ssh certificate usage

Damien Miller djm at
Wed Apr 28 14:41:30 EST 2010

On Tue, 27 Apr 2010, Hans wrote:

> I am trying to find out how I can use the new self-signed certificates
> So what I read in the man pages, it should be something like:
> client:
> 1) ssh-keygen -f ca_rsa	  # generate a ssh keypair for use as a certificate
> Server(s):
> 2) make sure your /etc/ssh/sshd_config has TrustedUserCAKeys assigned
> TrustedUserCAKeys  /etc/ssh/sshcakeys       # or whatever name or
> location you like
> 3) edit /etc/ssh/sshcakeys and add the contents of in it
> Client:
> 4) for a user generate a certificate of its public key
>   ssh-keygen -s ca_rsa -I keyid -n user
> This will generate a certificate file
> Client:
> 5) ssh user@server        # connect to server using the certificate
> Is this correct or did I miss something?

That is it in a nutshell. You should specify a validity period for the
certificates in step #3. Since our revocation implementation is weak at
the moment, it is best to use short-lived certificates that are refreshed
frequently (and hopefully through an easy process for the user).

Also, if you want to try out certificates without touching sshd_config
(e.g. if you don't have superuser access), then you can specify trusted
CA keys on a per-user basis in authorized_keys using the "cert-authority"
key option:

cert-authority ssh-rsa AAA.....

> Is it also possible to disable the plain public key authentication and
> only accept certificate authentication (can't find an option for this
> in sshd_config)

You can set AuthorizedKeysFile to /dev/null, so sshd will never find
any regular keys there. This can be done on a per-user/group/address
basis using the Match keyword.

As you are probably aware, the certificate support is very new and I'd
love to hear any feedback or criticism you may have.
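As an added example, not code from the mail or from OpenSSH itself: a POSIX sh walk-through of the steps Hans lists, with the validity period Damien recommends, followed by the per-user "cert-authority" line and the Match/AuthorizedKeysFile snippet from the reply. The scratch directory, file names and the principal "alice" are constructed for the demo; it only needs ssh-keygen on PATH.

```shell
#!/bin/sh
# Added example, not part of the original mail: the flow Hans lists, with the
# validity period (-V) Damien recommends, plus the two sshd-side pieces from the
# reply. Directory, file names and the principal "alice" are constructed.
set -eu

LAB="${TMPDIR:-/tmp}/sshcert-demo"   # scratch dir; files are left here for inspection

# Step 1: CA keypair (empty passphrase so the demo runs unattended).
make_ca() {
    mkdir -p "$LAB"
    [ -f "$LAB/ca_rsa" ] || ssh-keygen -q -t rsa -b 2048 -N '' -f "$LAB/ca_rsa" -C 'demo user CA'
}

# Step 4: sign the user's key. -I is the key id sshd logs, -n the principal
# (login name) it is valid for, -V a short validity window instead of the
# default "forever". Writes alice_key-cert.pub next to alice_key.pub.
sign_user_key() {
    [ -f "$LAB/alice_key" ] || ssh-keygen -q -t ed25519 -N '' -f "$LAB/alice_key" -C 'alice@laptop'
    [ -f "$LAB/alice_key-cert.pub" ] || ssh-keygen -q -s "$LAB/ca_rsa" -I 'alice-laptop' \
        -n alice -V '+1d' "$LAB/alice_key.pub"
}

# Decode the certificate the way an admin would check it before deploying it.
show_cert() { ssh-keygen -L -f "$LAB/alice_key-cert.pub"; }

# Principals in the cert, one per line (the indented block after "Principals:").
cert_principals() {
    show_cert | awk '/Principals:/{f=1; next} /Critical Options:/{f=0} f{gsub(/^ +/, ""); print}'
}

# Reply, paragraph 2: trust the CA for one account without touching sshd_config.
cert_authority_line() { printf 'cert-authority %s\n' "$(cat "$LAB/ca_rsa.pub")"; }

# Reply, paragraph 3: system-wide trust, and certificate-only authentication for
# one group by pointing AuthorizedKeysFile at /dev/null inside a Match block.
sshd_config_snippet() {
    cat <<'EOF'
TrustedUserCAKeys /etc/ssh/sshcakeys
Match Group certusers
    AuthorizedKeysFile /dev/null
EOF
}

demo() {
    make_ca; sign_user_key
    show_cert
    echo; echo '# ~alice/.ssh/authorized_keys entry:'; cert_authority_line
    echo; echo '# /etc/ssh/sshd_config additions:'; sshd_config_snippet
}
demo
```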
