rhel 6 ssh server support authentication via certificate

Posted in: Red Hat Enterprise Linux
Started 2013-11-02T09:28:59+00:00 by csyeow
Latest response 2013-11-07T06:12:20+00:00

Hi, has anyone tried to implement RHEL 6.x SSH authentication via certificate? I found out that openssh-server 5.4 and above have this feature. I need an expert to provide some information. tq

Responses

Andreas Schramm, 4 November 2013 9:25 AM

Looking for "certificate" in the OpenSSH release notes led me to:

> Add support for certificate authentication of users and hosts using a new, minimal OpenSSH certificate format (not X.509). Certificates contain a public key, identity information and some validity constraints and are signed with a standard SSH public key using ssh-keygen(1). CA keys may be marked as trusted in authorized_keys or via a TrustedUserCAKeys option in sshd_config(5) (for user authentication), or in known_hosts (for host authentication). Documentation for certificate support may be found in ssh-keygen(1), sshd(8) and ssh(1) and a description of the protocol extensions in PROTOCOL.certkeys.

UPDATE: Everything below is not related to this exact feature, but a mere misunderstanding from my side. I apologise for the trouble caused.

This feature is imho more commonly referred to as public key authentication. It's easily configured and should be enabled per default afaik. Just take a look at your /etc/ssh/sshd_config and search for PubkeyAuthentication. If this is not commented out and set to No, then public key authentication should already be working. All you need to do from here is generate a key pair via ssh-keygen (see man 1 ssh-keygen) and place the content of the .pub file in ~/.ssh/authorized_keys in the target user's homedir on the machine you intend to log in to.

Kind Regards,
Andreas

csyeow, 4 November 2013 1:15 PM

Thanks Andreas Schramm, let me try to set this up in my VirtualBox to play around with this feature. tq

csyeow, 6 November 2013 6:27 AM

Hi Andreas Schramm,

I tried with RHEL 6.4. The package versions are as below:

openssh-server-5.3p1-84.1.el6.x86_64
openssh-askpass-5.3p1-84.1.el6.x86_64
openssh-5.3p1-84.1.el6.x86_64
openssh-clients-5.3p1-84.1.el6.x86_64
openssl-1.0.0-27.el6.x86_64

I can't issue #ssh-keygen -s xxx -I --> there are no options s and I in ssh-keygen, but I successfully issued the command #ssh-keygen -s xx -L on Fedora 17. The version of openssh there is 5.9p1.

I think RHEL 6.4 (ssh version openssh-server-5.3p1-84.1.el6.x86_64) is not able to perform certificate authentication. Please advise.

Andreas Schramm, 6 November 2013 9:59 AM

Hi!

The feature you seemingly are trying to use has been added in OpenSSH Release 5.6 and therefore is not available in RHEL6 yet. I am not entirely sure what you are trying to achieve here though.

If you want to use a central CA to identify and authorize multiple (public) keys, then you depend on a higher version of OpenSSH / ssh-keygen to sign (-s) them via your trusted CA key. I was not even aware of this feature yet.

What I was trying to explain to you is the possibility of simply creating a key pair for password-less login. This is a bit different from the CA variant, as you trust the key itself in this case (and accordingly you have to place different public keys on your server in order to enable different users to log on).

If password-less, secure authentication is your sole goal, OpenSSH 5.3 will work just fine; otherwise you might have to upgrade.

Kind Regards,
Andreas

csyeow, 7 November 2013 2:52 AM

Hi, thanks for the update. I think this feature will be in the next release of RHEL. I will use Fedora 17 to study this feature. I think more and more companies will ask for this kind of setup.

Can you tell me how I close this discussion? It is my first time. tq

Andreas Schramm, 7 November 2013 6:12 AM

Sorry, I have so far never closed (or created) a discussion either. I'm not even sure if discussions are meant to be closed at all. Anyhow, it would be nice to hear about your experiences with the certificate authentication, as I think you are right and this feature is going to be more frequently used as time goes by and further distributions enable its use.
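
The certificate workflow discussed in this thread (a CA key signing a user key with ssh-keygen -s and -I, inspected with -L, and trusted on the server through TrustedUserCAKeys), as an added example that is not part of any post above. The file names demo_ca and id_user, the principal, the 52-week validity and the ed25519 key type (which needs a newer OpenSSH than the 5.6 named in the thread) are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo: demo_ca, id_user and the 52-week validity are assumptions.

# Create a CA key, a user key, and a user certificate signed by the CA.
# Fails on an ssh-keygen without certificate support (such as the 5.3p1
# build in the thread, which rejects -s and -I).
make_user_cert() {
    dir=$1; principal=$2
    # CA key pair: the private half signs, the public half is what servers trust.
    ssh-keygen -q -t ed25519 -N '' -C demo-ca -f "$dir/demo_ca" || return 1
    # The user's ordinary key pair.
    ssh-keygen -q -t ed25519 -N '' -C "$principal" -f "$dir/id_user" || return 1
    # -s CA private key, -I key identity (shows up in sshd logs),
    # -n principals (login names the cert is valid for), -V validity window.
    ssh-keygen -s "$dir/demo_ca" -I "$principal-demo" \
        -n "$principal" -V +52w "$dir/id_user.pub" || return 1
    # ssh-keygen writes the certificate next to the key as id_user-cert.pub.
    [ -s "$dir/id_user-cert.pub" ]
}

# Print one field ("Key ID", "Type", "Serial", ...) from ssh-keygen -L output.
cert_field() {
    ssh-keygen -L -f "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# Print the principals, one per line (they follow the "Principals:" header).
cert_principals() {
    ssh-keygen -L -f "$1" |
        awk '/^[[:space:]]*Principals:/ {p=1; next}
             /^[[:space:]]*Critical Options:/ {p=0}
             p {print $1}'
}

# Server side (sshd_config): accept any user certificate signed by this CA.
# The path is an assumption; only the CA's public key is copied to the server.
#   TrustedUserCAKeys /etc/ssh/demo_ca.pub
```

Unlike the authorized_keys approach, the server here stores only the CA public key; individual user keys are accepted because the CA signed them, for the listed principals and validity window only.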