ssh certificate usage

Iain Morgan imorgan at nas.nasa.gov
Wed Apr 28 07:51:34 EST 2010


On Tue, Apr 27, 2010 at 13:49:19 -0500, Hans wrote:
> I am trying to find out how I can use the new self-signed certificates.
> So what I read in the man pages, it should be something like:
> 
> client:
> 1) ssh-keygen -f ca_rsa	  # generate a ssh keypair for use as a certificate
> 
> Server(s):
> 2) make sure your /etc/ssh/sshd_config has TrustedUserCAKeys assigned
> TrustedUserCAKeys  /etc/ssh/sshcakeys       # or whatever name or location you like

TrustedUserCAKeys is really intended for specifying system-wide CA keys
such as you would use if your organization were generating certs for
users. For user-generated certs, you would simply add the appropriate
entry to the user's ~/.ssh/authorized_keys file on the servers.

Note that using TrustedUserCAKeys also impacts how the user certificate
is generated. If you use TrustedUserCAKeys, the certificates MUST have a
principal specified.

> 
> 3) edit /etc/ssh/sshcakeys and add the contents of ca_rsa.pub in it
> 
> Client:
> 4) for a user generate a certificate of its public key
>   ssh-keygen -s ca_rsa -I keyid -n user id_rsa.pub
> This will generate an id_rsa-cert.pub certificate file
> 
> Client:
> 5) ssh user@server        # connect to server using the certificate
> 
> Is this correct or did I miss something ?

Other than the comment above regarding the use of TrustedUserCAKeys,
this looks reasonable. Note that with user-generated certs, the CA
should really be listed in the user's ~/.ssh/authorized_keys file and
should have the 'cert-authority' tag.

> 
> Is it also possible to disable the plain public key authentication and
> only accept certificate authentication (can't find an option for this
> in sshd_config)

Since certificate-based authentication is really just an extension to
classic public-key authentication, you can't turn off public-key auth
without also turning off certificate support.

However, if you are using a centralized CA (and thus TrustedUserCAKeys),
you could effectively disable classic pubkey auth by specifying a
different path for the authorized_keys file, i.e.:

	AuthorizedKeysFile	/dev/null

or

	AuthorizedKeysFile	/etc/ssh/authorized_keys/%u

The latter would make it possible to have exceptions to the general
case.

> 
> thx
> 
> Hans

-- 
Iain Morgan
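
The steps discussed in this thread, as an added example that is not part of either message: it signs a user key with the `keyid` and `user` values from step 4, writes the `cert-authority` entry for the user-generated case beside the bare-key file for the TrustedUserCAKeys case, and reads the principal and signing CA back out of the certificate. The ed25519 key type, the file names `ca_key` and `id_user`, the one-day validity and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Key type, file names and the one-day
# validity are assumptions; "keyid" and principal "user" come from step 4.

# Create a CA key and a user key in directory $1, sign the user key, and write
# the two server-side trust files the thread distinguishes.
make_demo() {
    dir=$1
    ssh-keygen -q -t ed25519 -N '' -C 'demo CA' -f "$dir/ca_key" || return 1
    ssh-keygen -q -t ed25519 -N '' -C 'demo user' -f "$dir/id_user" || return 1
    # -n sets the principal, -V limits the lifetime; writes id_user-cert.pub
    ssh-keygen -q -s "$dir/ca_key" -I keyid -n user -V +1d "$dir/id_user.pub" || return 1
    # User-generated CA: line for ~/.ssh/authorized_keys, tagged cert-authority
    printf 'cert-authority %s\n' "$(cat "$dir/ca_key.pub")" > "$dir/authorized_keys"
    # System-wide CA: the file named by TrustedUserCAKeys holds the bare key
    cat "$dir/ca_key.pub" > "$dir/sshcakeys"
}

# Print the principals listed in certificate $1, one per line.
cert_principals() {
    ssh-keygen -L -f "$1" |
        awk '/Principals:/ {p=1; next} /Critical Options:/ {p=0} p {print $1}'
}

# Print the fingerprint of the CA key that signed certificate $1.
cert_ca_fingerprint() {
    ssh-keygen -L -f "$1" | awk '/Signing CA:/ {print $4}'
}

# Run as: sh demo.sh /path/to/new/empty/dir
if [ "$#" -gt 0 ]; then
    make_demo "$1" && ssh-keygen -L -f "$1/id_user-cert.pub"
fi
```

Comparing the output of `cert_ca_fingerprint` with `ssh-keygen -l -f ca_key.pub` confirms which CA a certificate chains to before its key is trusted on a server.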

