Kevin Denis
2011-Jul-07 12:44 UTC
Use of ssh certificates in a multi server of different kind environment.
Hello,

[if I'm not on the right mailing list, please advise me]

I'm using ssh certificates for my servers and my users. I have questions about it:

I can use the same CA in order to certify all my hosts. Every client can use it, and it's a great setup. But if I use the same CA for all my clients, it means that any client can log in to any server, because the hosts trust my CA. And that's not a desired behavior.

So I made several CAs, one for each type of server: one for webservers, one for svn servers, one for my cluster, and so on. It works, but I have to manage a lot of keys, and certify each kind of user with the right key.

Is there a way to add in the client certificate the name of the host it is authorized to log in to? With that I could still use only one CA and certify anyone behind it, a kind of:

    ssh-keygen -s CAKey -I CA -n user1 -O destination_address server1,192.168.19.2 user_rsa_key.pub

But the destination_address option doesn't exist...

So, am I doing it right with my multiple CAs? Or is there a better way?

Thanks,

Sent with Inmano, my stunning free webmail: http://www.inmano.com
Mauricio Tavares
2011-Jul-07 14:50 UTC
Use of ssh certificates in a multi server of different kind environment.
On Thu, Jul 7, 2011 at 8:44 AM, Kevin Denis <kevin at alinto.com> wrote:

> Hello,
>
> [if I'm not on the right mailing list, please advise me]
>
> I'm using ssh certificates for my servers and my users.
> I have questions about it:
>
> I can use the same CA in order to certify all my hosts. Every client can use it,
> and it's a great setup. But if I use the same CA for all my clients, it means that
> any client can log in to any server, because the hosts trust my CA. And that's not a
> desired behavior.
>
> So I made several CAs, one for each type of server: one for webservers, one
> for svn servers, one for my cluster, and so on. It works, but I have to
> manage a lot of keys, and certify each kind of user with the right key.
>
> Is there a way to add in the client certificate the name of the host it is authorized to
> log in to? With that I could still use only one CA and certify anyone behind it, a
> kind of:
>
>     ssh-keygen -s CAKey -I CA -n user1 -O destination_address server1,192.168.19.2 user_rsa_key.pub
>
> But the destination_address option doesn't exist...
>
> So, am I doing it right with my multiple CAs? Or is there a better way?

Can't your firewall/hosts.{allow,deny} files specify which IPs and subnets are allowed to log in to your server? This will not solve your problem but could be a start.

> Thanks,
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Dan Yefimov
2011-Jul-07 15:17 UTC
Use of ssh certificates in a multi server of different kind environment.
On 07.07.2011 16:44, Kevin Denis wrote:

> Hello,
>
> [if I'm not on the right mailing list, please advise me]
>
> I'm using ssh certificates for my servers and my users.
> I have questions about it:
>
> I can use the same CA in order to certify all my hosts. Every client can use it,
> and it's a great setup. But if I use the same CA for all my clients, it means that
> any client can log in to any server, because the hosts trust my CA. And that's not a
> desired behavior.
>
> So I made several CAs, one for each type of server: one for webservers, one
> for svn servers, one for my cluster, and so on. It works, but I have to
> manage a lot of keys, and certify each kind of user with the right key.
>
> Is there a way to add in the client certificate the name of the host it is authorized to
> log in to? With that I could still use only one CA and certify anyone behind it, a
> kind of:
>
>     ssh-keygen -s CAKey -I CA -n user1 -O destination_address server1,192.168.19.2 user_rsa_key.pub
>
> But the destination_address option doesn't exist...
>
> So, am I doing it right with my multiple CAs? Or is there a better way?

I think you should pay attention to Kerberos instead of client certificates.

--
Sincerely Yours, Dan.
Iain Morgan
2011-Jul-07 16:34 UTC
Use of ssh certificates in a multi server of different kind environment.
On Thu, Jul 07, 2011 at 07:44:33 -0500, Kevin Denis wrote:

> Hello,
>
> I'm using ssh certificates for my servers and my users.
> I have questions about it:
>
> I can use the same CA in order to certify all my hosts. Every client can use it,
> and it's a great setup. But if I use the same CA for all my clients, it means that
> any client can log in to any server, because the hosts trust my CA. And that's not a
> desired behavior.
>
> So I made several CAs, one for each type of server: one for webservers, one
> for svn servers, one for my cluster, and so on. It works, but I have to
> manage a lot of keys, and certify each kind of user with the right key.
>
> Is there a way to add in the client certificate the name of the host it is authorized to
> log in to? With that I could still use only one CA and certify anyone behind it, a
> kind of:
>
>     ssh-keygen -s CAKey -I CA -n user1 -O destination_address server1,192.168.19.2 user_rsa_key.pub
>
> But the destination_address option doesn't exist...
>
> So, am I doing it right with my multiple CAs? Or is there a better way?
>
> Thanks,

While the certificates do not provide a means of restricting their use to authenticating against specific servers, there are a variety of ways to accomplish a similar end.

The most obvious is to only provision accounts on servers for users who are authorized to access them. However, there may be some circumstances where this is not practical.

Another approach would be to use the AllowGroups keyword in sshd_config and only assign users to the allowed groups if they are authorized to access the system. Thus, you might have a group for each class of server for which you wish to authorize access. You can also provide access control via a PAM module such as pam_access.so.

If you are using a recent enough version of OpenSSH, you could also use the AuthorizedPrincipalsFile keyword to specify which principals can log in to a given account. You could then adjust these files on a host-by-host basis.

--
Iain Morgan
Damien Miller
2011-Jul-08 03:17 UTC
Use of ssh certificates in a multi server of different kind environment.
On Thu, 7 Jul 2011, Kevin Denis wrote:

> Hello,
>
> [if I'm not on the right mailing list, please advise me]
>
> I'm using ssh certificates for my servers and my users.
> I have questions about it:
>
> I can use the same CA in order to certify all my hosts. Every client can use it,
> and it's a great setup. But if I use the same CA for all my clients, it means that
> any client can log in to any server, because the hosts trust my CA. And that's not a
> desired behavior.
>
> So I made several CAs, one for each type of server: one for webservers, one
> for svn servers, one for my cluster, and so on. It works, but I have to
> manage a lot of keys, and certify each kind of user with the right key.
>
> Is there a way to add in the client certificate the name of the host it is authorized to
> log in to? With that I could still use only one CA and certify anyone behind it, a
> kind of:

Yes, you can do this using principals:

    ssh-keygen -s CAKey -I username -n username@host1.allowed,username@host2.allowed key

Set "AuthorizedPrincipalsFile .ssh/authorized_principals" in sshd_config on each of the hosts that trust CAKey.

Finally, populate ~/.ssh/authorized_principals for each user you want to allow to contain "username@host.name". Hosts where a name from authorized_principals matches a name in the ssh-keygen principals list will permit access to the user.

This would be easier if it were possible to expand the host's name in authorized_principals. Then you could have "%u@%h" or somesuch in each one and it would do the right thing everywhere.

-d
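Iain's last suggestion and Damien's reply describe the same mechanism: keep one CA, put per-host principal names into the user certificate, and let each host's AuthorizedPrincipalsFile decide which of those names it accepts. The script below is an added example written for this page; it is not code from the thread or from OpenSSH. It builds a CA key and a user key with ssh-keygen, signs the user key with the per-host principals exactly as Damien's command does, writes the per-host authorized_principals files, and then makes the allow/deny decision sshd would make on each host. The host names web1, svn1 and db1, the user names user1 and user2, the sshd_config fragment and the ed25519 key type are assumptions of the example (ed25519 postdates the 2011 thread; the principal mechanism is the same). principal_allowed is a re-implementation of sshd's rule for illustration, not sshd itself: a certificate principal must match a whole line of the file, no globbing, and a missing file denies.

```shell
#!/bin/sh
# Added example, not code from the thread. One CA, per-host principals:
# the certificate names "<user>@<host>.allowed" for each host it may open,
# and each host's authorized_principals lists only its own names.
# Host names web1/svn1/db1 and user names user1/user2 are illustrative.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Emulates the decision sshd makes with AuthorizedPrincipalsFile: allow if any
# principal carried by the certificate is a whole line of the file.
# $1 = authorized_principals file, $2 = comma-separated certificate principals
principal_allowed() {
    file=$1
    certprincipals=$2
    [ -f "$file" ] || return 1
    printf '%s\n' "$certprincipals" | tr ',' '\n' | {
        while IFS= read -r p; do
            [ -n "$p" ] || continue
            # exact whole-line match only; "#" comment lines are skipped
            if grep -v '^[[:space:]]*#' "$file" | grep -qxF -- "$p"; then
                exit 0
            fi
        done
        exit 1
    }
}

# Builds the authorized_principals for one host: "<user>@<host>.allowed" for
# every user that may log in there. $1 = host, $2 = output file, rest = users
write_authorized_principals() {
    host=$1
    outfile=$2
    shift 2
    : > "$outfile"
    for u in "$@"; do
        printf '%s@%s.allowed\n' "$u" "$host" >> "$outfile"
    done
}

# Extracts the principal list from a certificate, comma-separated,
# from the "Principals:" section of ssh-keygen -L output.
cert_principals() {
    ssh-keygen -L -f "$1" \
        | awk '/^[ \t]*Principals:/ {f=1; next} /^[ \t]*Critical Options:/ {f=0} f {sub(/^[ \t]+/, ""); print}' \
        | paste -s -d , -
}

# End to end: one CA key, one user key, a certificate restricted to web1 and
# svn1, and a per-host authorized_principals on web1, svn1 and db1.
demo() {
    mkdir -p "$WORK/ca" "$WORK/user" "$WORK/web1" "$WORK/svn1" "$WORK/db1"
    ssh-keygen -q -t ed25519 -N '' -f "$WORK/ca/CAKey"
    ssh-keygen -q -t ed25519 -N '' -f "$WORK/user/user_key"
    # Sign as Damien describes: the principals name the hosts, not the CA
    ssh-keygen -q -s "$WORK/ca/CAKey" -I user1 \
        -n user1@web1.allowed,user1@svn1.allowed "$WORK/user/user_key.pub"
    for h in web1 svn1 db1; do
        write_authorized_principals "$h" "$WORK/$h/authorized_principals" user1 user2
    done
    # sshd_config fragment each host needs (printed, not installed)
    printf 'TrustedUserCAKeys /etc/ssh/CAKey.pub\nAuthorizedPrincipalsFile .ssh/authorized_principals\n'
    principals=$(cert_principals "$WORK/user/user_key-cert.pub")
    echo "certificate principals: $principals"
    for h in web1 svn1 db1; do
        if principal_allowed "$WORK/$h/authorized_principals" "$principals"; then
            echo "$h: user1 allowed"
        else
            echo "$h: user1 denied"
        fi
    done
}

if command -v ssh-keygen >/dev/null 2>&1; then
    demo
else
    echo "ssh-keygen not found; skipping certificate demo" >&2
fi
```

Running it prints "web1: user1 allowed", "svn1: user1 allowed" and "db1: user1 denied": db1 trusts the same CA, but its authorized_principals never lists user1@web1.allowed or user1@svn1.allowed. Two caveats for anyone deploying this. The per-host file still has to be generated per host, as write_authorized_principals does here, because sshd_config's %h token expands to the user's home directory, not the host name; later OpenSSH releases added AuthorizedPrincipalsCommand, which lets a script on each host return the accepted principals instead of maintaining files. And once AuthorizedPrincipalsFile (or the command) is configured, sshd requires a principal match; a certificate whose principals match nothing on that host is refused even though the CA is trusted, which is exactly the isolation Kevin asked for.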