SSH Certificates: Benefits & Setup

TL;DR

SSH certificates offer a more secure and manageable alternative to password-based or key-based authentication for SSH access. They simplify key management, allow for fine-grained access control (e.g., restricting commands), and can be easily revoked without needing to change server configurations.

What are SSH Certificates?

Normally, when you connect to an SSH server, it verifies your identity against a public key that was copied to the server in advance (its half of your private/public key pair). SSH certificates add another layer of trust: a Certificate Authority (CA) signs your public key, vouching for its authenticity, and the server then accepts any certificate signed by a CA it has been configured to trust, without needing to know the individual key beforehand.

Benefits of Using Signed SSH User Certificates

  1. Simplified Key Management: Instead of distributing individual public keys to many servers, you distribute a trusted CA’s public key. Users present certificates signed by that CA.
  2. Centralised Control: Revoking access is done at the CA level – no need to update authorized_keys files on each server.
  3. Fine-Grained Access Control: Certificates can include extensions specifying permitted commands, source addresses, and validity periods. This limits what a compromised certificate can do.
  4. Improved Security: Certificates are harder to forge than static keys. They also allow for easier auditing of who has access.
  5. Automation Friendly: Certificates integrate well with configuration management tools like Ansible, Puppet and Chef.

Setting up SSH Certificates – A Step-by-Step Guide

This guide assumes you have a Linux server where you’ll act as the CA. We’ll use OpenSSH.

1. Create a Certificate Authority (CA)

  1. Create a directory to hold the CA key pair and the certificates it issues:
    mkdir -p ~/.ssh/certs

  2. Generate the CA key pair in that directory:
    ssh-keygen -t rsa -b 4096 -f ~/.ssh/certs/ca_key

    This creates ca_key (private key – keep this *very* safe; it signs every certificate and should never be copied to the servers that trust it) and ca_key.pub (public key, which is all the servers need).

2. Create User Certificates

  1. Generate the user’s key pair (if they don’t have one already):
    ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa
  2. Sign the user’s public key with the CA:
    ssh-keygen -s ~/.ssh/certs/ca_key -I '<key-identifier>' -n <username> -V +52w ~/.ssh/id_rsa.pub

    Replace <username> with the account name the user will log in as (this is the certificate’s principal, which the server matches against the login name) and <key-identifier> with a label that identifies the key in the server’s logs. +52w sets the certificate validity to one year (52 weeks). The output will be saved as ~/.ssh/id_rsa-cert.pub.

3. Configure the SSH Server

  1. Make sure ca_key.pub (only the public key) is on the server at the path below, then edit the server’s SSH configuration file (/etc/ssh/sshd_config) and add or modify these lines:
    TrustedUserCAKeys /home/<username>/.ssh/certs/ca_key.pub
    PubkeyAuthentication yes
    AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

    Replace <username> with the actual username. The AuthorizedKeysFile line is the default; ensure it exists so ordinary key logins keep working alongside certificates.

  2. Restart the SSH service:
    sudo systemctl restart sshd

4. Connect Using the Certificate

  1. Copy the certificate (~/.ssh/id_rsa-cert.pub) to the user’s client machine (if not already there).
  2. Configure your SSH client: Edit ~/.ssh/config and add an entry for the server:
    Host <server>
      User <username>
      IdentityFile ~/.ssh/id_rsa
      CertificateFile ~/.ssh/id_rsa-cert.pub

    Replace <server> and <username> with the appropriate values.

  3. Connect to the server:
    ssh <username>@<server>

    You should be prompted for your key’s passphrase (if any) but not for a password. The server will verify the certificate against the trusted CA.

Revoking Access

To revoke access, you need to update the CA’s revocation list. This is beyond the scope of this basic guide, but involves creating a revoked_keys file and pointing the server at it (sshd reads it through its RevokedKeys option). See the OpenSSH documentation for details.
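The whole procedure above, plus the revocation step this section only mentions, as an added example that is not from the original post. It runs entirely in a temporary directory with ssh-keygen alone (no sshd), uses ed25519 keys for speed instead of the guide’s rsa -b 4096, and the principal deploy, the serial 42, the forced command and the source network are made-up values chosen to show the fine-grained restrictions listed under Benefits.

```shell
#!/bin/sh
# Added example, not from the original post: a throwaway CA in a temp dir signs
# a restricted user certificate, inspects it, then revokes it with a KRL.
# Needs only OpenSSH's ssh-keygen; no sshd is involved. All names are made up.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/id_ed25519-cert.pub"
KRL="$WORK/revoked_keys"   # sshd would point RevokedKeys at this file

# CA key pair (ed25519 here for speed; the guide uses rsa -b 4096).
make_ca() {
  ssh-keygen -q -t ed25519 -N '' -C 'ssh-user-ca' -f "$WORK/ca_key"
}

# User key, then a certificate for principal "deploy" (matched against the
# login name) limited to one command and one source network for one day.
# -z gives a unique serial so the cert can later be revoked by serial; -O clear
# drops the default extensions (pty, agent/port forwarding) before adding options.
sign_user() {
  ssh-keygen -q -t ed25519 -N '' -f "$WORK/id_ed25519"
  ssh-keygen -q -s "$WORK/ca_key" -I 'deploy@laptop' -n deploy -z 42 -V +1d \
    -O clear -O force-command=/usr/bin/git-shell -O source-address=10.0.0.0/8 \
    "$WORK/id_ed25519.pub"
}

# Checks a reviewer would run on the cert before handing it to the user.
has_principal() {   # $1 = principal name, listed under "Principals:"
  ssh-keygen -L -f "$CERT" | grep -qE "^[[:space:]]+$1\$"
}
has_option() {      # $1 = "name value" as printed under "Critical Options:"
  ssh-keygen -L -f "$CERT" | grep -qF "$1"
}

# Revocation: build a KRL that revokes this certificate's serial under our CA.
revoke_cert() {
  ssh-keygen -q -k -f "$KRL" "$CERT"
}
# Returns 0 if the KRL rejects the cert (ssh-keygen -Q exits non-zero when
# any key it is given is revoked).
is_revoked() {
  if ssh-keygen -Q -f "$KRL" "$CERT" >/dev/null; then return 1; else return 0; fi
}

make_ca
sign_user
ssh-keygen -L -f "$CERT"        # show what the CA actually vouched for
revoke_cert
is_revoked && echo "certificate serial 42 is now revoked"
```

Because the KRL revokes by serial, every certificate the CA issues needs a distinct -z value; without one, ssh-keygen falls back to revoking by key ID, which also blocks any future certificate reusing that identifier.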
