SSH Certificates
SSH certificates are an excellent way of managing ssh access when there are more than a few servers to coordinate access to. Using certificates has several advantages:
- It avoids the problem of adding and removing public ssh keys from the `authorized_keys` file as users are granted or denied access.
- It avoids the problem of adding the host keys to the `known_hosts` file of each user.
- It also allows for more fine-grained control over access, since certificates can be issued with a short lifetime.
Setting up ssh certificates consists of two parts: authenticating the host (server) to the user (client), and authenticating the user (client) to the host (server).
Create a SSH CA
First set up a ssh CA in strongbox and distribute it to all sites.
```
supctl create strongbox ssh ca <<EOF
name: remote-access
distribute:
  to: all
EOF
```
Show the CA public key.
```
supctl show strongbox ssh ca remote-access
name: remote-access
key-type: ecdsa
key-curve: nistp256
public-key64: |
  ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIP2JW4t0RIRZfgJd1VGjWpGbSSy1yNtXSBmERhLx47R7rqQTFwaNq/WMAOmsbzMimJOKXCVZo1Son/vM2hiZMk= strongbox
serial: 0
```
An ssh CA is essentially a key pair. By default an ECDSA key on the nistp256 curve is created.
The CA public key has two uses. The host uses it to validate user certificates when a user attempts to connect through ssh, and the client uses it to identify the host, in place of the host public keys sent by the server.
On the host the CA key should be added to the `sshd_config` file as `TrustedUserCAKeys`, i.e.
```
TrustedUserCAKeys /etc/ssh/ssh_user_key.pub
```
On the client side the CA key should be added to the user's `.ssh/known_hosts` file as `@cert-authority <domain/host> <ca-pub-key>`, i.e.
```
@cert-authority * ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFrcy8daE4A9oMVbzu2QhE0dkjxC+JwlGvRV3h6F0GEu strongbox
```
Issue a host certificate
Now a certificate must be issued for each host. The certificate contains information about the host, i.e. the host name(s) it is valid for, and a ttl for which it is valid.
```
supctl do strongbox ssh ca remote-access issue-cert --input - <<EOF
ttl: 1y
valid-principals: [ "h03", "192.168.0.1" ]
cert-type: host
EOF
cert: |
  ecdsa-sha2-nistp256-cert-v01@openssh.com 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 userpass-admin@theater-operation.com
public-key: |
  ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCdjDuHNWPpkLyhCdksoLNl7rgJxOlySxxfs42oxmD6sbwnbTmTiV7puFCbnWLnDA11OxLDBSYb2R9ElxOzy76Q= h03
private-key: |
  -----BEGIN OPENSSH PRIVATE KEY-----
  b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
  1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQQnYw7hzVj6ZC8oQnZLKCzZe64CcTpc
  kscX7ONqMZg+rG8J205k4le6bhQm51i5wwNdTsSwwUmG9kfRJcTs8u+kAAAAoG6SJrNuki
  azAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCdjDuHNWPpkLyhC
  dksoLNl7rgJxOlySxxfs42oxmD6sbwnbTmTiV7puFCbnWLnDA11OxLDBSYb2R9ElxOzy76
  QAAAAgZep4eUl1HlDa56bv0Eg5N0T7+tNBoXRV42Os+PXdPD8AAAAAAQIDBAUGBwg=
  -----END OPENSSH PRIVATE KEY-----
serial: 1
```
The certificate should be placed in a file, e.g. `/etc/ssh/ssh_host_key-cert.pub`, the private key in another file, e.g. `/etc/ssh/ssh_host_key`, and the public key in yet another file, e.g. `/etc/ssh/ssh_host_key.pub`.
The ssh daemon should be configured to use these files, e.g. by adding the following to the `sshd_config` file.
```
HostKey /etc/ssh/ssh_host_key
HostCertificate /etc/ssh/ssh_host_key-cert.pub
```
Issue a user certificate
User certificates should be issued for users that should be able to access the system. It is recommended that they are short lived, i.e. have a short ttl. That way they do not have to be revoked, and should they go astray it is not a huge problem.
To issue a user certificate:
```
supctl do strongbox ssh ca remote-access issue-cert --input - <<EOF
ttl: 1h
valid-principals: [ "joe" ]
cert-type: user
extensions: [ "permit-pty", "permit-X11-forwarding" ]
EOF
cert: |
  ecdsa-sha2-nistp256-cert-v01@openssh.com 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 userpass-admin@theater-operation.com
public-key: |
  ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDfpdVw/liUgwKFS3mZrqavf39phWJUmpavMDE1U/EEEwQfmRaoko46cMdlueHF7C77E6f1+vOOCK59nRz9CKO4= joe
private-key: |
  -----BEGIN OPENSSH PRIVATE KEY-----
  b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
  1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQQ36XVcP5YlIMChUt5ma6mr39/aYViV
  JqWrzAxNVPxBBMEH5kWqJKOOnDHZbnhxewu+xOn9frzjgiufZ0c/QijuAAAAoB2ieXodon
  l6AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDfpdVw/liUgwKFS
  3mZrqavf39phWJUmpavMDE1U/EEEwQfmRaoko46cMdlueHF7C77E6f1+vOOCK59nRz9CKO
  4AAAAhAMUVkjhlzOP2PYfDu1TlIt5OrAAZvU3L+JxsueE92D8hAAAAAAECAwQFBgc=
  -----END OPENSSH PRIVATE KEY-----
serial: 2
```
As for the host certificate, the certificate, private key, and public key should be placed in separate files, e.g. `~/.ssh/id-cert.pub`, `~/.ssh/id`, and `~/.ssh/id.pub`.
They can be used directly as arguments to ssh when connecting to a host, i.e.
```
ssh -i ~/.ssh/id $hostname
```
ssh will automatically look for a certificate named `<id>-cert.pub`.
The certificate can also be configured in the ssh config file, e.g. `~/.ssh/config`, as
```
Host *.example.com
    IdentityFile ~/.ssh/id
    CertificateFile ~/.ssh/id-cert.pub
```
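As an added illustration (not strongbox code and not part of the original page), a small Python parser for the `-cert.pub` line that sshd and ssh read, pulling out the fields `issue-cert` sets above (cert type, serial, principals, validity window, extensions), plus a check a defender can run over issued user certificates to confirm the principal, the validity window and the short-ttl policy. The certificate input is constructed inline with a zeroed key and a dummy signature; the signature itself is not verified.

```python
import base64, struct

def _s(b):  # encode bytes as an SSH "string": uint32 big-endian length + bytes
    return struct.pack(">I", len(b)) + b

def _take(buf, pos):  # read one SSH "string" at pos -> (bytes, next_pos)
    n = struct.unpack(">I", buf[pos:pos + 4])[0]
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def _names(blob):  # nested list of SSH "string"s -> list of str
    out, p = [], 0
    while p < len(blob):
        name, p = _take(blob, p); out.append(name.decode())
    return out

def parse_cert(line):
    """Parse one *-cert.pub line into its fields. The signature is NOT verified here."""
    ctype, b64 = line.split()[:2]; buf = base64.b64decode(b64)
    _, pos = _take(buf, 0)                          # certificate type string
    _, pos = _take(buf, pos)                        # nonce
    if ctype.startswith("ecdsa-"):
        _, pos = _take(buf, pos)                    # curve name, ecdsa certs only
    _, pos = _take(buf, pos)                        # public key
    serial, kind = struct.unpack(">QI", buf[pos:pos + 12]); pos += 12
    key_id, pos = _take(buf, pos)
    princ, pos = _take(buf, pos)                    # valid principals
    after, before = struct.unpack(">QQ", buf[pos:pos + 16]); pos += 16
    _, pos = _take(buf, pos); ext, pos = _take(buf, pos)  # critical options, then extensions
    return {"type": {1: "user", 2: "host"}.get(kind, "unknown"), "serial": serial,
            "key_id": key_id.decode(), "principals": _names(princ), "valid_after": after,
            "valid_before": before, "extensions": _names(ext)[0::2]}  # (name, empty value) pairs

def check_cert(line, principal, now, max_ttl=3600):
    """(ok, reasons): is this a user cert sshd would accept for principal at time now, within max_ttl?"""
    c = parse_cert(line)
    reasons = [msg for bad, msg in (
        (c["type"] != "user", "not a user certificate"),
        (principal not in c["principals"], "principal %r not in %s" % (principal, c["principals"])),
        (not c["valid_after"] <= now < c["valid_before"], "outside validity window"),
        (c["valid_before"] - c["valid_after"] > max_ttl, "lifetime exceeds max ttl")) if bad]
    return not reasons, reasons

def build_cert(key_id, principals, kind, after, before, extensions=()):
    # Constructed ed25519-type cert with zeroed key, nonce and signature: demo input only.
    blob = b"".join([_s(b"ssh-ed25519-cert-v01@openssh.com"), _s(b"\0" * 32), _s(b"\0" * 32),
                     struct.pack(">QI", 2, 1 if kind == "user" else 2), _s(key_id.encode()),
                     _s(b"".join(_s(p.encode()) for p in principals)), struct.pack(">QQ", after, before),
                     _s(b""), _s(b"".join(_s(e.encode()) + _s(b"") for e in extensions)),
                     _s(b""), _s(b"\0" * 51), _s(b"\0" * 83)])
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(blob).decode() + " demo"
```

`parse_cert` accepts the ecdsa certificates strongbox issues above as well as the constructed ed25519 sample; `ssh-keygen -L -f <cert>` prints the same fields for a real certificate.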
Roles
ssh CA roles limit which certificates can be issued. This is useful if, for example, a user or application should only be allowed to issue certificates for a certain host or domain.