Skip to main content

SSH Certificates

SSH Certificates is a excellent way of managing ssh access when there are more than a few servers to coordinate access to. Using certificates has several advantages

  1. It avoids the problem of adding and removing public ssh keys from the authorized_keys as users should be allowed and rejected access.

  2. It avoids the problem of adding the host keys to the known_hosts file of each user.

It also allows for more fine grained control over access since certificates can be issued with short lifetime.

Setting up ssh certificates consists of two parts, authenticate the host (server) to the user (client), and authenticate the user (client) to the host (server).

Create a SSH CA

First setup a ssh CA in strongbox and distribute it to all sites.

supctl create strongbox ssh ca <<EOF
name: remote-access
distribute:
  to: all
EOF

Show the CA public key.

supctl show strongbox ssh ca remote-access
name: remote-access
key-type: ecdsa
key-curve: nistp256
public-key64: |
  ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIP2JW4t0RIRZfgJd1VGjWpGbSSy1yNtXSBmERhLx47R7rqQTFwaNq/WMAOmsbzMimJOKXCVZo1Son/vM2hiZMk= strongbox
serial: 0

A ssh CA is essentially a key pair. By default a ECDSA key using the curve nistp256 will be created.

The CA public key has two uses, it is used by the host to validate user certificates when a user attempts to connect through ssh. The public key is also used to identify the host by the client, in place of the public keys sent by the server.

On the host the CA key should be added to the sshd_config file as TrustedUserCAKeys, ie

TrustedUserCAKeys /etc/ssh/ssh_user_key.pub

At the user the CA key should be added to the .ssh/known_hosts file as @cert-authority <domain/host> <ca-pub-key>, ie

@cert-authority * ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFrcy8daE4A9oMVbzu2QhE0dkjxC+JwlGvRV3h6F0GEu strongbox

Issue a host certificate

Now a certificate must be issued for each host. The certificates contains information about the host, ie host name, and a ttl for which it is valid.

supctl do strongbox ssh ca remote-access issue-cert --input - <<EOF
ttl: 1y
valid-principals: [ "h03", "192.168.0.1" ]
cert-type: host
EOF
ttl: 1y
valid-principals: [ "h03", "192.168.0.1" ]
cert-type: host
EOF
cert: |
  ecdsa-sha2-nistp256-cert-v01@openssh.com AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgH7VixzkCdIBsl+rRobGZkRQgG1yqm1UHFrU4ue+/tYUAAAAIbmlzdHAyNTYAAABBBCdjDuHNWPpkLyhCdksoLNl7rgJxOlySxxfs42oxmD6sbwnbTmTiV7puFCbnWLnDA11OxLDBSYb2R9ElxOzy76QAAAAAAAAAAQAAAAIAAAAkdXNlcnBhc3MtYWRtaW5AdGhlYXRlci1vcGVyYXRpb24uY29tAAAAFgAAAANoMDMAAAALMTkyLjE2OC4wLjEAAAAAAAAAAAAAAABjZTUwAAAAAAAAAIIAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAAGgAAAATZWNkc2Etc2hhMi1uaXN0cDI1NgAAAAhuaXN0cDI1NgAAAEEEg/Ylbi3REhFl+Al3VUaNakZtJLLXI21dIGYRGEvHjtHuupBMXBo2r9YwA6axvMyKYk4pcJVmjVKif+8zaGJkyQAAAGMAAAATZWNkc2Etc2hhMi1uaXN0cDI1NgAAAEgAAAAgFMN7kXE2bWY3UfSuIgavL1yWISj6gYJK6KSbWUlgw84AAAAgfXGfU4q+bJ5qO/1f1sK2AyY/Q45N01XC3dZ6vycSuEI= userpass-admin@theater-operation.com
public-key: |
  ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCdjDuHNWPpkLyhCdksoLNl7rgJxOlySxxfs42oxmD6sbwnbTmTiV7puFCbnWLnDA11OxLDBSYb2R9ElxOzy76Q= h03
private-key: |
  -----BEGIN OPENSSH PRIVATE KEY-----
  b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
  1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQQnYw7hzVj6ZC8oQnZLKCzZe64CcTpc
  kscX7ONqMZg+rG8J205k4le6bhQm51i5wwNdTsSwwUmG9kfRJcTs8u+kAAAAoG6SJrNuki
  azAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCdjDuHNWPpkLyhC
  dksoLNl7rgJxOlySxxfs42oxmD6sbwnbTmTiV7puFCbnWLnDA11OxLDBSYb2R9ElxOzy76
  QAAAAgZep4eUl1HlDa56bv0Eg5N0T7+tNBoXRV42Os+PXdPD8AAAAAAQIDBAUGBwg=
  -----END OPENSSH PRIVATE KEY-----
serial: 1

The certificate should be placed in a file, eg, /etc/ssh/ssh_host_key-cert.pub, the private key in another file, eg, /etc/ssh/ssh_host_key, and the public key in yet another file, eg. /etc/ssh/ssh_host_key.pub.

The ssh daemon should be configured to use these files, eg by adding the following to the sshd_config file.

HostKey /etc/ssh/ssh_host_key
HostCertificate /etc/ssh/ssh_host_key-cert.pub

Issue a user certificate

User certificates should be issued for users that should be able to access the system. It is recommended that they are short lived, ie, have a short ttl. That way they do not have to be revoked and should they go astray it is not a huge problem.

To issue a user certificate

supctl do strongbox ssh ca remote-access issue-cert --input - <<EOF
ttl: 1h
valid-principals: [ "joe" ]
cert-type: user
extensions: [ "permit-pty", "permit-X11-forwarding" ]
EOF
ttl: 1h
valid-principals: [ "joe" ]
cert-type: user
extensions: [ "permit-pty", "permit-X11-forwarding" ]
EOF
cert: |
  ecdsa-sha2-nistp256-cert-v01@openssh.com AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAg/vIHEvwcgmujp/3IlfjV90UH3HsvHIiobhG41Zj90ZcAAAAIbmlzdHAyNTYAAABBBDfpdVw/liUgwKFS3mZrqavf39phWJUmpavMDE1U/EEEwQfmRaoko46cMdlueHF7C77E6f1+vOOCK59nRz9CKO4AAAAAAAAAAgAAAAEAAAAkdXNlcnBhc3MtYWRtaW5AdGhlYXRlci1vcGVyYXRpb24uY29tAAAABwAAAANqb2UAAAAAAAAAAAAAAABhhBBwAAAAAAAAAC8AAAAKcGVybWl0LXB0eQAAAAAAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAAAAAAABoAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIP2JW4t0RIRZfgJd1VGjWpGbSSy1yNtXSBmERhLx47R7rqQTFwaNq/WMAOmsbzMimJOKXCVZo1Son/vM2hiZMkAAABkAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAABJAAAAIQCpbekqo4jMMCM0/XSIKRebj+nWuGgyTVjMMPbmBXQxGQAAACBtsWBdOYmRsiTao+nXO3zOlUotjNBvBsZbTuyrPJLAJw== userpass-admin@theater-operation.com
public-key: |
  ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDfpdVw/liUgwKFS3mZrqavf39phWJUmpavMDE1U/EEEwQfmRaoko46cMdlueHF7C77E6f1+vOOCK59nRz9CKO4= joe
private-key: |
  -----BEGIN OPENSSH PRIVATE KEY-----
  b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
  1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQQ36XVcP5YlIMChUt5ma6mr39/aYViV
  JqWrzAxNVPxBBMEH5kWqJKOOnDHZbnhxewu+xOn9frzjgiufZ0c/QijuAAAAoB2ieXodon
  l6AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDfpdVw/liUgwKFS
  3mZrqavf39phWJUmpavMDE1U/EEEwQfmRaoko46cMdlueHF7C77E6f1+vOOCK59nRz9CKO
  4AAAAhAMUVkjhlzOP2PYfDu1TlIt5OrAAZvU3L+JxsueE92D8hAAAAAAECAwQFBgc=
  -----END OPENSSH PRIVATE KEY-----
serial: 2

As for the host certificate the certificate, private key, and public key should be placed in separate files, eg, ~/.ssh/id-cert.pub, ~/.ssh/id, and ~/.ssh/id.pub.

They can be used directly as arguments to ssh when connecting to a host, ie

ssh -i ~/.ssh/id $hostname

ssh will automatically look for a certificate named <id>-cert.pub. The certificate can also configured in the ssh config file, eg, ~/.ssh/config as

Host *.example.com
    IdentifyFile ~/.ssh/id
    CertificateFile ~/.ssh/id-cert.pub

Roles

The use of ssh CA roles is to limit which certificates can be issued. This is useful if, for example, a user or application should only be allowed to issue certificates for a certain host, or domain.