Certificate Based SSH User Authentication

An OpenSSH server can authenticate users with certificates: a certificate authority (CA) key signs each user's public key, and every server that trusts the CA accepts the resulting certificate without needing a per-user authorized_keys entry. This post describes how to set that up.


Setting Up Certificate Authority Infrastructure



CA Machine

  • Generate the CA key pair (user_ca) that will sign user ssh keys. Give it a passphrase and keep the private half off the ssh servers: anyone who holds user_ca can issue certificates that every server trusting it will accept.

root@CA:~# ssh-keygen -f user_ca
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in user_ca.
Your public key has been saved in user_ca.pub.
The key fingerprint is:
b3:af:e8:ef:c4:5d:90:f8:be:16:99:74:f2:39:3a:3e root@CA
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|         . .     |
|        . o      |
|         .o..    |
|        S..*..   |
|       . =+.+    |
|        + oo .   |
|       o .E.     |
|     .oo+++o     |
+-----------------+
root@CA:~# ls
user_ca  user_ca.pub

Server Machine

  • Transfer the CA public key (user_ca.pub, never the private key) to each ssh server, add it as the trusted user CA key in sshd_config, check the configuration with sshd -t and restart the OpenSSH server

# vi /etc/ssh/sshd_config

TrustedUserCAKeys /etc/ssh/user_ca.pub


Authorizing SSH Users



Client Machine

  • user1 generates an ssh key pair. A passphrase is not required for certificate authentication (it only encrypts the private key on disk and the server never sees it), but use one: the certificate will make this key accepted by every server that trusts the CA for its whole validity period.

user1@client1:~$ ssh-keygen -trsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user1/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user1/.ssh/id_rsa.
Your public key has been saved in /home/user1/.ssh/id_rsa.pub.
The key fingerprint is:
6f:d0:27:36:69:80:e4:ad:0c:5c:f9:d9:d8:af:a9:8d user1@client1
The key's randomart image is:
+---[RSA 2048]----+
|      o.         |
|   . +.o         |
|    o o.o=       |
|     o .+oo.     |
|      o S B..    |
|         = +.    |
|          oo     |
|         +o      |
|        E..      |
+-----------------+

  • The public key (id_rsa.pub only; the private key never leaves the client) is transferred to the CA to be signed with the user_ca private key

user1@client1:~$ scp .ssh/id_rsa.pub root@CA:~/user1_id_rsa.pub
root@ca's password:
id_rsa.pub                                                                                                                               100%  395     0.4KB/s   00:00    

CA Machine

  • The CA signs the user's public key: -s names the CA private key, -I is the key identity that sshd records in its log, -n lists the principals (login names) the certificate is valid for, and -V sets the validity period. With TrustedUserCAKeys the login name must appear in the principal list, and once issued a certificate remains valid until -V expires unless the servers are told to revoke it, so choose the validity period accordingly.

ssh-keygen -s user_ca -I user_user1 -n user1 -V +52w user1_id_rsa.pub
Signed user key user1_id_rsa-cert.pub: id "user_user1" serial 0 for user1 valid from 2014-12-30T16:18:00 to 2015-12-29T16:19:57

Client Machine

  • The signed certificate is transferred back to the client and saved as id_rsa-cert.pub beside the private key. That is the name ssh looks for on its own when it offers id_rsa, and it leaves the plain id_rsa.pub intact; before testing, inspect the certificate with ssh-keygen -L -f ~/.ssh/id_rsa-cert.pub to confirm the principals and validity window.

user1@client1:~$ scp root@CA:~/user1_id_rsa-cert.pub .ssh/id_rsa-cert.pub
root@ca's password: 


Testing the result


Client Machine

  • Once the above is completed user1 can log in to server1 without a server-side password and without any entry in server1's authorized_keys, since sshd trusts the CA that signed the certificate. The client still prompts for the key's passphrase unless the key is held in ssh-agent.

user1@client1:~$ ssh user1@server1
Enter passphrase for key '/home/user1/.ssh/id_rsa':
Welcome to Ubuntu Vivid Vervet (development branch) (GNU/Linux 3.13.0-43-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

user1@server1:~$
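What sshd evaluated before accepting that login is the content of user1's certificate: the certificate type, the validity window set with -V and the principal list set with -n, all checked before the CA signature is verified against TrustedUserCAKeys. The script below is an added example and not code from the original post or from OpenSSH: it decodes the *-cert.pub line that ssh-keygen -s writes (the wire layout from OpenSSH's PROTOCOL.certkeys) and applies the same pre-signature checks sshd uses when no AuthorizedPrincipalsFile is configured. To run offline it builds its own sample certificate with dummy key material and an empty signature field, mirroring the post's -I user_user1 -n user1 -V +52w; the 2014 start time is the post's "valid from" stamp taken as UTC, which is an assumption, and signature verification is deliberately left to sshd.

```python
"""Decode an OpenSSH *-cert.pub user certificate and run sshd's pre-signature checks."""
import base64

CERT_TYPE = b"ssh-rsa-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1   # host certificates (type 2) are refused for user auth


def _string(b: bytes) -> bytes:   # RFC 4251 string: uint32 length + bytes
    return len(b).to_bytes(4, "big") + b


def _mpint(n: int) -> bytes:      # RFC 4251 mpint; the extra byte keeps it positive
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big") if n else b"")


class Reader:
    """Sequential decoder over a certificate blob (RFC 4251 types)."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        chunk, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        if len(chunk) != n:
            raise ValueError("truncated certificate")
        return chunk

    def uint(self, width: int) -> int:          # uint32 (width 4) or uint64 (8)
        return int.from_bytes(self.take(width), "big")

    def string(self) -> bytes:
        return self.take(self.uint(4))

    def strings(self) -> list:                  # a string wrapping a string list
        inner, out = Reader(self.string()), []
        while inner.pos < len(inner.data):
            out.append(inner.string())
        return out

    def options(self) -> dict:
        # (name, data) pairs; data is empty for a flag, a nested string if it has a value
        items = self.strings()
        return {n.decode(): Reader(d).string().decode() if d else ""
                for n, d in zip(items[::2], items[1::2])}


def parse_cert(line: str) -> dict:
    """Parse one *-cert.pub line: '<type> <base64 blob> [comment]'."""
    parts = line.split()
    r = Reader(base64.b64decode(parts[1]))
    if parts[0].encode() != CERT_TYPE or r.string() != CERT_TYPE:
        raise ValueError("not a %s line" % CERT_TYPE.decode())
    cert = {"nonce": r.string(), "e": int.from_bytes(r.string(), "big"),
            "n": int.from_bytes(r.string(), "big"), "serial": r.uint(8), "type": r.uint(4),
            "key_id": r.string().decode(), "principals": [p.decode() for p in r.strings()],
            "valid_after": r.uint(8), "valid_before": r.uint(8),
            "critical_options": r.options(), "extensions": r.options()}
    # reserved (empty), CA public key blob (user_ca.pub), signature (sshd verifies it)
    _, cert["signature_key"], cert["signature"] = r.string(), r.string(), r.string()
    return cert


def check_cert(cert: dict, login_user: str, now: int):
    """sshd's pre-signature checks: under TrustedUserCAKeys the login name must be a -n principal."""
    for bad, reason in ((cert["type"] != SSH_CERT_TYPE_USER, "not a user certificate"),
                        (now < cert["valid_after"], "not yet valid"),
                        (now >= cert["valid_before"], "expired"),
                        (not cert["principals"], "lacks principal list"),
                        (login_user not in cert["principals"], "not a listed principal")):
        if bad:
            return False, reason
    return True, "ok"


def build_user_cert(key_id: str, principals: list, valid_after: int,
                    valid_before: int, serial: int = 0) -> str:
    """Constructed sample: dummy RSA moduli, zero nonce, empty signature, default extensions."""
    user_n, ca_n = (1 << 2047) + 12345, (1 << 2047) + 67890   # not real keys
    ca_blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint(ca_n)
    exts = ("permit-X11-forwarding", "permit-agent-forwarding",   # ssh-keygen's defaults
            "permit-port-forwarding", "permit-pty", "permit-user-rc")
    body = (_string(CERT_TYPE) + _string(bytes(32)) + _mpint(65537) + _mpint(user_n)
            + serial.to_bytes(8, "big") + SSH_CERT_TYPE_USER.to_bytes(4, "big")
            + _string(key_id.encode()) + _string(b"".join(_string(p.encode()) for p in principals))
            + valid_after.to_bytes(8, "big") + valid_before.to_bytes(8, "big") + _string(b"")
            + _string(b"".join(_string(e.encode()) + _string(b"") for e in exts))
            + _string(b"") + _string(ca_blob) + _string(b""))   # reserved, CA key, signature
    return "%s %s user1@client1" % (CERT_TYPE.decode(), base64.b64encode(body).decode())


# Mirrors the post's "-I user_user1 -n user1 -V +52w"; start = its "valid from" stamp as UTC (assumed)
VALID_AFTER = 1419956280                      # 2014-12-30T16:18:00Z
VALID_BEFORE = VALID_AFTER + 52 * 7 * 86400
SAMPLE_CERT = build_user_cert("user_user1", ["user1"], VALID_AFTER, VALID_BEFORE)

if __name__ == "__main__":
    for user, when in ("user1", VALID_AFTER + 1), ("user2", VALID_AFTER + 1), ("user1", VALID_BEFORE):
        print(user, when, check_cert(parse_cert(SAMPLE_CERT), user, when))
```

Run as a script it shows user1 accepted inside the window, user2 refused as an unlisted principal and user1 refused once the certificate has expired. Point parse_cert at the line from a real ~/.ssh/id_rsa-cert.pub to see the same fields ssh-keygen -L prints, including the permit-* extensions the CA granted by default; the order of the checks follows sshd, which rejects on type and validity before it even looks at the principals.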

REF: http://blog.habets.pp.se/2011/07/OpenSSH-certificates

Published by

Chandan Dutta Chowdhury

Software Engineer
