generate SSH key for user
root@server:~$ ssh-keygen -trsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
6f:d0:27:36:69:80:e4:ad:0c:5c:f9:d9:d8:af:a9:8d root@server
The key's randomart image is:
+---[RSA 2048]----+
| o. |
| . +.o |
| o o.o= |
| o .+oo. |
| o S B.. |
| = +. |
| oo |
| +o |
| E.. |
+-----------------+
Sign user ssh public key by CA with following command :
root@server:~# ssh-keygen -s cert_ca -I user_username -n username -V +52w id_rsa.pub
Signed user key id_rsa-cert.pub: id "user_username" serial 0 for username valid from 2020-04-17T10:33:00 to 2021-04-16T10:34:42
you should sign with user(username) you want to login to the server machine. For example, If you want to login as user " TED " to the server, You should sign the with the user " TED ". Example : ssh-keygen -s cert_ca -I user_ted -n ted -V +52w id_rsa.pub
root@server:~$ scp id_rsa-cert.pub id_rsa admin@client1:/home/admin/.ssh/
admin@client1:~# ssh username@server.com
Last login: Fri Apr 17 11:39:17 2020 from client1
[username@server~]#