When working with Linux there are multiple methods for authentication and one of the major methods is certificate based authentication. This is considered a more secure method than key based authentication since the certificates used for authentication can be set to expire at a given time.
We need a CA server for this requirement. A basic Linux server with ssh-keygen is all we require for this.
Creating the CA key pair.
- On the server you intend to use as a CA server create a new directory for the key pair
- mkdir /CA
- Create the CA key pair.
- cd /CA
- ssh-keygen -C CA -f name-for-key
- Two files will be created name-for-key and name-for-key.pub.
Signing the ssh-key
- Create ssh key for your user from your computer
- ssh-keygen -t ecdsa
- Copy the public key generated (/home/user/id_ecdsa.pub) to the CA server for signing
- On CA server run the following command
- ssh-keygen -s /CA/name-for-key -I id-for-key -n username -V validity-period(+52w for and year) -z serial-number(an integer) /home/user/id_ecdsa.pub
- Copy the newly created file /home/user/id_ecdsa-cert.pub to your computer
Configure SSH hosts for certificate authentication
- Copy /CA/name-for-key.pub to /etc/ssh in all hosts you connect with
- ssh-keygen -t ecdsa
- Add the following entries in /etc/ssh/sshd_config file
- PubkeyAuthentication yes
- TrustedUserCAKeys /etc/ssh/ca.pub
- Restart ssh service and try login with your key.
- If successful add the following line to your sshd_config to disable password authentication
- PasswordAuthentication no
