14.3.5. Creating SSH Certificates
/etc/ssh/directory is not recommend. In the examples below an account named
adminwith a directory named
keys/will be used.
admin, and a directory to receive the user's keys. For example:
~]$Set the permissions to allow keys to be copied in:
chmod o+w keys
ls -la keystotal 8 drwxrwxrwx. 2 admin admin 4096 May 22 16:17 . drwx------. 3 admin admin 4096 May 22 16:17 ..
220.127.116.11. Creating SSH Certificates to Authenticate Hosts
ssh-keygen -s ca_host_key -I host_name -h ssh_host_rsa_key.pubThe host certificate will named
Procedure 14.4. Generating a Host Certificate
- Host keys are generated automatically on the system. To list them enter the following command:
ls -l /etc/ssh/ssh_host*-rw-------. 1 root root 668 May 6 14:38 /etc/ssh/ssh_host_dsa_key -rw-r--r--. 1 root root 590 May 6 14:38 /etc/ssh/ssh_host_dsa_key.pub -rw-------. 1 root root 963 May 6 14:38 /etc/ssh/ssh_host_key -rw-r--r--. 1 root root 627 May 6 14:38 /etc/ssh/ssh_host_key.pub -rw-------. 1 root root 1679 May 6 14:38 /etc/ssh/ssh_host_rsa_key -rw-r--r--. 1 root root 382 May 6 14:38 /etc/ssh/ssh_host_rsa_key.pub
- Copy the chosen public key to the server designated as the CA. For example, from the host:
scp /etc/ssh/ssh_host_rsa_key.pub email@example.com:~/keys/ssh_host_rsa_key.pubThe authenticity of host 'ca-server.example.com (10.34.74.58)' can't be established. RSA key fingerprint is b0:e5:ea:b8:75:e2:f0:b1:fe:5b:07:39:7f:58:64:d9. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'ca-server.example.com,10.34.74.58' (RSA) to the list of known hosts. firstname.lastname@example.org's password: ssh_host_rsa_key.pub 100% 382 0.4KB/s 00:00Alternately, from the CA:
scp root@host_name.example.com:/etc/ssh/ssh_host_rsa_key.pub ~/keys/ssh_host_rsa_key.pub
- On the CA server, sign the host's public key. For example, as
~]#Where host_name is the host name of the system requiring the certificate.
ssh-keygen -s ~/.ssh/ca_host_key -I host_name -h -Z host_name.example.com -V -1d:+54w /home/admin/keys/ssh_host_rsa_key.pubEnter passphrase: Signed host key /home/admin/keys/ssh_host_rsa_key-cert.pub: id "host_name" serial 0 for host_name.example.com valid from 2015-05-26T12:21:54 to 2016-06-08T12:21:54
- Copy the certificate to the host. For example, from the CA:
scp /home/admin/keys/ssh_host_rsa_key-cert.pub root@host_name.example.com:/etc/ssh/root@host_name.example.com's password: ssh_host_rsa_key-cert.pub 100% 1384 1.5KB/s 00:00
- Configure the host to present the certificate to a user's system when a user initiates the login process. As
root, edit the
/etc/ssh/sshd_configfile as follows:
sshdto make the changes take effect:
service sshd restart
- On user's systems. remove keys belonging to hosts from the
~/.ssh/known_hostsfile if the user has previously logged into the host configured above. When a user logs into the host they should no longer be presented with the warning about the hosts authenticity.
/etc/ssh/known_hostsfile, as described in Procedure 14.3, “Trusting the Host Signing Key”, and that the server's public key is not in the
~/.ssh/known_hostsfile. Then attempt to log into the server over SSH as a remote user. You should not see a warning about the authenticity of the host. If required, add the
-voption to the SSH command to see logging information.
18.104.22.168. Creating SSH Certificates for Authenticating Users
ssh-keygen -s ca_user_key -I user_name -Z user_name -V -start:+end id_rsa.pubThe resulting certificate will be named
- Add more user's names to the certificate during the signing process using the
- On the user's system, add the public key of the CA in the
~/.ssh/authorized_keysfile using the
cert-authoritydirective and list the principals names as follows:
vi ~/.ssh/authorized_keys# A CA key, accepted for any host in *.example.com @cert-authority principals="name1,name2" *.example.com ssh-rsa AAAAB5Wm.
- On the server, create an
AuthorizedPrincipalsFilefile, either per user or globally, and add the principles' names to the file for those users allowed to log in. Then in the
/etc/ssh/sshd_configfile, specify the file using the
Procedure 14.5. Generating a User Certificate
- On client systems, login as the user who requires the certificate. Check for available keys as follows:
~]$If no suitable public key exists, generate one and set the directory permissions if the directory is not the default directory. For example, enter the following command:
ls -l ~/.ssh/
~]$By default the directory permissions for a user's keys are
ssh-keygen -t rsaGenerating public/private rsa key pair. Enter file in which to save the key (/home/user1/.ssh/id_rsa): Created directory '/home/user1/.ssh'. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/user1/.ssh/id_rsa. Your public key has been saved in /home/user1/.ssh/id_rsa.pub. The key fingerprint is: b1:f8:26:a7:46:87:c3:60:54:a3:6d:85:0d:60:fe:ce email@example.com The key's randomart image is: +--[ RSA 2048]----+ | oo++. | | o.o.o. | | .o o . | | oo . o | | . oo.S | | o=.. | | .Eo+ | | .= | | .. | +-----------------+
drwx------., or octal 0700. If required, confirm the permissions are correct:
~]$See Section 14.2.4, “Using Key-Based Authentication” for more examples of key generation and for instructions on setting the correct directory permissions.
ls -la ~/.sshtotal 16 drwx------. 2 user1 user1 4096 May 7 12:37 . drwx------. 3 user1 user1 4096 May 7 12:37 .. -rw-------. 1 user1 user1 1679 May 7 12:37 id_rsa -rw-r--r--. 1 user1 user1 421 May 7 12:37 id_rsa.pub
- The chosen public key must be copied to the server designated as the CA, in order to be signed. The secure copy command can be used to do this, the command has the following format:
scp ~/.ssh/id_protocol.pub admin@ca_server.example.com:~/keys/Where protocol is the part of the file name indicating the protocol used to generate the key, for example
rsa, admin is an account on the CA server, and /keys/ is a directory setup to receive the keys to be signed.Copy the chosen public key to the server designated as the CA. For example:
~]$If you have configured the client system to trust the host signing key as described in Procedure 14.3, “Trusting the Host Signing Key” then you should not see a warning about the authenticity of the remote host.
scp ~/.ssh/id_rsa.pub firstname.lastname@example.org:~/email@example.com's password: id_rsa.pub 100% 421 0.4KB/s 00:00
- On the CA server, sign the user's public key. For example, as
ssh-keygen -s ~/.ssh/ca_user_key -I user1 -Z user1 -V -1d:+54w /home/admin/keys/id_rsa.pubEnter passphrase: Signed user key /home/admin/keys/id_rsa-cert.pub: id "user1" serial 0 for host_name.example.com valid from 2015-05-21T16:43:17 to 2016-06-03T16:43:17
- Copy the resulting certificate to the user's
~/.ssh/directory on their system. For example:
scp /home/admin/keys/id_rsa-cert.pub user1@host_name.example.com:~/.ssh/user1@host_name.example.com's password: id_rsa-cert.pub 100% 1498 1.5KB/s 00:00
- If using the standard file names and location then no further configuration is required as the SSH daemon will search for user certificates ending in
-cert.puband use them automatically if it finds them. Note that the default location and file names for for SSH version 2 keys are:
~/.ssh/id_rsaas explained in the
ssh_config(5)manual page. If you use these locations and naming conventions then there is no need for editing the configuration files to enable
sshdto present the certificate. They will be used automatically when logging in to a remote system. In this is the case then skip to step 6.If required to use a non-default directory or file naming convention, then as
root, add the following line to the
IdentityFile ~/path/key_fileNote that this must be the private key name, do not had
-cert.pub. Ensure the file permission are correct. For example:
~]$This will enable the user of this system to be authenticated by a user certificate when logging into a remote system configured to trust the CA user certificate signing key.
ls -la ~/.ssh/config-rw-rw-r--. 1 user1 user1 36 May 27 21:49 /home/user1/.ssh/config
chmod 700 ~/.ssh/config~]$
ls -la ~/.ssh/config-rwx------. 1 user1 user1 36 May 27 21:49 /home/user1/.ssh/config
- To test the user certificate, attempt to log into a server over SSH from the user's account. You should do this as the user listed as a principle in the certificate, if any are specified. You should not be prompted for a password. If required, add the
-voption to the SSH command to see logging information.