14.3.5. Creating SSH Certificates
/etc/ssh/directory is not recommend. In the examples below an account named
adminwith a directory named
keys/will be used.
admin, and a directory to receive the user's keys. For example:
~]$Set the permissions to allow keys to be copied in:
chmod o+w keys
ls -la keystotal 8 drwxrwxrwx. 2 admin admin 4096 May 22 16:17 . drwx------. 3 admin admin 4096 May 22 16:17 ..
188.8.131.52. Creating SSH Certificates to Authenticate Hosts
ssh-keygen -s ca_host_key -I host_name -h ssh_host_rsa_key.pubThe host certificate will named
Procedure 14.4. Generating a Host Certificate
- Host keys are generated automatically on the system. To list them enter the following command:
ls -l /etc/ssh/ssh_host*-rw-------. 1 root root 668 May 6 14:38 /etc/ssh/ssh_host_dsa_key -rw-r--r--. 1 root root 590 May 6 14:38 /etc/ssh/ssh_host_dsa_key.pub -rw-------. 1 root root 963 May 6 14:38 /etc/ssh/ssh_host_key -rw-r--r--. 1 root root 627 May 6 14:38 /etc/ssh/ssh_host_key.pub -rw-------. 1 root root 1679 May 6 14:38 /etc/ssh/ssh_host_rsa_key -rw-r--r--. 1 root root 382 May 6 14:38 /etc/ssh/ssh_host_rsa_key.pub
- Copy the chosen public key to the server designated as the CA. For example, from the host:
scp /etc/ssh/ssh_host_rsa_key.pub email@example.com:~/keys/ssh_host_rsa_key.pubThe authenticity of host 'ca-server.example.com (10.34.74.58)' can't be established. RSA key fingerprint is b0:e5:ea:b8:75:e2:f0:b1:fe:5b:07:39:7f:58:64:d9. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'ca-server.example.com,10.34.74.58' (RSA) to the list of known hosts. firstname.lastname@example.org's password: ssh_host_rsa_key.pub 100% 382 0.4KB/s 00:00Alternately, from the CA:
scp root@host_name.example.com:/etc/ssh/ssh_host_rsa_key.pub ~/keys/ssh_host_rsa_key.pub
- On the CA server, sign the host's public key. For example, as
~]#Where host_name is the host name of the system requiring the certificate.
ssh-keygen -s ~/.ssh/ca_host_key -I host_name -h -Z host_name.example.com -V -1d:+54w /home/admin/keys/ssh_host_rsa_key.pubEnter passphrase: Signed host key /home/admin/keys/ssh_host_rsa_key-cert.pub: id "host_name" serial 0 for host_name.example.com valid from 2015-05-26T12:21:54 to 2016-06-08T12:21:54
- Copy the certificate to the host. For example, from the CA:
scp /home/admin/keys/ssh_host_rsa_key-cert.pub root@host_name.example.com:/etc/ssh/root@host_name.example.com's password: ssh_host_rsa_key-cert.pub 100% 1384 1.5KB/s 00:00
- Configure the host to present the certificate to a user's system when a user initiates the login process. As
root, edit the
/etc/ssh/sshd_configfile as follows:
sshdto make the changes take effect:
service sshd restart
- On user's systems. remove keys belonging to hosts from the
~/.ssh/known_hostsfile if the user has previously logged into the host configured above. When a user logs into the host they should no longer be presented with the warning about the hosts authenticity.
/etc/ssh/known_hostsfile, as described in Procedure 14.3, “Trusting the Host Signing Key”, and that the server's public key is not in the
~/.ssh/known_hostsfile. Then attempt to log into the server over SSH as a remote user. You should not see a warning about the authenticity of the host. If required, add the
-voption to the SSH command to see logging information.