certificate authentication

The basic instructions come from How to Generate and Configure SSH Certificate-based Authentication

Information on using a yubikey for the CA can be found at https://gist.github.com/jamesog/b156c7a85e7f95046ca8b95f6f857f70

Complicated PKI stuff. The CA is really two separate signing key pairs, one per certificate type:

  • a host signing key pair, used to sign host keys (what clients check when they connect)

  • a user signing key pair, used to sign user keys (what sshd checks at login)

create the CA keypair

The first pair is for signing host keys.

  • The key type does not have to be rsa; ed25519 (used below) is preferable

  • -C host_ca is only a comment stored in the public key file, and I think that’s weak sauce

  • If rsa keys are used, make sure to use a bigger key size such as -b 4096

ssh-keygen -t ed25519 -f host_ca -C host_ca

And the pair for signing the user certs:

ssh-keygen -t ed25519 -f user_ca -C user_ca

create a host key and sign it

Generate the key with ssh-keygen:

ssh-keygen -f ssh_host_key -N '' -t ed25519

And finally sign it.

  • -I hostname is the certificate’s identity (key id); using the hostname makes management easier, and it is what shows up in sshd’s logs

  • -h marks this as a host certificate rather than a user certificate

  • -n hostname is a comma-separated list of principals that will be valid; the FQDN and/or short names you’ll actually be typing into ssh are the proper values

  • -V +52w is the validity period, in this case 52 weeks; if unset the certificate is valid forever

ssh-keygen -s host_ca -I host.wafflelab.online -h -n host.wafflelab.online,host -V +52w ssh_host_key.pub

This writes the certificate to ssh_host_key-cert.pub next to the key. Add the following to the server’s sshd_config, pointing HostCertificate at the certificate file (not the plain public key), and make sure the matching private key is loaded as well:

HostCertificate /etc/ssh/ssh_host_key-cert.pub
HostKey /etc/ssh/ssh_host_key

Warning

Using the Hostname option in your ssh config file for a host can cause a mismatch between the host and the principals. For instance, I have the IP address for a host in the Hostname field, so SSHing to the system’s hostname causes a mismatch. Commenting out that configuration option “fixes” the issue (as would adding the IP address to the principals).

create a user key and sign it

Generate the key as usual:

ssh-keygen -f USER-user-key -t ed25519

And sign it:

ssh-keygen -s user_ca -I USERNAME -n USERNAME -V +1d USER-user-key.pub

  • -s user_ca is the key to sign with

  • -I USERNAME is something to identify the key; a username or email address makes it easy

  • -n USERNAME is the list of accounts the user can log in as

  • -V +1d is the validity time, in this case one day; a short one is preferable

The certificate is written to USER-user-key-cert.pub. ssh picks it up automatically when it sits next to the private key it was issued for.

check the options that a key was signed with

ssh-keygen -L -f USER-user-key-cert.pub
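The fields ssh-keygen -L prints (type, key id, principals, validity window) are just the length-prefixed fields of the certificate blob laid out in OpenSSH’s PROTOCOL.certkeys. The following is an added example, not part of the original notes: it decodes those fields from a *-cert.pub line and then applies the same principal and validity checks a client applies to a host certificate, which is exactly where the Hostname mismatch from the warning above comes from. The sample certificate is constructed inline with zeroed key and signature bytes (assumption: only the field layout matters here), so nothing in it verifies a signature; use ssh-keygen -L or sshd for that.

```python
"""Decode the fields of an OpenSSH certificate (the *-cert.pub file that
ssh-keygen -s writes) without calling ssh-keygen.  Added example, not part
of the original notes.  Wire format per OpenSSH's PROTOCOL.certkeys; the
sample certificate is constructed with dummy keys and a dummy signature
and is never signature-checked."""
import base64
import struct

CERT_TYPE_USER, CERT_TYPE_HOST = 1, 2
FOREVER = 0xFFFFFFFFFFFFFFFF  # valid_before used by ssh-keygen when -V is unset


def _pack_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4 : off + 4 + n], off + 4 + n


def _read_strings(buf: bytes):
    """Principals are packed as consecutive SSH strings inside one string."""
    out, off = [], 0
    while off < len(buf):
        s, off = _read_string(buf, off)
        out.append(s.decode())
    return out


def build_cert_line(key_id, principals, cert_type, valid_after, valid_before, comment="demo"):
    """Build an ed25519 certificate line in the layout ssh-keygen uses.
    Constructed data: 32 zero bytes stand in for the subject key and CA key,
    64 zero bytes for the signature (assumption: layout only, not a real cert)."""
    blob = b"".join([
        _pack_string(b"ssh-ed25519-cert-v01@openssh.com"),
        _pack_string(b"\x00" * 32),                      # nonce
        _pack_string(b"\x00" * 32),                      # subject public key
        struct.pack(">Q", 0),                            # serial
        struct.pack(">I", cert_type),                    # 1 = user, 2 = host
        _pack_string(key_id.encode()),                   # -I
        _pack_string(b"".join(_pack_string(p.encode()) for p in principals)),  # -n
        struct.pack(">Q", valid_after),                  # -V start
        struct.pack(">Q", valid_before),                 # -V end
        _pack_string(b""),                               # critical options
        _pack_string(b""),                               # extensions
        _pack_string(b""),                               # reserved
        _pack_string(_pack_string(b"ssh-ed25519") + _pack_string(b"\x00" * 32)),  # CA key
        _pack_string(_pack_string(b"ssh-ed25519") + _pack_string(b"\x00" * 64)),  # signature
    ])
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(blob).decode() + " " + comment


def parse_cert_line(line: str) -> dict:
    """Decode the fields ssh-keygen -L shows: type, key id, principals, validity."""
    _kind, b64 = line.split()[:2]
    buf = base64.b64decode(b64)
    off = 0
    cert_kind, off = _read_string(buf, off)
    _nonce, off = _read_string(buf, off)
    _pubkey, off = _read_string(buf, off)
    serial, cert_type = struct.unpack_from(">QI", buf, off)
    off += 12
    key_id, off = _read_string(buf, off)
    principals, off = _read_string(buf, off)
    valid_after, valid_before = struct.unpack_from(">QQ", buf, off)
    return {
        "type": cert_kind.decode(),
        "cert_type": "host" if cert_type == CERT_TYPE_HOST else "user",
        "serial": serial,
        "key_id": key_id.decode(),
        "principals": _read_strings(principals),
        "valid_after": valid_after,
        "valid_before": valid_before,
    }


def check_host_cert(cert: dict, name_dialed: str, now: int):
    """Mirror the client's decision: the name it dialed (HostName, not the
    alias in ssh_config) must be a principal and the clock must fall inside
    [valid_after, valid_before).  Returns (accepted, reason)."""
    if cert["cert_type"] != "host":
        return False, "not a host certificate"
    if not (cert["valid_after"] <= now < cert["valid_before"]):
        return False, "outside validity period"
    if name_dialed not in cert["principals"]:
        return False, f"{name_dialed!r} is not among principals {cert['principals']}"
    return True, "ok"


if __name__ == "__main__":
    import time
    now = int(time.time())
    line = build_cert_line("host.wafflelab.online", ["host.wafflelab.online", "host"],
                           CERT_TYPE_HOST, now - 60, now + 52 * 7 * 86400)
    cert = parse_cert_line(line)
    print(cert["key_id"], cert["principals"])
    # The IP address is what ssh_config's Hostname makes the client dial, so it fails.
    for name in ("host.wafflelab.online", "host", "192.0.2.10"):
        print(name, check_host_cert(cert, name, now))
```

The last loop reproduces the warning: with Hostname set to an IP address the client dials "192.0.2.10", which is not in the principal list, so the certificate is rejected even though the host is the right one; adding the IP to -n or dropping the Hostname override makes it pass.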

add the user_ca.pub file to the server’s sshd_config

Add the following to /etc/ssh/sshd_config:

TrustedUserCAKeys /etc/ssh/user_ca.pub

Of course, you’ll have to copy that file to that location. Only the public half belongs on the server; the user_ca private key stays wherever the signing is done.