RHEL 6 SSH server: support for authentication via certificate


Hi,

Has anyone tried to implement RHEL 6.x SSH authentication via certificate?

I found out that openssh-server 5.4 and above have this feature. I need some expert to provide some information.

Thank you.

Responses

Looking for "certificate" in the OpenSSH release notes led me to:

Add support for certificate authentication of users and hosts using a new, minimal OpenSSH certificate format (not X.509). Certificates contain a public key, identity information and some validity constraints and are signed with a standard SSH public key using ssh-keygen(1). CA keys may be marked as trusted in authorized_keys or via a TrustedUserCAKeys option in sshd_config(5) (for user authentication), or in known_hosts (for host authentication). Documentation for certificate support may be found in ssh-keygen(1), sshd(8) and ssh(1) and a description of the protocol extensions in PROTOCOL.certkeys.

UPDATE: Everything below is not related to this exact feature, but a mere misunderstanding on my side. I apologise for the trouble caused.


This feature is imho more commonly referred to as public key authentication. It's easily configured and should be enabled per default afaik. Just take a look at your /etc/ssh/sshd_config and search for PubkeyAuthentication. If this is not commented out and set to No, then public key authentication should already be working.

All you need to do from here is generate a key pair via ssh-keygen (see man 1 ssh-keygen) and place the content of the .pub file in ~/.ssh/authorized_keys in the target user's home directory on the machine you intend to log in to.

Kind Regards,
Andreas

Thanks Andreas Schramm, let me try to set this up in my VirtualBox to play around with this feature. Thank you.

Hi Andreas Schramm,

I tried with RHEL 6.4; the package versions are as below:
openssh-server-5.3p1-84.1.el6.x86_64
openssh-askpass-5.3p1-84.1.el6.x86_64
openssh-5.3p1-84.1.el6.x86_64
openssh-clients-5.3p1-84.1.el6.x86_64
openssl-1.0.0-27.el6.x86_64

I can't issue # ssh-keygen -s xxx -I: there is no option -s or -I in this ssh-keygen.

But I successfully issued the command # ssh-keygen -s xx -L on Fedora 17, where the version of OpenSSH is 5.9p1.

I think RHEL 6.4 (SSH version openssh-server-5.3p1-84.1.el6.x86_64) is not able to perform certificate authentication. Please advise.

Hi!

The feature you seemingly are trying to use has been added in OpenSSH Release 5.6 and therefore is not available in RHEL 6 yet.

I am not entirely sure what you are trying to achieve here, though.

If you want to use a central CA to identify and authorize multiple (public) keys, then you depend on a higher version of OpenSSH / ssh-keygen to sign (-s) them via your trusted CA key. I was not even aware of this feature yet.

What I was trying to explain to you is the possibility of simply creating a key pair for password-less login. This is a bit different from the CA variant, as you trust the key itself in this case (and accordingly you have to place different public keys on your server in order to enable different users to log on).

If password-less, secure authentication is your sole goal, OpenSSH 5.3 will work just fine; otherwise you might have to upgrade.

Kind Regards,
Andreas
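The CA variant described above, as an added example that is not part of the thread: a CA key signs a user's public key into an OpenSSH certificate, and the server trusts the CA instead of individual keys. It assumes OpenSSH 5.4 or later (ssh-keygen -s / -I / -L), a throwaway working directory, and the made-up principal "alice" and path /etc/ssh/user_ca.pub.

```shell
#!/bin/sh
# Added example, not from the thread: mint an OpenSSH user certificate with a CA
# key and show what sshd needs to trust it. Needs OpenSSH >= 5.4 (ssh-keygen
# -s / -I / -L); on RHEL 6.4's 5.3p1 the -s and -I options do not exist.
# Paths, key names and the principal "alice" are assumptions for the demo.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# 1. CA key pair. Keep ca_key offline; only ca_key.pub is copied to servers.
make_ca() {
    ssh-keygen -q -t rsa -b 2048 -N '' -C 'demo user CA' -f "$WORK/ca_key"
}

# 2. Ordinary user key pair, as the user would generate it with ssh-keygen.
make_user_key() {
    ssh-keygen -q -t rsa -b 2048 -N '' -C 'alice laptop' -f "$WORK/alice_key"
}

# 3. Sign the user's public key with the CA:
#    -s CA private key, -I key identity (shows up in sshd logs),
#    -n principals (login names the cert is valid for), -V validity window.
#    Writes alice_key-cert.pub next to the key.
sign_user_key() {
    ssh-keygen -q -s "$WORK/ca_key" -I 'alice@example.test' -n 'alice' \
        -V '+52w' "$WORK/alice_key.pub"
}

# 4. Server side: list the CA public key in sshd_config instead of copying
#    every user's public key into authorized_keys.
#    (cp "$WORK/ca_key.pub" /etc/ssh/user_ca.pub; then reload sshd.)
sshd_config_snippet() {
    printf 'TrustedUserCAKeys /etc/ssh/user_ca.pub\n'
}

# 5. Inspect the certificate (-L) and pull out the fields worth checking
#    before handing it to the user: the key identity and the principal.
cert_key_id() {
    ssh-keygen -L -f "$WORK/alice_key-cert.pub" | sed -n 's/.*Key ID: "\(.*\)"/\1/p'
}
cert_principal() {
    ssh-keygen -L -f "$WORK/alice_key-cert.pub" \
        | sed -n '/Principals:/{n;p;}' | tr -d ' \t'
}

# Run end to end with: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    make_ca; make_user_key; sign_user_key
    echo "key id: $(cert_key_id), principal: $(cert_principal)"
    sshd_config_snippet
fi
```

The user then logs in with the private key and the matching -cert.pub file next to it; sshd only needs the CA public key, so rotating or revoking users means reissuing certificates, not editing authorized_keys on every host.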

Hi, thanks for the update. I think this feature will be in the next release of RHEL.
I will use Fedora 17 to study this feature. I think more and more companies will ask for this kind of setup.

Can you tell me how I close this discussion? It is my first time. Thank you.

Sorry, I have so far never closed (or created) a discussion as well. I'm not even sure if discussions are meant to be closed at all.

Anyhow, it would be nice to hear about your experiences with the certificate authentication, as I think you are right and this feature is going to be more frequently used as time goes by and further distributions enable its use.