Configure ssh certificate based authentication
Configure Certificate-Based SSH User Authentication
Support for certificate authentication of users and hosts using the OpenSSH certificate format was introduced in Red Hat Enterprise Linux 6.5, in the openssh-5.3p1-94.el6 package. To make sure the OpenSSH package is installed and up to date, enter the following command as root:
[email protected]:~# yum install openssh
1. Setting Up Certificate Authority Infrastructure
- Generate the CA key pair (cert_ca / cert_ca.pub) that will sign user SSH keys. Do this on the machine that will act as the CA (ideally a dedicated, well-protected host, since whoever holds cert_ca can mint a login certificate for any user on every server that trusts it) and protect the private key with a passphrase when prompted:
[email protected]:~# ssh-keygen -f cert_ca
Generating public/private RSA key pair.
Enter passphrase (empty for no passphrase):
Enter the same passphrase again:
Your identification has been saved in cert_ca.
Your public key has been saved in cert_ca.pub.
The key fingerprint is:
b3:af:e8:ef:c4:5d:90:f8:be:16:99:74:f2:39:3a:3e [email protected]
The key's randomart image is:
+---[RSA 2048]----+
| |
| . . |
| . o |
| .o.. |
| S..*.. |
| . =+.+ |
| + oo . |
| o .E. |
| .oo+++o |
+-----------------+
[email protected]:~# ls
cert_ca cert_ca.pub
Copy the CA public key to /etc/ssh/ on every SSH server that should accept certificates signed by this CA. Only cert_ca.pub is needed on the servers; the private key cert_ca stays on the CA host.
[email protected]:~# cp -p cert_ca.pub /etc/ssh/
2. Add the CA public key (cert_ca.pub) as a trusted user CA key on the SSH server machines
vi /etc/ssh/sshd_config
(Add the following line)
TrustedUserCAKeys /etc/ssh/cert_ca.pub
With this directive, sshd accepts any certificate signed by cert_ca whose principal list contains the login name; no per-user authorized_keys entry is needed. Restart the SSH service so the change takes effect:
service sshd restart (for CentOS / RHEL)
service ssh restart (for Ubuntu / Debian)
(On systemd-based releases, restart the sshd unit with systemctl instead.)
3. Generate an SSH key pair for the user. Do this on the client machine the user will log in from, so the private key never has to be transferred:
[email protected]:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
6f:d0:27:36:69:80:e4:ad:0c:5c:f9:d9:d8:af:a9:8d [email protected]
The key's randomart image is:
+---[RSA 2048]----+
| o. |
| . +.o |
| o o.o= |
| o .+oo. |
| o S B.. |
| = +. |
| oo |
| +o |
| E.. |
+-----------------+
4. Sign the user's SSH public key with the CA. Copy the user's public key (id_rsa.pub only, never the private key) to the CA host and run:
[email protected]:~# ssh-keygen -s cert_ca -I user_username -n username -V +52w id_rsa.pub
Signed user key id_rsa-cert.pub: id "user_username" serial 0 for username valid from 2020-04-17T10:33:00 to 2021-04-16T10:34:42
The options are: -s the CA private key; -I a key identity that is embedded in the certificate and logged by sshd on every login, so use something that identifies the person; -n the principal list; -V the validity interval. The principal given with -n must be exactly the account name the user will log in as: with TrustedUserCAKeys alone, sshd compares the principal against the login name (case-sensitively, like any Unix account name), and a certificate with an empty principal list is rejected. For example, to let someone log in as user ted, sign with: ssh-keygen -s cert_ca -I user_ted -n ted -V +52w id_rsa.pub
Send the resulting certificate back to the client. ssh uses it automatically when it sits next to the private key under the name <keyfile>-cert.pub, so the private key itself does not need to be copied anywhere:
[email protected]:~$ scp id_rsa-cert.pub admin@client1:/home/admin/.ssh/
You can also issue short-lived certificates to grant temporary SSH access.
Follow the first three steps above.
When signing the user's public key, the lifetime is set with the -V option, which accepts a relative interval such as +60m, +1d or +1w, or an absolute start:end pair in YYYYMMDDHHMMSS form. The example below issues a certificate that is valid for 60 minutes from the time it is generated:
-V validity_interval
[email protected]:~# ssh-keygen -s cert_ca -I user_username -n username -V +60m id_rsa.pub
Signed user key id_rsa-cert.pub: id "user_username" serial 0 for username valid from 2022-04-17T10:33:00 to 2022-04-17T11:33:00
As before, the principal given with -n must match the account the user will log in as (for user ted: ssh-keygen -s cert_ca -I user_ted -n ted -V +60m id_rsa.pub). Once the interval has passed, sshd rejects the certificate on its own and a fresh one has to be issued; nothing on the server needs to be touched or revoked.
[email protected]:~$ scp id_rsa-cert.pub admin@client1:/home/admin/.ssh/