Logging in with SSH certificates

Suppose you want to provide ssh access to a server or machine without having to change the server configuration for each new user that requires acces, there is a very nice feature in ssh called "SSH Certificates". This blogpost explains a simple setup to get you started.

Creating the Certificate authority

First, create an SSH Certificate keypair. This is a regular public/private key like always, but not used as your default identity (preferably). You can do this on the server, but it is safer to keep this keypair on a separate machine. Keep the private key safe, and give it a strong password:

$ ssh-keygen -b 4096 -t rsa -f ca_rsa -C "CA key for example.com"

This will generate the file ca_rsa and ca_rsa.pub.

Adding the Certificate authority to the server

From the certificate authority keypair you just created, take the public key and add the contents of the ca_rsa.pub file to the ~/.ssh/authorized_keys file of the user account you want to provide access to. Prefix the line with "cert-authority", like so:

cert-authority ssh-rsa AAAAB[...]Z04e8c CA key for example.com

You can have multiple lines in the authorized keys if you want, so you can have several SSH Certificates. This enables you to give multiple people the power to sign client keys for scalability.

Signing a client key

To give a client/user access to the account, ask for his public ssh key and sign it. If the user does not yet have a personal keypair, he can create that with

$ ssh-keygen -b 4096 -t rsa -C "John Doe"

This will produce an ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub file on the user's machine. Ask for the public key, take that the Certificate authority machine and sign the public key:

$ ssh-keygen -s ca_rsa -I "John Doe" id_rsa.pub

This will produce an id_rsa-cert.pub file. This file needs to be sent back to the user, and needs to be stored in the ~/.ssh folder. If there is already a file with this name, the contents can be appended.

Signing in

After all the setup above, the user should be able to connect to the server by just issuing

$ ssh <servername>

The ssh client will negotiate public/private keypair authentication, and if there is a signature file it will be provided to the server. The server checks the validity of the signature and if it looks ok, it will provice access to the user.

Who signed in and when?

A standard sshd configuration will log all authentication attempts to /var/log/auth. When a user logs in with a signed public key, the authentication log will list the certificate and the name of the user as provided when signing the key. This way you will be able to tell who logged in, and when.

But wait, there is more!

This whole mechanism will enable Raspberry Pi hobbyists with a pretty powerful way to provice access to remote machines without having to add all users to all machines. The SSH Certificate mechanism has more powers than this, please check revocation lists and other cool stuff at ef.gy

Enjoy!