Skip to Content

Configure ssh certificate based authentication

Configure Certificate Based SSH User Authentication

 

Support for certificate authentication of users and hosts using the new OpenSSH certificate format was introduced in Red Hat Enterprise Linux 6.5, in the  openssh-5.3p1-94.el6  package. If required, to ensure the latest OpenSSH package is installed, enter the following command as  root :

 

[email protected]:~# yum install openssh 

 

Setting Up Certificate Authority Infrastructure

  • Generate CA key (cert_ca) for signing user ssh keys with following command :

[email protected]:~# ssh-keygen -f cert_ca


Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in cert_ca.
Your public key has been saved in cert_ca.pub.
The key fingerprint is:
b3:af:e8:ef:c4:5d:90:f8:be:16:99:74:f2:39:3a:3e [email protected]
The key’s randomart image is:
+---[RSA 2048]----+
|                 |
|         . .     |
|        . o      |
|         .o..    |
|        S..*..   |
|       . =+.+    |
|        + oo .   |
|       o .E.     |
|     .oo+++o     |
+-----------------+


[email protected]:~# ls
cert_ca  cert_ca.pub

 

   Copy the keys to /etc/ssh/ 

[email protected]:~# cp -pr cert_ca* /etc/ssh/

 

  Add CA public key (cert_ca.pub) as Trusted Key in the ssh server machines 

 

 vi /etc/ssh/sshd_config

(Add the following lines)

 TrustedUserCAKeys /etc/ssh/cert_ca.pub

 

 Restart SSH service

service sshd restart (For centos / rhel)

service ssh restart (For ubuntu / debian)

 

 

 Generate SSH key for user

[email protected]:~$ ssh-keygen -trsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
6f:d0:27:36:69:80:e4:ad:0c:5c:f9:d9:d8:af:a9:8d  [email protected] 
The key’s randomart image is:
+---[RSA 2048]----+
| o. |
| . +.o |
| o o.o= |
| o .+oo. |
| o S B.. |
| = +. |
| oo |
| +o |
| E.. |
+-----------------+

Sign user ssh public key by CA with following command :

[email protected]:~# ssh-keygen -s cert_ca -I user_username -n username -V +52w id_rsa.pub

 

Signed user key id_rsa-cert.pub: id "user_username" serial 0 for username valid from 2020-04-17T10:33:00 to 2021-04-16T10:34:42

 

you should sign with user(username) you want to login to the server machine. For example, If you want to login as user " TED " to the server, You should sign the with the user  " TED ". Example : ssh-keygen -s cert_ca -I user_ted -n ted -V +52w id_rsa.pub

 
  Copy the the ssh keys to client machine .ssh directory 
 

[email protected]:~$ scp id_rsa-cert.pub  id_rsa admin@client1:/home/admin/.ssh/

 
 
Once the above is completed user will be able to login to server with ssh certificate authentication without any password.
 
 

[email protected]:~# ssh [email protected]

 

Last login: Fri Apr 17 11:39:17 2020 from client1

 

[[email protected]~]#