certificate authentication

The basic instructions are coming from How to Generate and Configure SSH Certificate-based Authentication

Information on using a yubikey for the CA can be found at https://gist.github.com/jamesog/b156c7a85e7f95046ca8b95f6f857f70

Complicated PKI stuff.

• blah blah host signing key pair

• user signing key pair

create the CA keypair

The first set will be for signing host keys.

• The rsa key type is not required, better keys work too

• -C host_ca is a comment, and I think that’s weak sauce.

• If rsa keys are used, make sure to use a bigger keysize like -b 4096

ssh-keygen -t ed25519 -f host_ca -C host_ca

And the pair for signing the user certs:

ssh-keygen -t ed25519 -f user_ca -C user_ca

create a host key and sign it

Generate the key with ssh-keygen:

ssh-keygen -f ssh_host_key -N '' -t ed25519

And finally sign it.

• -I hostname is the certificate’s identity, using the hostname makes management easier

• -n hostname is a comma-separated list of principals that will be valid, FQDN and/or short names that you’ll be using are the proper values

• -V +52w is the validity period, in thie case 52 weeks, if unset they will be valid forever

ssh-keygen -s host_ca -I host.wafflelab.online -h -n host.wafflelab.online,host -V +52w ssh_host_key.pub

Add the following to the server’s sshd_config and make sure to load the private key as well:

HostCertificate /etc/ssh/ssh_host_key-cert.pub
HostKey /etc/ssh/ssh_host_key

Warning

Using the Hostname option in your ssh config file for a host can cause a mismatch between the host and the principals. For instance, I have the IP address for a host in the Hostname field, so SSHing to the system’s hostname causes a mismatch. Commenting out that configuration option “fixes” the issue (as would adding the IP address to the principals).

check the host cert

Add the following to your known_hosts file to specify the public CA cert as one to use as a cert-authority:

@cert-authority HOSTNAME ssh-ed25519 ...

Change HOSTNAME to something that identifies the hosts that will use that CA.

create a user key and sign it

Generate the key as usual:

ssh-keygen -f USER-user-key -t ed25519

And sign it:

ssh-keygen -s user_ca -I USERNAME -n USERNAME -V +1d USER-user-key.pub

• -s user_ca is the key to sign with

• -I USERNAME is something to identify the key, a username or email address makes it easy

• -n USERNAME the accounts the user can use to login with

• -V 1d is the validity time, a short one is preferable

adjust the user’s config

CertificateFile and IdentityFile should be added to your .ssh/config file for the appropriate host. These will be passed to the server for authentication and verification.

CertificateFile ~/.ssh/id_ed25591-cert.pub
IdentityFile ~/.ssh/id_ed25519

check the options that a key was signed with

ssh-keygen -L -f USER-user-key.pub

add the user_ca.pub file to the server’s sshd_config

Add the following to the /etc/sshd_config:

TrustedUserCAKeys /etc/ssh/user_ca.pub

Of course, you’ll have to copy this CA file to the specified location.