SSH Trusted CA Key

It is now possible in OpenSSH to authenticate using trusted certificate authority (CA) keys. You sign a user's key with the CA key; the CA's public key resides on the server side, and any user key signed by that CA will be accepted for authentication. This is different from a user generating their own public and private keys and installing the public key on each server (the typical key-based scheme for ssh authentication). The mechanics of making it work can be found here.

From the previous link:

Client:
1) ssh-keygen -f ca_rsa  # generate an ssh keypair for use as the CA key

Server(s):
2) make sure your /etc/ssh/sshd_config has TrustedUserCAKeys assigned:
   TrustedUserCAKeys /etc/ssh/sshcakeys  # or whatever name or location you like

3) edit /etc/ssh/sshcakeys and add the contents of ca_rsa.pub to it

Client:
4) for a user, generate a certificate of their public key:
   ssh-keygen -s ca_rsa -I keyid -n user id_rsa.pub
   This will generate an id_rsa-cert.pub certificate file

Client:
5) ssh user@server  # connect to the server using the certificate
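As an added example (not part of the original post or the linked write-up), here are steps 1 to 4 run end to end in a scratch directory, followed by the checks a server admin would make before trusting the result: decode the certificate, and confirm that the CA which signed it is one of the keys in the TrustedUserCAKeys file. The key ID given with -I is a free-form label that sshd writes to its log whenever the certificate is used. File names such as ca_key and id_user, the ed25519 key type and the 52-week validity are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post: the CA workflow in a scratch
# directory plus the checks an admin runs before trusting a certificate.
# Assumes ssh-keygen is on PATH; nothing touches ~/.ssh or /etc/ssh.
set -eu

# Create a CA keypair and a user keypair, then sign the user's public key.
#   $1 scratch dir   $2 principal (login name the cert is valid for)
#   $3 key ID: a free-form label; sshd logs it whenever the cert is used
make_user_cert() {
    dir=$1; principal=$2; keyid=$3
    mkdir -p "$dir"
    ssh-keygen -q -t ed25519 -N '' -C example-ca -f "$dir/ca_key"   # step 1
    cp "$dir/ca_key.pub" "$dir/sshcakeys"        # what step 3 puts on the server
    ssh-keygen -q -t ed25519 -N '' -C user@laptop -f "$dir/id_user"
    # step 4, with an expiry: without -V the certificate never expires
    ssh-keygen -q -s "$dir/ca_key" -I "$keyid" -n "$principal" -V +52w \
        "$dir/id_user.pub"
    test -f "$dir/id_user-cert.pub"              # ssh-keygen writes <key>-cert.pub
}

# Decode the certificate (ssh-keygen -L) and pull out single fields.
cert_key_id()     { ssh-keygen -L -f "$1" | sed -n 's/^ *Key ID: "\(.*\)"$/\1/p'; }
cert_principals() { ssh-keygen -L -f "$1" | awk '/Principals:/{f=1;next} /Critical Options:/{f=0} f{print $1}'; }
cert_signing_ca() { ssh-keygen -L -f "$1" | awk '/Signing CA:/{print $4}'; }

# Does the CA that signed this certificate appear in the server's
# TrustedUserCAKeys file? Compare fingerprints (SHA256:...), which is what
# sshd's trust decision amounts to. Returns 0 if trusted, 1 otherwise.
cert_signed_by_trusted_ca() {
    want=$(cert_signing_ca "$1")
    ssh-keygen -lf "$2" | awk '{print $2}' | grep -Fxq "$want"
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_user_cert "$d" alice alice-laptop
    ssh-keygen -L -f "$d/id_user-cert.pub"       # full decoded certificate
    cert_signed_by_trusted_ca "$d/id_user-cert.pub" "$d/sshcakeys" \
        && echo "certificate was signed by a CA listed in sshcakeys"
fi
```

Run it as `sh ca_demo.sh demo`; a certificate signed by any other CA, even one with the same key ID and principal, fails the last check.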
This entry was posted in Geek, Tips. Bookmark the permalink.

3 Responses to SSH Trusted CA Key

  1. Dave says:

    Greg –

    reading through your document, it seems pretty straightforward. BUT – I don’t understand the

    (-I keyid) I assume that is a variable I generate. How and where do I generate this key_id?

    Dave

  2. Dave says:

    Coolio – Once I work up a good walk through I’ll share.
