14.3.5. Creating SSH Certificates
A certifcate is a signed public key. The user's and host's public keys must be copied to the CA server for signing by the CA server's private key.
Copying many keys to the CA to be signed can create confusion if they are not uniquely named. If the default name is always used then the latest key to be copied will overwrite the previously copied key, which may be an acceptable method for one administrator. In the example below the default name is used. In a production environment, consider using easily recognizable names. It is recommend to have a designated directory on the CA server owned by an administrative user for the keys to be copied into. Copying these keys to the
/etc/ssh/directory is not recommend. In the examples below an account named
adminwith a directory named
keys/will be used.
Create an administrator account, in this example
admin, and a directory to receive the user's keys. For example:
~]$Set the permissions to allow keys to be copied in:
chmod o+w keys
ls -la keystotal 8 drwxrwxrwx. 2 admin admin 4096 May 22 16:17 . drwx------. 3 admin admin 4096 May 22 16:17 ..
126.96.36.199. Creating SSH Certificates to Authenticate Hosts
The command to sign a host certificate has the following format:
ssh-keygen -s ca_host_key -I host_name -h ssh_host_rsa_key.pubThe host certificate will named
Procedure 14.4. Generating a Host Certificate
To authenticate a host to a user, a public key must be generated on the host, passed to the CA server, signed by the CA, and then passed back to be stored on the host to present to a user attempting to log into the host.
- Host keys are generated automatically on the system. To list them enter the following command:
ls -l /etc/ssh/ssh_host*-rw-------. 1 root root 668 May 6 14:38 /etc/ssh/ssh_host_dsa_key -rw-r--r--. 1 root root 590 May 6 14:38 /etc/ssh/ssh_host_dsa_key.pub -rw-------. 1 root root 963 May 6 14:38 /etc/ssh/ssh_host_key -rw-r--r--. 1 root root 627 May 6 14:38 /etc/ssh/ssh_host_key.pub -rw-------. 1 root root 1679 May 6 14:38 /etc/ssh/ssh_host_rsa_key -rw-r--r--. 1 root root 382 May 6 14:38 /etc/ssh/ssh_host_rsa_key.pub
- Copy the chosen public key to the server designated as the CA. For example, from the host:
scp /etc/ssh/ssh_host_rsa_key.pub firstname.lastname@example.org:~/keys/ssh_host_rsa_key.pubThe authenticity of host 'ca-server.example.com (10.34.74.58)' can't be established. RSA key fingerprint is b0:e5:ea:b8:75:e2:f0:b1:fe:5b:07:39:7f:58:64:d9. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'ca-server.example.com,10.34.74.58' (RSA) to the list of known hosts. email@example.com's password: ssh_host_rsa_key.pub 100% 382 0.4KB/s 00:00Alternately, from the CA:
scp root@host_name.example.com:/etc/ssh/ssh_host_rsa_key.pub ~/keys/ssh_host_rsa_key.pub
- On the CA server, sign the host's public key. For example, as
~]#Where host_name is the host name of the system requiring the certificate.
ssh-keygen -s ~/.ssh/ca_host_key -I host_name -h -Z host_name.example.com -V -1d:+54w /home/admin/keys/ssh_host_rsa_key.pubEnter passphrase: Signed host key /home/admin/keys/ssh_host_rsa_key-cert.pub: id "host_name" serial 0 for host_name.example.com valid from 2015-05-26T12:21:54 to 2016-06-08T12:21:54
- Copy the certificate to the host. For example, from the CA:
scp /home/admin/keys/ssh_host_rsa_key-cert.pub root@host_name.example.com:/etc/ssh/root@host_name.example.com's password: ssh_host_rsa_key-cert.pub 100% 1384 1.5KB/s 00:00
- Configure the host to present the certificate to a user's system when a user initiates the login process. As
root, edit the
/etc/ssh/sshd_configfile as follows:
sshdto make the changes take effect:
service sshd restart
- On user's systems. remove keys belonging to hosts from the
~/.ssh/known_hostsfile if the user has previously logged into the host configured above. When a user logs into the host they should no longer be presented with the warning about the hosts authenticity.
To test the host certificate, on a client system, ensure the client has set up the global
/etc/ssh/known_hostsfile, as described in Procedure 14.3, “Trusting the Host Signing Key”, and that the server's public key is not in the
~/.ssh/known_hostsfile. Then attempt to log into the server over SSH as a remote user. You should not see a warning about the authenticity of the host. If required, add the
-voption to the SSH command to see logging information.
188.8.131.52. Creating SSH Certificates for Authenticating Users
To sign a user's certificate, use a command in the following format:
ssh-keygen -s ca_user_key -I user_name -Z user_name -V -start:+end id_rsa.pubThe resulting certificate will be named
The default behavior of OpenSSH is that a user is allowed to log in as a remote user if one of the principals specified in the certificate matches the remote user's name. This can be adjusted in the following ways:
- Add more user's names to the certificate during the signing process using the
- On the user's system, add the public key of the CA in the
~/.ssh/authorized_keysfile using the
cert-authoritydirective and list the principals names as follows:
vi ~/.ssh/authorized_keys# A CA key, accepted for any host in *.example.com @cert-authority principals="name1,name2" *.example.com ssh-rsa AAAAB5Wm.
- On the server, create an
AuthorizedPrincipalsFilefile, either per user or globally, and add the principles' names to the file for those users allowed to log in. Then in the
/etc/ssh/sshd_configfile, specify the file using the
Procedure 14.5. Generating a User Certificate
To authenticate a user to a remote host, a public key must be generated by the user, passed to the CA server, signed by the CA, and then passed back to be stored by the user for use when logging in to a host.
- On client systems, login as the user who requires the certificate. Check for available keys as follows:
~]$If no suitable public key exists, generate one and set the directory permissions if the directory is not the default directory. For example, enter the following command:
ls -l ~/.ssh/
~]$By default the directory permissions for a user's keys are
ssh-keygen -t rsaGenerating public/private rsa key pair. Enter file in which to save the key (/home/user1/.ssh/id_rsa): Created directory '/home/user1/.ssh'. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/user1/.ssh/id_rsa. Your public key has been saved in /home/user1/.ssh/id_rsa.pub. The key fingerprint is: b1:f8:26:a7:46:87:c3:60:54:a3:6d:85:0d:60:fe:ce firstname.lastname@example.org The key's randomart image is: +--[ RSA 2048]----+ | oo++. | | o.o.o. | | .o o . | | oo . o | | . oo.S | | o=.. | | .Eo+ | | .= | | .. | +-----------------+
drwx------., or octal 0700. If required, confirm the permissions are correct:
~]$See Section 14.2.4, “Using Key-Based Authentication” for more examples of key generation and for instructions on setting the correct directory permissions.
ls -la ~/.sshtotal 16 drwx------. 2 user1 user1 4096 May 7 12:37 . drwx------. 3 user1 user1 4096 May 7 12:37 .. -rw-------. 1 user1 user1 1679 May 7 12:37 id_rsa -rw-r--r--. 1 user1 user1 421 May 7 12:37 id_rsa.pub
- The chosen public key must be copied to the server designated as the CA, in order to be signed. The secure copy command can be used to do this, the command has the following format:
scp ~/.ssh/id_protocol.pub admin@ca_server.example.com:~/keys/Where protocol is the part of the file name indicating the protocol used to generate the key, for example
rsa, admin is an account on the CA server, and /keys/ is a directory setup to receive the keys to be signed.Copy the chosen public key to the server designated as the CA. For example:
~]$If you have configured the client system to trust the host signing key as described in Procedure 14.3, “Trusting the Host Signing Key” then you should not see a warning about the authenticity of the remote host.
scp ~/.ssh/id_rsa.pub email@example.com:~/firstname.lastname@example.org's password: id_rsa.pub 100% 421 0.4KB/s 00:00
- On the CA server, sign the user's public key. For example, as
ssh-keygen -s ~/.ssh/ca_user_key -I user1 -Z user1 -V -1d:+54w /home/admin/keys/id_rsa.pubEnter passphrase: Signed user key /home/admin/keys/id_rsa-cert.pub: id "user1" serial 0 for host_name.example.com valid from 2015-05-21T16:43:17 to 2016-06-03T16:43:17
- Copy the resulting certificate to the user's
~/.ssh/directory on their system. For example:
scp /home/admin/keys/id_rsa-cert.pub user1@host_name.example.com:~/.ssh/user1@host_name.example.com's password: id_rsa-cert.pub 100% 1498 1.5KB/s 00:00
- If using the standard file names and location then no further configuration is required as the SSH daemon will search for user certificates ending in
-cert.puband use them automatically if it finds them. Note that the default location and file names for for SSH version 2 keys are:
~/.ssh/id_rsaas explained in the
ssh_config(5)manual page. If you use these locations and naming conventions then there is no need for editing the configuration files to enable
sshdto present the certificate. They will be used automatically when logging in to a remote system. In this is the case then skip to step 6.If required to use a non-default directory or file naming convention, then as
root, add the following line to the
IdentityFile ~/path/key_fileNote that this must be the private key name, do not had
-cert.pub. Ensure the file permission are correct. For example:
~]$This will enable the user of this system to be authenticated by a user certificate when logging into a remote system configured to trust the CA user certificate signing key.
ls -la ~/.ssh/config-rw-rw-r--. 1 user1 user1 36 May 27 21:49 /home/user1/.ssh/config
chmod 700 ~/.ssh/config~]$
ls -la ~/.ssh/config-rwx------. 1 user1 user1 36 May 27 21:49 /home/user1/.ssh/config
- To test the user certificate, attempt to log into a server over SSH from the user's account. You should do this as the user listed as a principle in the certificate, if any are specified. You should not be prompted for a password. If required, add the
-voption to the SSH command to see logging information.