authorised_keys files across your estate to ensure all public keys were still valid? That contractor that needed access for a week… who remembered to remove their key? …and so on.

| Certificate Authority (CA) Server | Host Server(s) | Client(s) |
|---|---|---|
| Host Server Certificate Configuration | | |
| This is the server typically managed by a security team. The root CA private keys are held on this server and should be protected. If these keys are compromised it will be necessary to Revoke & Rotate/Recreate ALL Certificates!! | These are the servers that are being built or reprovisioned. The Host CA Signed Certificate is used to prove Host Authenticity to clients. It is sent to the ssh client during the initial handshake when a ssh client attempts to login. | The user laptop or server that's running the ssh client. The Client CA Signed Certificate is used to prove Client Authenticity to the Host Server. |
| Step 1. Create HOST CA signing keys. Example: `ssh-keygen -t rsa -N '' -C HOST-CA -b 4096 -f host-ca` | Step 2. Let's generate a fresh set of ssh RSA HOST keys with 4096 bits. Typically the keys are generated by default when openssh-server is installed but it uses 2048 bits. You need to do this when cloning VMs too if you need unique authenticity. Example: `sudo ssh-keygen -N '' -C HOST-KEY -t rsa -b 4096 -h -f /etc/ssh/ssh_host_rsa_key` | |
| Step 3. Copy the PUBLIC key, `user@target-host:/etc/ssh/ssh_host_rsa_key.pub`, created in Step 2 on the host server to the CA server. Example: `scp [email protected]:/etc/ssh/ssh_host_rsa_key.pub .` | | |
| Step 4. Create the CA signed Host Certificate for the target host using the CA-HOST private key, `host-ca`, created in Step 1, and the host server's public key, `ssh_host_rsa_key.pub`, retrieved in Step 3. Example: `ssh-keygen -s ./host-ca -I dev_host_server -h -V -5m:+52w ssh_host_rsa_key.pub` | | |
| Step 5. Copy the HOST Certificate, `ssh_host_rsa_key-cert.pub`, created in Step 4, back onto the host server. Example: `scp ssh_host_rsa_key-cert.pub [email protected]:/etc/ssh/ssh_host_rsa_key-cert.pub` | | |
| Step 6. Remove the now obsolete host public key and host cert from the CA server. Example: `rm ssh_host_rsa_key-cert.pub ssh_host_rsa_key.pub` | | |
| | Step 7. Configure the Host Server to use the new certificate file, `/etc/ssh/ssh_host_rsa_key-cert.pub`, within the ssh server conf, `/etc/ssh/sshd_config`, by adding the line `HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub`. Now restart the ssh service. Example: `grep -qxF 'HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub' /etc/ssh/sshd_config \|\| echo 'HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub' \| sudo tee -a /etc/ssh/sshd_config` followed by `sudo systemctl restart ssh` | |
| Step 8. Capture the contents of the CA-HOST PUBLIC key, `host-ca.pub`, as this will be needed to configure the ssh clients. Example: `cat host-ca.pub` | | Step 9. Now we need to configure the ssh clients to be able to validate the Host Certificates using the CA-HOST PUBLIC key, `host-ca.pub`, created in Step 1, by adding it to the individual user's `~/.ssh/known_hosts`. Example (with `<host-ca.pub key>` standing for the base64 key material from `host-ca.pub`): `grep -qxF '@cert-authority * ssh-rsa <host-ca.pub key> HOST-CA' ~/.ssh/known_hosts \|\| echo '@cert-authority * ssh-rsa <host-ca.pub key> HOST-CA' \| tee -a ~/.ssh/known_hosts` |
| Client Certificate Configuration | | |
| Step 10. Create Client CA signing keys. Example: `ssh-keygen -t rsa -N '' -C CLIENT-CA -b 4096 -f client-ca` | | |
| Step 11. Copy the public Client CA signing key, `client-ca.pub`, created in Step 10, to the target host servers (NOT the client servers). Example: `scp client-ca.pub root@host:/etc/ssh/client-ca.pub` | Step 12. Configure the Host Server to use the new Client CA file, `client-ca.pub`, within the ssh server conf, `/etc/ssh/sshd_config`, by adding the line `TrustedUserCAKeys /etc/ssh/client-ca.pub`. Then restart the ssh service. Example: `grep -qxF 'TrustedUserCAKeys /etc/ssh/client-ca.pub' /etc/ssh/sshd_config \|\| echo 'TrustedUserCAKeys /etc/ssh/client-ca.pub' \| sudo tee -a /etc/ssh/sshd_config` followed by `sudo systemctl restart ssh` | |
| Step 13. Copy, fax, email or however you like the client's public ssh key, `/home/someuser/.ssh/id_rsa.pub`, to the CA server and sign the key as follows. Example: `ssh-keygen -s client-ca -I graham-dev -n root,vagrant,graham,pi -V -5:+52w -z 1 ~/.ssh/id_rsa.pub` | | Step 14. Copy, fax, email or however you like the client's new ssh certificate, `id_rsa-cert.pub`, back to the client's `/home/someuser/.ssh` directory and test as follows: `ssh -v [email protected]` |
The ssh-keygen options used above:

- `-N` if you want to include a passphrase with the key generation
- `-t` type can be dsa, rsa, ecdsa or ed25519. I choose rsa as it's widely accepted everywhere though less secure.
- `-b` key size of 4096 bits to delay brute force attacks – all bets are off when we have qubit mobile phones ?
- `-V` from 5 minutes ago for the next 30 days: `-5m:+30d`. Ideally keep this as short as possible – for my dev/play environment security is not a real concern – 30 days is fine.
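A defender's follow-up to the procedure above, added here and not part of the original post: a small Python parser for the `*-cert.pub` files the steps produce, so the `-I` key id, `-n` principals, `-z` serial and `-V` validity window of every host and client certificate across an estate can be audited in bulk (what `ssh-keygen -L` shows for one file). The sample certificate is constructed inline with a dummy signature; `build_sample_cert`, `parse_cert` and `cert_status` are names chosen for this example.

```python
import base64
import struct
def _s(b):
    return struct.pack(">I", len(b)) + b

def build_sample_cert(key_id, principals, valid_after, valid_before, serial=1):
    """Constructed ssh-ed25519 cert with a dummy signature: parser test input, not a real cert."""
    body = (_s(b"ssh-ed25519-cert-v01@openssh.com") + _s(b"\x00" * 32) + _s(b"\x11" * 32)
            + struct.pack(">QI", serial, 1)                     # -z serial, type 1 = user cert
            + _s(key_id.encode())                               # -I key id
            + _s(b"".join(_s(p.encode()) for p in principals))  # -n principals
            + struct.pack(">QQ", valid_after, valid_before)     # -V window, epoch seconds
            + _s(b"") + _s(b"") + _s(b"")                       # critical options, extensions, reserved
            + _s(_s(b"ssh-ed25519") + _s(b"\x22" * 32)) + _s(b"\x33" * 64))  # CA key, dummy signature
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(body).decode() + " CLIENT-CA"

def _read(buf, off, fmt=None):
    # Read a fixed-size uint (fmt) or a length-prefixed SSH string; return (value, new offset).
    if fmt:
        return struct.unpack_from(fmt, buf, off)[0], off + struct.calcsize(fmt)
    n = struct.unpack_from(">I", buf, off)[0]
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_cert(line):
    """Fields a certificate audit cares about, from one *-cert.pub line (cf. ssh-keygen -L)."""
    algo, b64 = line.split()[:2]
    buf, off = base64.b64decode(b64), 0
    body_type, off = _read(buf, off)
    if body_type.decode() != algo:
        raise ValueError("certificate body does not match its declared type")
    _, off = _read(buf, off)                                    # nonce
    for _ in range(2 if "rsa" in algo or "ecdsa" in algo else 1):
        _, off = _read(buf, off)                                # public key parts
    serial, off = _read(buf, off, ">Q")
    ctype, off = _read(buf, off, ">I")
    key_id, off = _read(buf, off)
    plist, off = _read(buf, off)                                # packed list of principal strings
    principals, p = [], 0
    while p < len(plist):
        name, p = _read(plist, p)
        principals.append(name.decode())
    valid_after, off = _read(buf, off, ">Q")
    valid_before, off = _read(buf, off, ">Q")
    return {"type": {1: "user", 2: "host"}.get(ctype, "unknown"), "serial": serial, "key_id": key_id.decode(),
            "principals": principals, "valid_after": valid_after, "valid_before": valid_before}

def cert_status(cert, now):
    """'valid', 'expired' or 'not yet valid' against the -V window (now = epoch seconds)."""
    return ("not yet valid" if now < cert["valid_after"]
            else "expired" if now >= cert["valid_before"] else "valid")
```

Feed each line of `/etc/ssh/ssh_host_rsa_key-cert.pub` or `~/.ssh/id_rsa-cert.pub` to `parse_cert` and flag whatever `cert_status` reports as expired or close to expiry; the parser checks structure only and does not verify the CA signature, which ssh and sshd do.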