I am trying to find out how I can use the new self-signed certificates So what I read in the man pages, it should be something like: client: 1) ssh-keygen -f ca_rsa # generate a ssh keypair for use as a certificate Server(s): 2) make sure your /etc/ssh/sshd_config has TrustedUserCAKeys assigned TrustedUserCAKeys /etc/ssh/sshcakeys # or whatever name or location you like 3) edit /etc/ssh/sshcakeys and add the contents of ca_rsa.pub in it Client: 4) for a user generate a certificate of its public key ssh-keygen -s ca_rsa -I keyid -n user id_rsa.pub This will generate an id_rsa-cert.pub certificate file Client: 5) ssh user at server # connect to server using the certificate Is this correct or did I miss something ? Is it also possible to disable the plain public key authentication and only accept certificate authentication (can't find an option for this in sshd_config) thx Hans
On Tue, Apr 27, 2010 at 13:49:19 -0500, Hans wrote:> I am trying to find out how I can use the new self-signed certificates > So what I read in the man pages, it should be something like: > > client: > 1) ssh-keygen -f ca_rsa # generate a ssh keypair for use as a certificate > > Server(s): > 2) make sure your /etc/ssh/sshd_config has TrustedUserCAKeys assigned > TrustedUserCAKeys /etc/ssh/sshcakeys # or whatever name or > location you likeTrustedUserCAKeys is really intended for specifying system-wide CA keys such as you would use if your organization were generating certs for users. For user-generated certs, you would simply add the appropriate entry to the user's ~/.ssh/authorized_keys file on the servers. Note that using TrustedUserCAKeys also impacts how the user certificate is generated. If you use TrustedUserCAKeys, the certificates MUST have a principal specified.> > 3) edit /etc/ssh/sshcakeys and add the contents of ca_rsa.pub in it > > Client: > 4) for a user generate a certificate of its public key > ssh-keygen -s ca_rsa -I keyid -n user id_rsa.pub > This will generate an id_rsa-cert.pub certificate file > > Client: > 5) ssh user at server # connect to server using the certificate > > Is this correct or did I miss something ?Other than the comment above regarding the use of TrustedUserCAKeys, this looks reasonable. Note that with user-generated certs, the CA should really be listed in the user's ~/.ssh/authorized_keys file and should have the 'cert-authority' tag.> > Is it also possible to disable the plain public key authentication and > only accept certificate authentication (can't find an option for this > in sshd_config)Since certificate-based authentication is really just an extension to classic public-key authentication, you can't turn off public-key auth without also turning off certificate support. However, if you are using a centralized CA (and thus TrustedUserCAKeys), you could effectively disable classic pubkey auth by specifying a different path for the authorized_keys file, i.e.: AuthorizedKeysFile /dev/null or AuthorizedKeysFile /etc/ssh/authorized_keys/%u The latter would make it possible to have exceptions to the general case.> > thx > > Hans > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev-- Iain Morgan
On Tue, 27 Apr 2010, Hans wrote:> I am trying to find out how I can use the new self-signed certificates > So what I read in the man pages, it should be something like: > > client: > 1) ssh-keygen -f ca_rsa # generate a ssh keypair for use as a certificate > > Server(s): > 2) make sure your /etc/ssh/sshd_config has TrustedUserCAKeys assigned > TrustedUserCAKeys /etc/ssh/sshcakeys # or whatever name or > location you like > > 3) edit /etc/ssh/sshcakeys and add the contents of ca_rsa.pub in it > > Client: > 4) for a user generate a certificate of its public key > ssh-keygen -s ca_rsa -I keyid -n user id_rsa.pub > This will generate an id_rsa-cert.pub certificate file > > Client: > 5) ssh user at server # connect to server using the certificate > > Is this correct or did I miss something ?That is it in a nutshell. You should specify a validity period for the certificates in step #3. Since our revocation implementation is weak at the moment, it is best to use short-lived certificates that are refreshed frequently (and hopefully through an easy process for the user). Also, if you want to try out certificates without touching sshd_config (e.g. if you don't have superuser access), then you can specify trusted CA keys on a per-user basis in authorized_keys using the "cert-authority" key option: cert-authority ssh-rsa AAA.....> Is it also possible to disable the plain public key authentication and > only accept certificate authentication (can't find an option for this > in sshd_config)You can set AuthorizedKeysFile to /dev/null, so sshd will never find any regular keys there. This can be done on a per-user/group/address basis using the Match keyword. As you are probably aware, the certificate support is very new and I'd love to hear any feedback or criticism you may have. -d
Reasonably Related Threads
- Help with CA Certificates for user authentication?
- SSH certificates - restricting to host groups
- X509 based certificate authentication in OpenSSH
- AuthorizedKeysFile with default value prevents Public/Private key authentication
- Authenticate against key files before AuthorizedKeysCommand