14.3.5. Creating SSH Certificates
A certifcate is a signed public key. The user's and host's public keys must be copied to the CA server for signing by the CA server's private key.
Important
Copying many keys to the CA to be signed can create confusion if they are not uniquely named. If the default name is always used then the latest key to be copied will overwrite the previously copied key, which may be an acceptable method for one administrator. In the example below the default name is used. In a production environment, consider using easily recognizable names. It is recommend to have a designated directory on the CA server owned by an administrative user for the keys to be copied into. Copying these keys to the
root
user's /etc/ssh/
directory is not recommend. In the examples below an account named admin
with a directory named keys/
will be used.
Create an administrator account, in this example
admin
, and a directory to receive the user's keys. For example:
~]$ mkdir keys
Set the permissions to allow keys to be copied in:
~]$chmod o+w keys
ls -la keys
total 8 drwxrwxrwx. 2 admin admin 4096 May 22 16:17 . drwx------. 3 admin admin 4096 May 22 16:17 ..
14.3.5.1. Creating SSH Certificates to Authenticate Hosts
The command to sign a host certificate has the following format:
ssh-keygen -s ca_host_key -I host_name -h ssh_host_rsa_key.pubThe host certificate will named
ssh_host_rsa_key-cert.pub
.
Procedure 14.4. Generating a Host Certificate
To authenticate a host to a user, a public key must be generated on the host, passed to the CA server, signed by the CA, and then passed back to be stored on the host to present to a user attempting to log into the host.
- Host keys are generated automatically on the system. To list them enter the following command:
~]#
ls -l /etc/ssh/ssh_host*
-rw-------. 1 root root 668 May 6 14:38 /etc/ssh/ssh_host_dsa_key -rw-r--r--. 1 root root 590 May 6 14:38 /etc/ssh/ssh_host_dsa_key.pub -rw-------. 1 root root 963 May 6 14:38 /etc/ssh/ssh_host_key -rw-r--r--. 1 root root 627 May 6 14:38 /etc/ssh/ssh_host_key.pub -rw-------. 1 root root 1679 May 6 14:38 /etc/ssh/ssh_host_rsa_key -rw-r--r--. 1 root root 382 May 6 14:38 /etc/ssh/ssh_host_rsa_key.pub - Copy the chosen public key to the server designated as the CA. For example, from the host:
~]#
scp /etc/ssh/ssh_host_rsa_key.pub admin@ca-server.example.com:~/keys/ssh_host_rsa_key.pub
The authenticity of host 'ca-server.example.com (10.34.74.58)' can't be established. RSA key fingerprint is b0:e5:ea:b8:75:e2:f0:b1:fe:5b:07:39:7f:58:64:d9. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'ca-server.example.com,10.34.74.58' (RSA) to the list of known hosts. admin@ca-server.example.com's password: ssh_host_rsa_key.pub 100% 382 0.4KB/s 00:00Alternately, from the CA:~]$
scp root@host_name.example.com:/etc/ssh/ssh_host_rsa_key.pub ~/keys/ssh_host_rsa_key.pub
- On the CA server, sign the host's public key. For example, as
root
:~]#
Where host_name is the host name of the system requiring the certificate.ssh-keygen -s ~/.ssh/ca_host_key -I host_name -h -Z host_name.example.com -V -1d:+54w /home/admin/keys/ssh_host_rsa_key.pub
Enter passphrase: Signed host key /home/admin/keys/ssh_host_rsa_key-cert.pub: id "host_name" serial 0 for host_name.example.com valid from 2015-05-26T12:21:54 to 2016-06-08T12:21:54 - Copy the certificate to the host. For example, from the CA:
~]#
scp /home/admin/keys/ssh_host_rsa_key-cert.pub root@host_name.example.com:/etc/ssh/
root@host_name.example.com's password: ssh_host_rsa_key-cert.pub 100% 1384 1.5KB/s 00:00 - Configure the host to present the certificate to a user's system when a user initiates the login process. As
root
, edit the/etc/ssh/sshd_config
file as follows:HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
- Restart
sshd
to make the changes take effect:~]#
service sshd restart
- On user's systems. remove keys belonging to hosts from the
~/.ssh/known_hosts
file if the user has previously logged into the host configured above. When a user logs into the host they should no longer be presented with the warning about the hosts authenticity.
To test the host certificate, on a client system, ensure the client has set up the global
/etc/ssh/known_hosts
file, as described in Procedure 14.3, “Trusting the Host Signing Key”, and that the server's public key is not in the ~/.ssh/known_hosts
file. Then attempt to log into the server over SSH as a remote user. You should not see a warning about the authenticity of the host. If required, add the -v
option to the SSH command to see logging information.
14.3.5.2. Creating SSH Certificates for Authenticating Users
To sign a user's certificate, use a command in the following format:
ssh-keygen -s ca_user_key -I user_name -Z user_name -V -start:+end id_rsa.pubThe resulting certificate will be named
id_rsa-cert.pub
.
The default behavior of OpenSSH is that a user is allowed to log in as a remote user if one of the principals specified in the certificate matches the remote user's name. This can be adjusted in the following ways:
- Add more user's names to the certificate during the signing process using the
-Z
option:-Z "name1[,name2,...]"
- On the user's system, add the public key of the CA in the
~/.ssh/authorized_keys
file using thecert-authority
directive and list the principals names as follows:~]#
vi ~/.ssh/authorized_keys
# A CA key, accepted for any host in *.example.com @cert-authority principals="name1,name2" *.example.com ssh-rsa AAAAB5Wm. - On the server, create an
AuthorizedPrincipalsFile
file, either per user or globally, and add the principles' names to the file for those users allowed to log in. Then in the/etc/ssh/sshd_config
file, specify the file using theAuthorizedPrincipalsFile
directive.
Procedure 14.5. Generating a User Certificate
To authenticate a user to a remote host, a public key must be generated by the user, passed to the CA server, signed by the CA, and then passed back to be stored by the user for use when logging in to a host.
- On client systems, login as the user who requires the certificate. Check for available keys as follows:
~]$
If no suitable public key exists, generate one and set the directory permissions if the directory is not the default directory. For example, enter the following command:ls -l ~/.ssh/
~]$
By default the directory permissions for a user's keys aressh-keygen -t rsa
Generating public/private rsa key pair. Enter file in which to save the key (/home/user1/.ssh/id_rsa): Created directory '/home/user1/.ssh'. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/user1/.ssh/id_rsa. Your public key has been saved in /home/user1/.ssh/id_rsa.pub. The key fingerprint is: b1:f8:26:a7:46:87:c3:60:54:a3:6d:85:0d:60:fe:ce user1@host1.example.com The key's randomart image is: +--[ RSA 2048]----+ | oo++. | | o.o.o. | | .o o . | | oo . o | | . oo.S | | o=.. | | .Eo+ | | .= | | .. | +-----------------+drwx------.
, or octal 0700. If required, confirm the permissions are correct:~]$
See Section 14.2.4, “Using Key-Based Authentication” for more examples of key generation and for instructions on setting the correct directory permissions.ls -la ~/.ssh
total 16 drwx------. 2 user1 user1 4096 May 7 12:37 . drwx------. 3 user1 user1 4096 May 7 12:37 .. -rw-------. 1 user1 user1 1679 May 7 12:37 id_rsa -rw-r--r--. 1 user1 user1 421 May 7 12:37 id_rsa.pub - The chosen public key must be copied to the server designated as the CA, in order to be signed. The secure copy command can be used to do this, the command has the following format:
scp ~/.ssh/id_protocol.pub admin@ca_server.example.com:~/keys/
Where protocol is the part of the file name indicating the protocol used to generate the key, for examplersa
, admin is an account on the CA server, and /keys/ is a directory setup to receive the keys to be signed.Copy the chosen public key to the server designated as the CA. For example:~]$
If you have configured the client system to trust the host signing key as described in Procedure 14.3, “Trusting the Host Signing Key” then you should not see a warning about the authenticity of the remote host.scp ~/.ssh/id_rsa.pub admin@ca-server.example.com:~/keys/
admin@ca-server.example.com's password: id_rsa.pub 100% 421 0.4KB/s 00:00 - On the CA server, sign the user's public key. For example, as
root
:~]#
ssh-keygen -s ~/.ssh/ca_user_key -I user1 -Z user1 -V -1d:+54w /home/admin/keys/id_rsa.pub
Enter passphrase: Signed user key /home/admin/keys/id_rsa-cert.pub: id "user1" serial 0 for host_name.example.com valid from 2015-05-21T16:43:17 to 2016-06-03T16:43:17 - Copy the resulting certificate to the user's
~/.ssh/
directory on their system. For example:~]#
scp /home/admin/keys/id_rsa-cert.pub user1@host_name.example.com:~/.ssh/
user1@host_name.example.com's password: id_rsa-cert.pub 100% 1498 1.5KB/s 00:00 - If using the standard file names and location then no further configuration is required as the SSH daemon will search for user certificates ending in
-cert.pub
and use them automatically if it finds them. Note that the default location and file names for for SSH version 2 keys are:~/.ssh/id_dsa
,~/.ssh/id_ecdsa
and~/.ssh/id_rsa
as explained in thessh_config(5)
manual page. If you use these locations and naming conventions then there is no need for editing the configuration files to enablesshd
to present the certificate. They will be used automatically when logging in to a remote system. In this is the case then skip to step 6.If required to use a non-default directory or file naming convention, then asroot
, add the following line to the/etc/ssh/ssh_config
or~/.ssh/config
files:IdentityFile ~/path/key_file
Note that this must be the private key name, do not had.pub
or-cert.pub
. Ensure the file permission are correct. For example:~]$
This will enable the user of this system to be authenticated by a user certificate when logging into a remote system configured to trust the CA user certificate signing key.ls -la ~/.ssh/config
-rw-rw-r--. 1 user1 user1 36 May 27 21:49 /home/user1/.ssh/configchmod 700 ~/.ssh/config
~]$ls -la ~/.ssh/config
-rwx------. 1 user1 user1 36 May 27 21:49 /home/user1/.ssh/config - To test the user certificate, attempt to log into a server over SSH from the user's account. You should do this as the user listed as a principle in the certificate, if any are specified. You should not be prompted for a password. If required, add the
-v
option to the SSH command to see logging information.