Certificates with OpenSSH
How to set up and use certificates with OpenSSH for host keys.
Setup CA
Create the CA keypair:
$ mkdir SSH-CA
$ cd !$
$ ssh-keygen -t rsa -b 4096 -C ca_key-example.com
# name the output keyfile ca_key-example.com_rsa, and choose a very good pass-phrase :-)
Sign server .pub keys at the CA
Fetch the /etc/ssh/ssh_host_rsa_key.pub file from each server and rename it to <hostname>_rsa_key.pub to reflect the system name (e.g. sys1_rsa_key.pub).
Validate the fingerprint of the server public key before signing it:
$ ssh-keygen -l -f ./sys1_rsa_key.pub
Sign the server public key with the CA key (ca_key-example.com_rsa), marking it as a host certificate (-h flag) and limiting the principals it is valid for to the server's FQDN (-n flag):
$ ssh-keygen -s ca_key-example.com_rsa -I sys1 -n sys1.example.com -h sys1_rsa_key.pub
Output will be the certificate <hostname>_rsa_key-cert.pub (e.g. sys1_rsa_key-cert.pub).
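As an added example, not part of this howto, the following Python reads the first line of a <hostname>_rsa_key-cert.pub file and checks the same fields that ssh-keygen -L -f sys1_rsa_key-cert.pub prints: that the certificate is a host certificate (signed with -h), that the FQDN given with -n is among its principals, and that it is inside its validity window. The SAMPLE certificate is constructed inline with dummy key material and an empty signature so the check runs offline; the parser itself works on real certificate lines.

```python
import base64, struct

_KEY_FIELDS = {"ssh-rsa-cert-v01@openssh.com": 2, "ssh-ed25519-cert-v01@openssh.com": 1}
CERT_TYPE_HOST = 2  # certificate type field: 1 = user certificate, 2 = host certificate

def _rd(buf, off):  # read one length-prefixed SSH 'string' -> (bytes, new offset)
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def _wr(*fields):  # encode fields as length-prefixed SSH 'string's (for the sample)
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)

def parse_cert(line):
    """Parse one line of a *-cert.pub file into the fields worth checking."""
    key_type, blob = line.split()[:2]
    buf, off = base64.b64decode(blob), 0
    wire_type, off = _rd(buf, off)
    if wire_type.decode() != key_type or key_type not in _KEY_FIELDS:
        raise ValueError("unsupported certificate type %r" % key_type)
    for _ in range(1 + _KEY_FIELDS[key_type]):  # skip nonce + raw key material
        _, off = _rd(buf, off)
    serial, cert_type = struct.unpack_from(">QI", buf, off)
    key_id, off = _rd(buf, off + 12)
    plist, off = _rd(buf, off)  # valid principals: a nested list of strings
    valid_after, valid_before = struct.unpack_from(">QQ", buf, off)
    principals, p = [], 0
    while p < len(plist):
        name, p = _rd(plist, p)
        principals.append(name.decode())
    return {"serial": serial, "cert_type": cert_type, "key_id": key_id.decode(),
            "principals": principals, "valid_after": valid_after, "valid_before": valid_before}

def check_host_cert(line, fqdn, now):
    """List problems; empty means a client trusting the CA accepts it for fqdn at time now."""
    c, problems = parse_cert(line), []
    if c["cert_type"] != CERT_TYPE_HOST:
        problems.append("not a host certificate (signed without -h?)")
    if fqdn not in c["principals"]:
        problems.append("%s not among principals %s" % (fqdn, c["principals"]))
    if not c["valid_after"] <= now < c["valid_before"]:
        problems.append("outside validity window")
    return problems

# Constructed sample, not a real certificate: RSA host cert for sys1 with dummy key
# material, no critical options or extensions, and an empty CA key and signature.
SAMPLE = "ssh-rsa-cert-v01@openssh.com " + base64.b64encode(
    _wr(b"ssh-rsa-cert-v01@openssh.com", b"\x00" * 32, b"\x01\x00\x01", b"\xab" * 64)
    + struct.pack(">QI", 7, CERT_TYPE_HOST) + _wr(b"sys1", _wr(b"sys1.example.com"))
    + struct.pack(">QQ", 1704067200, 1735689600)  # 2024-01-01 .. 2025-01-01 UTC
    + _wr(b"", b"", b"", b"", b"")).decode() + " sys1"  # opts, exts, reserved, CA key, sig
```

A certificate signed without -V carries valid_after 0 and valid_before 2^64-1, so the window check passes for any date; call check_host_cert(open("sys1_rsa_key-cert.pub").readline(), "sys1.example.com", time.time()) on a real file.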
Add CA-signed host certs to servers
Store the certificate in /etc/ssh/ on the corresponding server and add the following to /etc/ssh/sshd_config (sshd pairs the certificate with the private key already loaded by the HostKey /etc/ssh/ssh_host_rsa_key line, so that line must stay):
# CA cert for host
HostCertificate /etc/ssh/<hostname>_rsa_key-cert.pub
Then reload the server config:
$ sudo /etc/init.d/ssh reload
Client Config
Two options are available, depending on whether you are root on the client or not.
1. System-wide ssh client config
Add the public key of the CA to /etc/ssh/ssh_known_hosts, prepending '@cert-authority *' (a narrower host pattern such as '*.example.com' limits which hosts this CA may vouch for).
Example:
@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDcXMO5H0zn3.......== ca_key-example.com
Make sure the ssh_known_hosts file is readable by all but writable only by root.
2. Per-user config
Add the public key of the CA to /home/<user>/.ssh/known_hosts, prepending '@cert-authority *'.
Example:
@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDcXMO5H0zn3a.......== ca_key-example.com