ssh certificate usage

Damien Miller djm@mindrot.org
Wed Apr 28 14:41:30 EST 2010


On Tue, 27 Apr 2010, Hans wrote:

> I am trying to find out how I can use the new self-signed certificates
> So what I read in the man pages, it should be something like:
> 
> client:
> 1) ssh-keygen -f ca_rsa	  # generate a ssh keypair for use as a certificate
> 
> Server(s):
> 2) make sure your /etc/ssh/sshd_config has TrustedUserCAKeys assigned
> TrustedUserCAKeys  /etc/ssh/sshcakeys       # or whatever name or
> location you like
> 
> 3) edit /etc/ssh/sshcakeys and add the contents of ca_rsa.pub in it
> 
> Client:
> 4) for a user generate a certificate of its public key
>   ssh-keygen -s ca_rsa -I keyid -n user id_rsa.pub
> This will generate an id_rsa-cert.pub certificate file
> 
> Client:
> 5) ssh user@server        # connect to server using the certificate
> 
> Is this correct or did I miss something ?

That is it in a nutshell. You should specify a validity period for the
certificates in step #3. Since our revocation implementation is weak at
the moment, it is best to use short-lived certificates that are refreshed
frequently (and hopefully through an easy process for the user).

Also, if you want to try out certificates without touching sshd_config
(e.g. if you don't have superuser access), then you can specify trusted
CA keys on a per-user basis in authorized_keys using the "cert-authority"
key option:

cert-authority ssh-rsa AAA.....

> Is it also possible to disable the plain public key authentication and
> only accept certificate authentication (can't find an option for this
> in sshd_config)

You can set AuthorizedKeysFile to /dev/null, so sshd will never find
any regular keys there. This can be done on a per-user/group/address
basis using the Match keyword.

As you are probably aware, the certificate support is very new and I'd
love to hear any feedback or criticism you may have.

-d
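The steps above, carried through as an added example (not code from the thread or from OpenSSH itself): it generates a CA, signs a user key with the short validity window Damien recommends (`-V`), inspects the result with `ssh-keygen -L`, and emits the two server-side fragments discussed in the reply: a per-user `cert-authority` line for `authorized_keys` and an `sshd_config` `Match` block that sets `AuthorizedKeysFile /dev/null` so only certificates are accepted. The file names, the key id, the principal `deploy` and the group `deployers` are constructed for the example.

```shell
#!/bin/sh
# Added example: SSH user-certificate flow from the thread, plus the two
# server-side snippets from the reply. Names below are constructed.

# Per-user alternative to TrustedUserCAKeys: an authorized_keys line that
# trusts every certificate signed by this CA. Argument: CA public key file.
authorized_keys_cert_authority_line() {
    printf 'cert-authority %s\n' "$(cat "$1")"
}

# sshd_config fragment: the CA is trusted globally, and for members of the
# (constructed) group "deployers" sshd looks for plain keys in /dev/null,
# so only CA-signed certificates can authenticate them.
sshd_cert_only_config() {
    cat <<'EOF'
TrustedUserCAKeys /etc/ssh/sshcakeys
Match Group deployers
    AuthorizedKeysFile /dev/null
EOF
}

# Step 1: CA keypair. Argument: output path (private key; .pub is written too).
make_ca() {
    ssh-keygen -q -t rsa -b 3072 -N '' -C 'example CA' -f "$1"
}

# Step 4 with a validity period: sign a user public key.
# Args: CA private key, key id, principal, user public key, validity spec
# (e.g. '+1d' = valid from now for one day; see ssh-keygen(1) -V).
sign_user_key() {
    ssh-keygen -q -s "$1" -I "$2" -n "$3" -V "$5" "$4"
}

# End-to-end run in a scratch directory (subshell, so the cwd is unchanged).
demo() (
    workdir=$(mktemp -d) || exit 1
    cd "$workdir" || exit 1
    make_ca ca_rsa                                      # step 1
    ssh-keygen -q -t rsa -b 3072 -N '' -f id_rsa         # constructed user key
    sign_user_key ca_rsa deploy-cert-01 deploy id_rsa.pub '+1d'   # step 4
    ssh-keygen -L -f id_rsa-cert.pub                    # show principals, validity
    echo '--- authorized_keys line (per-user trust) ---'
    authorized_keys_cert_authority_line ca_rsa.pub
    echo '--- sshd_config fragment (certificates only) ---'
    sshd_cert_only_config
)

# Only run the key-generation part where ssh-keygen is installed.
if command -v ssh-keygen >/dev/null 2>&1; then
    demo
fi
```

The `ssh-keygen -L` output is the check worth making before deploying: the `Principals` list must contain the login name the user will present, and the `Valid` line shows the window that expires the certificate without needing revocation.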
