14.3.4. Distributing and Trusting SSH CA Public Keys
Hosts that are to allow certificate-authenticated login from users must be configured to trust the CA public key that was used to sign the user certificates; without it they cannot validate the certificates users present. In this example that is the ca_user_key.pub key.
Publish the ca_user_key.pub key and download it to all hosts that are required to allow remote users to log in. Alternatively, copy the CA user public key to all the hosts. In a production environment, consider copying the public key to an administrator account first. The secure copy command can be used to copy the public key to remote hosts. The command has the following format:

scp ~/.ssh/ca_user_key.pub root@host_name.example.com:/etc/ssh/

Where host_name is the host name of a server that is required to authenticate user certificates presented during the login process. Ensure you copy the public key (ca_user_key.pub), not the private key (ca_user_key). For example, as root:

~]# scp ~/.ssh/ca_user_key.pub root@host_name.example.com:/etc/ssh/
The authenticity of host 'host_name.example.com (10.34.74.56)' can't be established.
RSA key fingerprint is fc:23:ad:ae:10:6f:d1:a1:67:ee:b1:d5:37:d4:b0:2f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'host_name.example.com,10.34.74.56' (RSA) to the list of known hosts.
root@host_name.example.com's password:
ca_user_key.pub                               100%  420     0.4KB/s   00:00

Note that answering yes to the unknown-host prompt trusts whatever host key the remote end presents, and the root password is then typed to that host. Before distributing trust anchors this way, compare the fingerprint shown with one obtained out of band (for example, by running ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub on the target's console).
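The following script is an added example, not part of the original guide, that automates the copy step above with two checks a practitioner would want: it refuses to ship anything that is not a single OpenSSH public key line (so the private key can never be sent by mistake), and it pins the target host's key to a fingerprint supplied out of band before scp runs, so there is no interactive yes/no prompt to mis-answer. The host name, fingerprint and remote root account are placeholders passed as arguments.

```shell
#!/bin/sh
# Added example (not from the original guide): push a CA *public* key to a
# host after checking that it really is a public key and that the host's key
# fingerprint matches one obtained out of band.
# Assumptions (hypothetical): the target host, its expected fingerprint and
# the remote root account are placeholders supplied on the command line.
set -eu

# assert_public_key FILE
# Returns 0 if FILE is a single OpenSSH public key line (key type, base64
# blob, optional comment) with no private-key marker; returns 1 otherwise.
assert_public_key() {
    f=$1
    [ -f "$f" ] || return 1
    # Private keys, PEM or OpenSSH format, always carry this marker.
    if grep -q 'PRIVATE KEY' "$f"; then
        return 1
    fi
    # A public key file is exactly one line.
    [ "$(wc -l < "$f" | tr -d ' ')" -le 1 ] || return 1
    head -n 1 "$f" | grep -Eq \
        '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)'
}

# push_ca_key CA_PUB HOST EXPECTED_FP
# Learns HOST's RSA key with ssh-keyscan, compares its fingerprint with
# EXPECTED_FP (in whatever format the local ssh-keygen -l prints: MD5 hex on
# OpenSSH older than 6.8, SHA256 on newer), then copies CA_PUB with strict
# host-key checking against that pinned key only.
push_ca_key() {
    ca_pub=$1; host=$2; expected=$3
    assert_public_key "$ca_pub" || {
        echo "refusing: $ca_pub is not an OpenSSH public key" >&2; return 1; }
    pinned=$(mktemp)
    ssh-keyscan -t rsa "$host" > "$pinned" 2>/dev/null
    actual=$(ssh-keygen -lf "$pinned" | awk '{print $2}')
    if [ "$actual" != "$expected" ]; then
        echo "host key mismatch for $host: got $actual, expected $expected" >&2
        rm -f "$pinned"; return 1
    fi
    scp -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$pinned" \
        "$ca_pub" "root@$host:/etc/ssh/ca_user_key.pub"
    # sshd reads the file as root; keep it root-owned and world-readable.
    ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$pinned" "root@$host" \
        'chown root:root /etc/ssh/ca_user_key.pub && chmod 0644 /etc/ssh/ca_user_key.pub'
    rm -f "$pinned"
}

# Usage: ./push_ca_key.sh ~/.ssh/ca_user_key.pub host_name.example.com <fingerprint>
if [ $# -eq 3 ]; then
    push_ca_key "$1" "$2" "$3"
fi
```

The expected fingerprint is the one you read on the target's console (ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub), not one taken from the network; the script's value of ssh-keyscan is only that the scp afterwards is pinned to that exact key.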
For remote user authentication, CA keys can be marked as trusted per-user in the ~/.ssh/authorized_keys file using the cert-authority directive, or for global use by means of the TrustedUserCAKeys directive in the /etc/ssh/sshd_config file. For remote host authentication, CA keys can be marked as trusted globally in the /etc/ssh/ssh_known_hosts file or per-user in the ~/.ssh/known_hosts file, using the @cert-authority marker.
Procedure 14.2. Trusting the User Signing Key
- For user certificates which have one or more principals listed, and where the setting is to have global effect, edit the /etc/ssh/sshd_config file as follows:

TrustedUserCAKeys /etc/ssh/ca_user_key.pub

Restart sshd to make the changes take effect:

~]# service sshd restart
To avoid being presented with the warning about an unknown host, a user's system must trust the CA's public key that was used to sign the host certificates. In this example that is ca_host_key.pub.
Procedure 14.3. Trusting the Host Signing Key
- Extract the contents of the public key used to sign the host certificate. For example, on the CA:

cat ~/.ssh/ca_host_key.pub
ssh-rsa AAAAB5Wm.== root@ca-server.example.com

- To configure client systems to trust servers' signed host certificates, add the contents of ca_host_key.pub to the global ssh_known_hosts file. This will automatically check a server's advertised host certificate against the CA public key, for all users, every time a new machine in the domain *.example.com is connected to. Log in as root and configure the /etc/ssh/ssh_known_hosts file as follows:

~]# vi /etc/ssh/ssh_known_hosts
# A CA key, accepted for any host in *.example.com
@cert-authority *.example.com ssh-rsa AAAAB5Wm.

Where ssh-rsa AAAAB5Wm. is the contents of ca_host_key.pub. The above configures the system to trust the CA's host signing public key. This enables global authentication of the certificates presented by hosts to remote users.