Tuesday, May 25, 2021

SSH Certificate Based Authentication

When working with Linux there are multiple methods for authentication, and one of the major ones is certificate-based authentication. It is considered more secure than plain key-based authentication because the certificates used for authentication can be set to expire at a given time.

We need a CA server for this. A basic Linux server with ssh-keygen installed is all that is required.

Creating the CA key pair

  1. On the server you intend to use as the CA server, create a new directory for the key pair
    • mkdir /CA
  2. Create the CA key pair.
    • cd /CA
    • ssh-keygen -C CA -f name-for-key
  3. Two files will be created: name-for-key (the private CA key) and name-for-key.pub (the public CA key).

Signing the ssh-key

  1. Create ssh key for your user from your computer
    • ssh-keygen -t ecdsa
  2. Copy the generated public key (/home/user/id_ecdsa.pub) to the CA server for signing
  3. On the CA server run the following command
    • ssh-keygen -s /CA/name-for-key -I id-for-key -n username -V validity-period (+52w for a year) -z serial-number (an integer) /home/user/id_ecdsa.pub
  4. Copy the newly created file /home/user/id_ecdsa-cert.pub back to your computer and keep it next to the private key, which is where ssh looks for it automatically

Configure SSH hosts for certificate authentication 

  1. Copy /CA/name-for-key.pub to /etc/ssh/ca.pub on all hosts you connect to (the file name must match the TrustedUserCAKeys entry below)
  2. Add the following entries in the /etc/ssh/sshd_config file
    • PubkeyAuthentication yes
    • TrustedUserCAKeys /etc/ssh/ca.pub
  3. Restart the ssh service and try logging in with your key.
  4. If successful, add the following line to your sshd_config to disable password authentication
    • PasswordAuthentication no
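The whole flow above, run end to end in a throwaway directory so it can be rehearsed before touching a real CA: create the CA key pair, create a user key, sign it with a principal, validity window and serial, then inspect the resulting certificate with ssh-keygen -L to confirm what sshd will see. This is an added example, not code from the original post; the CA name demo-ca, the key ID alice-laptop, the principal alice and the serial 1 are constructed values, and it assumes an OpenSSH ssh-keygen is on the PATH (if it is not, the function reports that and skips rather than failing).

```shell
#!/bin/sh
# Added example: rehearse the CA / sign / inspect steps from the post in a temp dir.
# Assumes OpenSSH ssh-keygen is installed. All names and the serial are constructed.
set -eu

ssh_cert_demo() {
    if ! command -v ssh-keygen >/dev/null 2>&1; then
        echo "ssh-keygen not found; nothing to demonstrate" >&2
        return 0   # assumption: a missing OpenSSH is a skip, not a failure
    fi
    work=$(mktemp -d)

    # 1. CA key pair (the post's /CA/name-for-key); no passphrase for the demo only.
    ssh-keygen -q -t ed25519 -C CA -N '' -f "$work/demo-ca"

    # 2. User key pair (the post's ssh-keygen -t ecdsa).
    ssh-keygen -q -t ecdsa -N '' -f "$work/id_ecdsa"

    # 3. Sign the user public key: key ID, principal (the login name sshd will
    #    accept), one-year validity, and a serial number for revocation lists.
    ssh-keygen -q -s "$work/demo-ca" -I alice-laptop -n alice -V +52w -z 1 \
        "$work/id_ecdsa.pub"

    # 4. Inspect the certificate; this is the same data sshd checks against
    #    TrustedUserCAKeys, the requested user name and the current time.
    info=$(ssh-keygen -L -f "$work/id_ecdsa-cert.pub")
    printf '%s\n' "$info"
    rm -rf "$work"

    # Confirm the principal, serial and a validity window are all present.
    printf '%s\n' "$info" | grep -q '^ *alice$' &&
        printf '%s\n' "$info" | grep -q 'Serial: 1' &&
        printf '%s\n' "$info" | grep -q 'Valid: from'
}

ssh_cert_demo
```

The Principals line in the output is the list of user names this certificate may log in as; sshd rejects a certificate whose principals do not include the requested user, whose validity window has passed, or whose signing CA is not listed in TrustedUserCAKeys, which is why those three fields are worth checking before a certificate is handed out.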