Getting Started
Getting started with sshcert and configuring your server to accept SSH certificates is easy.
Installing the sshcert cli requires that the Go programming language is installed.
go install github.com/ejcx/sshcert/cmd/sshcert
If this step is successful, the sshcert cli should be installed into $GOPATH/bin.
To generate an SSH certificate authority, use the ca-create subcommand. This will write the certificate authority's private and public key to your current working directory.
~ e :) sshcert ca-create
Wrote public key file to dbb3d292125cfe0a72a9af2e6201b91b.pub
Wrote private key file to dbb3d292125cfe0a72a9af2e6201b91b
Configuring the server to trust the CA requires a few steps. First, transfer the public key to the server. In this example, dbb3d292125cfe0a72a9af2e6201b91b.pub is the public key. You can do this any number of ways.
~# echo 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBM6Q5sGjn0VFg6Q8oF+LeB0dXCsQtzQvLTdAC8iIPHsNQ1ReXrAQMQHlLCM50tP0pqoJL7FlYFc70JNLOmdXeTM= open-ssh-ca@ejj.io' > /etc/ssh/ca.pub
Second, add the following entry to your SSH server's configuration to tell it to trust this public key.
TrustedUserCAKeys /etc/ssh/ca.pub
Finally, restart your ssh server:
~# /etc/init.d/ssh restart
Create a new SSH user that will be accessed with certificates signed by the CA. This is done using the adduser command. I used my name evan, but you can make this anything you would like:
~# adduser --disabled-password --gecos "" evan
Adding user `evan' ...
Adding new group `evan' (1002) ...
Adding new user `evan' (1002) with group `evan' ...
Creating home directory `/home/evan' ...
Copying files from `/etc/skel' ...
On the local machine where the SSH CA public/private keypair exists, make a new ssh keypair. This can be done using the ssh-keygen command. Note that sshcert only supports signing ecdsa keys:
~ e :) ssh-keygen -t ecdsa -N '' -f examplekey
Generating public/private ecdsa key pair.
Your identification has been saved in examplekey.
Your public key has been saved in examplekey.pub.
The key fingerprint is:
SHA256:LnRO010DguuJC75Nb3xWVftxV/XdOBa+T8b+UOJ353g e@Evans-MacBook-Pro.local
The key's randomart image is:
+---[ECDSA 256]---+
| .. . . o|
| . . o o*|
| . B.*|
| .. . o.Bo|
| .oS.. ..o X|
| ...=o. .. B.|
| . .ooo . o *|
| .o.oo o =E|
| .....o ..o|
+----[SHA256]-----+
Using the SSH certificate authority private key and the sshcert cli, sign your newly generated ssh public key. If successful, this will create a new file named after your public key file with .cert appended to the end of it. In the example, signing examplekey.pub will create a new ssh certificate file, examplekey.pub.cert:
~ e :) sshcert sign --principals evan --private-key dbb3d292125cfe0a72a9af2e6201b91b --public-key examplekey.pub
sshcert sign also supports a --duration argument, to specify how long the certificate will be valid for. By default, the certificate is good for 30m.
Note, --principals should be the linux user that you wish to SSH as, --private-key is your certificate authority private key, and --public-key is the public key of the linux user that will be sshing in to the server.
Use your certificate and non-CA private key to SSH in to the remote server that is configured with your CA's public key.
~ e :) ssh evan@178.128.144.223 -i examplekey -o CertificateFile=examplekey.pub.cert
Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.4.0-141-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
Get cloud support with Ubuntu Advantage Cloud Guest:
http://www.ubuntu.com/business/services/cloud
0 packages can be updated.
0 updates are security updates.
New release '18.04.1 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Thu Dec 27 23:20:49 2018 from 98.210.133.128
evan@ubuntu-s-1vcpu-1gb-nyc1-01:~$
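The file that sshcert sign writes (examplekey.pub.cert) is a standard OpenSSH certificate, so the constraints described above (the principal, the signing CA and the 30m default lifetime) can be inspected before the certificate is handed out. What follows is an added example, not code from the sshcert project: it decodes the certificate wire format with only the Python standard library, checks those fields against the ca.pub line from this walkthrough, and builds a constructed sample certificate (dummy user key, placeholder signature) as its input. The ECDSA signature itself is not verified here; sshd does that when the certificate is presented.

```python
import base64
import io
import struct
import time

CA_PUB_LINE = (  # trusted CA: the ca.pub line from the walkthrough above
    "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBM6Q5sGjn0VFg6Q8"
    "oF+LeB0dXCsQtzQvLTdAC8iIPHsNQ1ReXrAQMQHlLCM50tP0pqoJL7FlYFc70JNLOmdXeTM= open-ssh-ca@ejj.io")

def _s(b):
    """Encode an SSH wire 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def _rd(buf, fmt=None):
    """Read a uint32 (">I") or uint64 (">Q") when fmt is given, else a length-prefixed string."""
    if fmt:
        return struct.unpack(fmt, buf.read(struct.calcsize(fmt)))[0]
    return buf.read(_rd(buf, ">I"))

def _blob(line):
    """Decode the base64 blob from a 'type blob comment' key or certificate line."""
    return base64.b64decode(line.split()[1])

def parse_cert(line):
    """Decode an ecdsa-sha2-nistp256-cert-v01@openssh.com line (field order per OpenSSH PROTOCOL.certkeys)."""
    r, c = io.BytesIO(_blob(line)), {}
    c["type"], _nonce, c["curve"], c["public_key"] = _rd(r).decode(), _rd(r), _rd(r).decode(), _rd(r)
    c["serial"], c["cert_type"], c["key_id"] = _rd(r, ">Q"), _rd(r, ">I"), _rd(r).decode()  # type 1 = user, 2 = host
    p, c["principals"] = io.BytesIO(_rd(r)), []  # principals are a packed list of strings
    while p.tell() < len(p.getvalue()):
        c["principals"].append(_rd(p).decode())
    c["valid_after"], c["valid_before"] = _rd(r, ">Q"), _rd(r, ">Q")
    _critical_options, _extensions, _reserved = _rd(r), _rd(r), _rd(r)
    c["signature_key"], c["signature"] = _rd(r), _rd(r)
    return c

def check_cert(line, ca_line, principal, max_lifetime=30 * 60, now=None):
    """Field-level checks before a cert is handed out; the ECDSA signature itself is verified by sshd."""
    c, now = parse_cert(line), (time.time() if now is None else now)
    checks = [(c["cert_type"] != 1, "not a user certificate"),
              (c["signature_key"] != _blob(ca_line), "not signed by our CA key"),
              (principal not in c["principals"], "principal missing"),
              (c["valid_before"] - c["valid_after"] > max_lifetime, "lifetime too long"),
              (not c["valid_after"] <= now < c["valid_before"], "outside validity window")]
    return [msg for bad, msg in checks if bad]

def make_sample_cert(ca_line, principals, valid_after, valid_before, cert_type=1):
    """Constructed fixture with a dummy user key and placeholder signature; real certs come from sshcert sign."""
    body = (_s(b"ecdsa-sha2-nistp256-cert-v01@openssh.com") + _s(b"\x00" * 32) + _s(b"nistp256")
            + _s(b"\x04" + b"\x00" * 64) + struct.pack(">QI", 1, cert_type) + _s(b"examplekey.pub")
            + _s(b"".join(_s(p.encode()) for p in principals)) + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"") + _s(b"") + _s(b"") + _s(_blob(ca_line)) + _s(b"PLACEHOLDER-NOT-A-REAL-SIGNATURE"))
    return "ecdsa-sha2-nistp256-cert-v01@openssh.com " + base64.b64encode(body).decode() + " examplekey.pub"
```

To inspect a real examplekey.pub.cert, pass its single line to check_cert together with the contents of /etc/ssh/ca.pub; the same fields are also shown by ssh-keygen -L -f examplekey.pub.cert.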