An SSH server can authenticate users based on certificates instead of individually distributed public keys. This post describes how to set up user authentication using certificates signed by your own certificate authority (CA).
Setting Up Certificate Authority Infrastructure
CA Machine
- Generate the CA key (user_ca) that will sign user ssh keys

    root@CA:~# ssh-keygen -f user_ca
    Generating public/private rsa key pair.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in user_ca.
    Your public key has been saved in user_ca.pub.
    The key fingerprint is:
    b3:af:e8:ef:c4:5d:90:f8:be:16:99:74:f2:39:3a:3e root@CA
    The key's randomart image is:
    +---[RSA 2048]----+
    |                 |
    | . .             |
    | . o             |
    | .o..            |
    | S..*..          |
    | . =+.+          |
    | + oo .          |
    | o .E.           |
    | .oo+++o         |
    +-----------------+
    root@CA:~# ls
    user_ca  user_ca.pub
Server Machine
- Transfer the CA public key (user_ca.pub) to each ssh server machine, add it as a trusted user CA key in sshd_config and restart the openssh server

    # vi /etc/ssh/sshd_config
    TrustedUserCAKeys /etc/ssh/user_ca.pub
Authorizing SSH Users
Client Machine
- An ssh key pair is generated for user1 (make sure to set a passphrase on the key, otherwise it will be rejected during authentication)

    user1@client1:~$ ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/user1/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/user1/.ssh/id_rsa.
    Your public key has been saved in /home/user1/.ssh/id_rsa.pub.
    The key fingerprint is:
    6f:d0:27:36:69:80:e4:ad:0c:5c:f9:d9:d8:af:a9:8d user1@client1
    The key's randomart image is:
    +---[RSA 2048]----+
    | o.              |
    | . +.o           |
    | o o.o=          |
    | o .+oo.         |
    | o S B..         |
    | = +.            |
    | oo              |
    | +o              |
    | E..             |
    +-----------------+
- The ssh public key is transferred to the CA to be signed with the user_ca private key

    user1@client1:~$ scp .ssh/id_rsa.pub root@CA:~/user1_id_rsa.pub
    root@ca's password:
    id_rsa.pub                                    100%  395     0.4KB/s   00:00
CA Machine
- The user's ssh public key is signed by the CA; -I sets the key identity that appears in the server logs, -n the principal (login name) the certificate is valid for, and -V the validity period

    ssh-keygen -s user_ca -I user_user1 -n user1 -V +52w user1_id_rsa.pub
    Signed user key user1_id_rsa-cert.pub: id "user_user1" serial 0 for user1 valid from 2014-12-30T16:18:00 to 2015-12-29T16:19:57
Client Machine
- The signed certificate is transferred back to the client (here it is saved over .ssh/id_rsa.pub; ssh also picks it up automatically under the conventional name .ssh/id_rsa-cert.pub)

    user1@client1:~$ scp root@CA:~/user1_id_rsa-cert.pub .ssh/id_rsa.pub
    root@ca's password:
Testing the result
Client Machine
- Once the above is completed, user1 can log in to server1 without the account password; only the passphrase of the local key is prompted for

    user1@client1:~$ ssh user1@server1
    Enter passphrase for key '/home/user1/.ssh/id_rsa':
    Welcome to Ubuntu Vivid Vervet (development branch) (GNU/Linux 3.13.0-43-generic x86_64)

     * Documentation:  https://help.ubuntu.com/

    The programs included with the Ubuntu system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
    applicable law.

    user1@server1:~$
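To see what sshd actually checks when it accepts the certificate produced above (key id, principals, validity window, and which CA signed it), here is an added example, not code from the original post: a small Python parser for the RSA certificate format written by ssh-keygen, plus the admission check a server applies. The certificate it parses is constructed in the code itself with dummy key material (the values mirror the ssh-keygen output above, timestamps taken as UTC), so only the layout is realistic; signature verification is left to sshd.

```python
import base64, calendar, hashlib, struct
CERT_TYPE = b"ssh-rsa-cert-v01@openssh.com"   # RSA layout only; other key types differ after the nonce
USER_CERT = 1                                 # SSH2_CERT_TYPE_USER (host certificates are type 2)

def _string(b):                               # SSH wire "string": uint32 big-endian length + bytes
    return struct.pack(">I", len(b)) + b
def _read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_user_cert(line):
    """Parse one *-cert.pub line into the fields sshd evaluates (the CA signature itself is left to sshd)."""
    kind, b64 = line.split()[:2]
    if kind.encode() != CERT_TYPE:
        raise ValueError("unsupported certificate type: " + kind)
    buf, off = base64.b64decode(b64), 0
    for _ in range(4):                        # type name, nonce, RSA e, RSA n
        _, off = _read_string(buf, off)
    serial, cert_type = struct.unpack_from(">QI", buf, off); off += 12
    key_id, off = _read_string(buf, off)      # the -I value, logged by sshd on every login
    principals_blob, off = _read_string(buf, off)
    valid_after, valid_before = struct.unpack_from(">QQ", buf, off); off += 16
    for _ in range(3):                        # critical options, extensions, reserved
        _, off = _read_string(buf, off)
    signature_key, off = _read_string(buf, off)   # public key of the signing CA (user_ca.pub)
    principals, p = [], 0
    while p < len(principals_blob):           # "valid principals" is a packed list of strings (-n)
        name, p = _read_string(principals_blob, p); principals.append(name.decode())
    ca_fp = base64.b64encode(hashlib.sha256(signature_key).digest()).rstrip(b"=").decode()
    return {"serial": serial, "type": cert_type, "key_id": key_id.decode(), "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before, "ca_fingerprint": "SHA256:" + ca_fp}

def admits(cert, user, now):
    """Return None if the certificate admits `user` at unix time `now`, else the reason it does not."""
    if cert["type"] != USER_CERT: return "not a user certificate"
    if user not in cert["principals"]: return user + " is not a listed principal"
    if not cert["valid_after"] <= now < cert["valid_before"]: return "outside validity window"
    return None

def sample_cert_line():
    """Constructed certificate with the values ssh-keygen printed above (id user_user1, serial 0, principal
    user1, valid 2014-12-30T16:18:00 to 2015-12-29T16:19:57 as UTC); key material and signature are dummy bytes."""
    after = calendar.timegm((2014, 12, 30, 16, 18, 0))
    before = calendar.timegm((2015, 12, 29, 16, 19, 57))
    dummy_ca = _string(b"ssh-rsa") + _string(b"\x01\x00\x01") + _string(b"\x00" + b"\xbb" * 256)
    body = (_string(CERT_TYPE) + _string(b"\x00" * 32) + _string(b"\x01\x00\x01") + _string(b"\x00" + b"\xaa" * 256)
            + struct.pack(">QI", 0, USER_CERT) + _string(b"user_user1") + _string(_string(b"user1"))
            + struct.pack(">QQ", after, before) + _string(b"") * 3
            + _string(dummy_ca) + _string(_string(b"ssh-rsa") + _string(b"\xcc" * 256)))
    return "ssh-rsa-cert-v01@openssh.com " + base64.b64encode(body).decode() + " user1@client1"
```

On a real server the same fields can be inspected with `ssh-keygen -L -f user1_id_rsa-cert.pub`, and the CA fingerprint printed there should match `ssh-keygen -lf /etc/ssh/user_ca.pub`.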