SSH Trusted CA Key

It is now possible in openssh to authentic using trusted certificate authority keys. You can sign a key using a CA key. On the server side the CA key resides. Any key signed by the CA key will be authenticated. This is different from a user generating their own public and private keys (the typical key based scheme for ssh authentication). The mechanics of making it work can be found here.

From the previous link:

1) ssh-keygen -f ca_rsa # generate a ssh keypair for use as a certificate

2) make sure your /etc/ssh/sshd_config has TrustedUserCAKeys assigned
TrustedUserCAKeys /etc/ssh/sshcakeys # or whatever name or
location you like

3) edit /etc/ssh/sshcakeys and add the contents of in it

4) for a user generate a certificate of its public key
ssh-keygen -s ca_rsa -I keyid -n user
This will generate an certificate file

5) ssh user [at] serve # connect to server using the certificate
This entry was posted in Geek, Tips. Bookmark the permalink.

3 Responses to SSH Trusted CA Key

  1. Dave says:

    Greg –

    reading through your document, it seems pretty straightforward. BUT – I don’t understand the

    (-I keyid) I assume that is a variable I generate. How and where do I generate this key_id?


  2. Dave says:

    Coolio – Once I work up a good walk through I’ll share.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s