SSH certificates

Public key authentication without certificates

The authenticity of host 'xxx' can't be established.
RSA key fingerprint is SHA256:kfcwi9X8T4nMRw1OM0xDXETGcqjU26/zbM+KqNB6CKw.
Are you sure you want to continue connecting (yes/no)?

How certificates change the process

Certificate authentication in practice

Prequisite

ssh-keygen -f CA

Host certificates

Host certificates step 1: Sign host keys and create host certificates

ssh-keygen -h -s CA -n LIST-OF-PRINCIPALS -I ID -V +52w KEYFILE.pub

Host certificates step 2: Configure sshd

HostCertificate /etc/ssh/KEYFILE-cert.pub

Host certificates step 3: Tell Clients to trust the Trusted Server

ceres.example.com ssh-rsa AAAAB3Nza...
@cert-authority LIST-OF-SERVERS ssh-rsa AAAAB3Nza...

Host certificate test

The authenticity of host 'odroid (192.168.1.16)' can't be established.
RSA key fingerprint is SHA256:kfcwi9X8T4nMRw1OM0xDXETGcqjU26/zbM+KqNB6CKw.
Are you sure you want to continue connecting (yes/no)?

User certificates

User certificate step 1: Sign the user’s public key

ssh-keygen -s CA -I ID -n USERNAME -V +52w KEYFILE.pub

User certificate step 2: Install the CA’s public key

User certificate step 3: Tell sshd where to find the CA’s public key

TrustedUserCAKeys /etc/ssh/CA.pub

User certificate test

Accepted publickey for bbausch from 192.168.1.51 port 39498 ssh2: RSA-CERT ID odin-bbausch (serial 0) CA RSA SHA256:BmLWnPGoPg2Edyk2NsZGQ62lm7Cae6j5bOj3uKvXzcs

Remarks and tips

Update Nov 29, 2020: RSA key signing deprecated

CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2–512,rsa-sha2–256,ssh-rsa
ssh -oCASignatureAlgorithms=ssh-rsa user@server

Further reading

--

--

--

Open-Source and Cloud enthusiast. IT training for IT professionals. Special interests: OpenStack and Kubernetes.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Ransomware: Hunting for Inhibiting System Backup or Recovery

Vulnerability affecting some versions of centreon.

Research Results On Phishing Domains for COVID-19 Treatment Drugs

Redirect to my Mirror Blog

MOREKTZ

Router Exploit On An Unrooted Device

CyberVein Weekly Report

Crypto Bites W39 (Sept. 25, 2020)

Unido Pre-TGE Announcement

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Bernd Bausch

Bernd Bausch

Open-Source and Cloud enthusiast. IT training for IT professionals. Special interests: OpenStack and Kubernetes.

More from Medium

Undefeatable Monster

Containers In Kubernetes — Day 10

Log Analysis-Sysmon — BTLO, WriteUp

Learning more about “Threat Hunting”