How to give temporary access with SSH using certificate authority?
I'll go over all steps necessary to provide temporary ssh access:
1. Create SSH User CA key pair
ssh-keygen -f <key-pair-name> -b 4096
This will create a private key, which will be used to sign user's public keys and a public key which will be placed and configured as Trusted CA key on the server side.
The private key must be stored in a secure location and protected with a strong passphrase.
2. Configuring a SSH Trust CA key on a server
a. Copy the CA public key into the /etc/ssh/ directory and ensure it has proper ownership (user root, group root) and permissions (0600, no ACLs), like this:
-rw------- 1 root root 404 Jan 29 08:05 users_ca.pub
b. Add an entry in /etc/ssh/sshd_config to enable the usage of the CA:
# Allow access from signed keys
TrustedUserCAKeys /etc/ssh/users_ca.pub
c. Validate SSH's configuration and, if no errors are displayed, restart the daemon
sudo /usr/sbin/sshd -t -f /etc/ssh/sshd_config
sudo service ssh reload
3. Signing the user's key
a. Get the CA private key, which will be used to sign the user's public key
b. Obtain the public key of the user
c. Sign the public key:
ssh-keygen -s users_ca -I awesomeuser -n serveruser -V +1d userkey.pub
where the ssh-keygen switches used above are:
-s users_ca - CA private key
-I awesomeuser - name of the user
-n serveruser - username for which the authentication is allowed
-V +1d - specify a validity interval when signing a certificate. A validity interval may consist of a single time, indicating that the certificate is valid beginning now and expiring at that time, or may consist of two times separated by a colon to indicate an explicit time interval. The start time may be specified as a date in YYYYMMDD format, a time in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting of a minus sign followed by a relative time in the format described in the TIME FORMATS section of sshd_config. The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or a relative time starting with a plus character. For example: "+52w1d" (valid from now to 52 weeks and one day from now), "-4w:+4w" (valid from four weeks ago to four weeks from now), "20100101123000:20110101123000" (valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011), "-1d:20110101" (valid from yesterday to midnight, January 1st, 2011).
userkey.pub - the user's public key
d. When a public key gets signed, a new public key with the name <old public key>-cert.pub (in the example above the name will be userkey-cert.pub) is generated.
Signed user key userkey-cert.pub: id "awesomeuser" serial 0 for serveruser valid from 2018-01-29T07:59:00 to 2018-01-30T08:00:53
e. The newly created public key must be returned to the user. Once he receives it, he will be able to access the server configured with the SSH CA.
This should do it for you.
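An added example (not part of the answer above): a small Python inspector that decodes the fields of an OpenSSH certificate line such as userkey-cert.pub and reports why sshd would refuse it for a login, i.e. the three things the answer's -h/-n/-V switches control: certificate type (user vs host), the principal list, and the validity window. It handles ed25519 certificates only, and sample_cert() builds a constructed certificate with dummy key and signature bytes purely so the parser can be exercised offline.

```python
import base64
import struct

def _s(buf, off):  # read one SSH 'string' (uint32 big-endian length + bytes)
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def _pack(*parts):  # encode bytes values as SSH 'strings' (used by the sample builder)
    return b"".join(struct.pack(">I", len(p)) + p for p in parts)

def parse_cert(line):
    """Return the identity fields of an ssh-ed25519-cert-v01@openssh.com line."""
    buf = base64.b64decode(line.split()[1])
    kind, off = _s(buf, 0)
    if kind != b"ssh-ed25519-cert-v01@openssh.com":
        raise ValueError("only ed25519 certificates are handled here")
    _nonce, off = _s(buf, off)
    _pubkey, off = _s(buf, off)
    _serial, cert_type = struct.unpack_from(">QI", buf, off)
    key_id, off = _s(buf, off + 12)
    princ_blob, off = _s(buf, off)
    principals, p = [], 0
    while p < len(princ_blob):              # the -n list, packed as SSH strings
        name, p = _s(princ_blob, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", buf, off)
    return {"type": cert_type, "key_id": key_id.decode(), "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}

def login_problems(cert, principal, now):
    """Reasons sshd would refuse this cert for a login as `principal` at epoch `now`."""
    problems = []
    if cert["type"] != 1:                   # 1 = user cert, 2 = host cert (-h)
        problems.append("not a user certificate (was it signed with -h?)")
    if principal not in cert["principals"]:
        problems.append("login name not among principals %r" % cert["principals"])
    if not cert["valid_after"] <= now < cert["valid_before"]:
        problems.append("outside the -V validity window")
    return problems

def sample_cert(cert_type, principals, valid_after, valid_before):
    """CONSTRUCTED certificate: user key, CA key and signature bytes are dummies."""
    kind = b"ssh-ed25519-cert-v01@openssh.com"
    body = _pack(kind, b"nonce" * 4, b"\x01" * 32)
    body += struct.pack(">QI", 0, cert_type)
    body += _pack(b"awesomeuser", _pack(*[p.encode() for p in principals]))
    body += struct.pack(">QQ", valid_after, valid_before)
    body += _pack(b"", b"", b"", b"ca-pubkey-dummy", b"signature-dummy")
    return kind.decode() + " " + base64.b64encode(body).decode() + " userkey.pub"
```

On a real host, `ssh-keygen -L -f userkey-cert.pub` prints the same fields; the parser above is useful when you want to check a certificate in a script without the OpenSSH tools.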
mitesh sharma
Updated on September 18, 2022
Comments
-
mitesh sharma almost 2 years
I am trying to work on providing temporary access with SSH using certificate authority on an AWS EC2 instance, but am not able to do it properly. Can you please help give guidance on how this can be achieved? The process followed is mentioned below:
Step 1: Generate CA certificate on user's machine (currently doing for testing): ssh-keygen -f ssh_ca
Step 2: Generate user's ssh keys using (on user's machine): ssh-keygen -f user_ssh_key
Step 3: Generate CA approved public key using user's public key: ssh-keygen -s ssh_ca -I host_name -h -n host_name -V +1d user_ssh_key.pub, this gives user_ssh_key-cert.pub (public key which is signed)
Step 4: Copied ssh_ca.pub (CA pub key) and user_ssh_key, user_ssh_key-cert.pub (user's pub and private key) on server where I have to do ssh.
Step 5: Do sudo su, go to file: vim /etc/ssh/sshd_config, add CA pub key using: TrustedUserCAKeys /etc/ssh/ssh_ca.pub, add host key using HostCertificate /etc/ssh/user_ssh_key-cert.pub and added private key using: HostKey /etc/ssh/user_ssh_key
Step 6: Do /etc/init.d/sshd restart
Step 7: Open file /etc/ssh/ssh_known_hosts, add @cert-authority * (content of ssh_ca.pub, without any change)
When I try to do ssh using: ssh host_name@IP_ADDRESS
Getting this error during ssh which seems to be the issue:
debug1: Found CA key in /etc/ssh/ssh_known_hosts:1
key_cert_check_authority: invalid certificate
Certificate invalid: not a host certificate
debug1: No matching CA found. Retry with plain key
Can anyone please help guide me in this process? Something small seems to have gone wrong which I am not able to figure out.
Currently I don't have a DNS name, only an IP address which I want to connect to.
Thanks in advance
-
mitesh sharma over 6 years
Thanks a lot for the detailed reply. My question on the above point: we have the <old public key>-cert.pub key of the user, where should we put it on the server (where we want to login) and how to configure this (maybe in file /etc/ssh/sshd_config)? I have generated <old public key>-cert.pub as instructed, but am not able to figure out how to tell this to the server, so the server uses it. Just missing this small part.
-
13dimitar over 6 years
@miteshsharma once you sign the public key of the user with the private key of the SSH CA, the user should be able to log in. This will happen if you have enabled the usage of the SSH CA in /etc/ssh/sshd_config, and you have placed the public key in the appropriate location with valid permissions and ownership.
-
13dimitar over 6 years
That's 2-a: Copy the CA public key into the /etc/ssh/ directory and ensure it has proper ownership (user root, group root) and permissions (0600, no ACLs), like this:
-rw------- 1 root root 404 Jan 29 08:05 users_ca.pub
-
mitesh sharma over 6 years
yea thanks for that, and what about the <old public key>-cert.pub key? Plus nothing needs to be done on the user side for the CA public key (no need to put it on the client side), right? Just confirming. Sorry for the trouble.
-
mitesh sharma over 6 years
One thing missing here is to do sudo adduser 'principal' to add the user on the server, without it the CA signed key won't work.
-
13dimitar over 6 years
It depends actually, you may configure several people to login with a single user.
-
mitesh sharma over 6 years
yea that's true, so we need to create a specific user if we want to add him to our server, which makes this step essential. Added it in the answer, hope this is fine. What do you think?
-
13dimitar over 6 years
Or have them use an existing account