1. Information

With SSH certificates, you generate a certificate authority (CA) key pair and use its private key to sign public keys. The result is a certificate that authenticates a host to users (host certificate) or a user to hosts (user certificate); the relying side only has to trust the CA public key instead of every individual key.

For host certificates, the CA public key is marked as trusted globally in the /etc/ssh/ssh_known_hosts file or per user in the ~/.ssh/known_hosts file by prefixing its line with the @cert-authority marker.

For user certificates, the CA public key is marked as trusted globally with the TrustedUserCAKeys directive in the /etc/ssh/sshd_config file or per user in the ~/.ssh/authorized_keys file with the cert-authority option.

  • On Linux the SSH server directory is /etc/ssh and the SSH client directory is /home/<user>/.ssh.

  • On Windows the SSH server directory is C:\ProgramData\ssh and the SSH client directory is C:\Users\<User>\.ssh.

  • The openssl commands below inspect X.509 certificates (here the Sophos .crt files), which are a different format from OpenSSH certificates; an OpenSSH certificate is inspected with ssh-keygen -L -f <file>-cert.pub instead. See https://www.golinuxcloud.com/openssl-view-certificate.

  • Enter the following commands at a Command Line.

    openssl x509 -noout -text -in /home/Other/Tmp/smru-sfw-mrm_LSC.crt                                   # PEM encoded.
    openssl x509 -inform DER -noout -text -in /media/Teams/IT/System/Sophos/CA/smru-sfw-mrm_CA.crt       # DER encoded.

2. Certificate Authority

2.1. Host Certificates

  • Log in as smru on the tbhf-ops-mrm server.

  • Type su - to elevate to root privileges.

  • Enter the following commands at a Command Line.

    # Generate certificate authority for host certificates.
    # Use level 1+2+3 passphrase.
    ssh-keygen -C "smru_host_ca" -a 200 -f smru_host_ca -t ed25519
    
    # Show files.
    ls -al smru_host_ca*
    
    # Show key fingerprint.
    ssh-keygen -f smru_host_ca -l           # SHA256 format.
    ssh-keygen -E md5 -f smru_host_ca -l    # MD5 format.
    
    # Copy public key to SSH Certificates repository.
    cp -a smru_host_ca.pub "/media/Teams/IT/Public/SSH Certificates"
  • Store the private key as an attachment in the KeePass Password Manager.

  • Store the public key as an attachment in the KeePass Password Manager.

2.2. User Certificates

  • Log in as smru on the tbhf-kvm-mrm server.

  • Enter the following commands at a Command Line.

    # Generate certificate authority for user certificates.
    # Use level 1+2+3 passphrase.
    ssh-keygen -C "smru_user_ca" -a 200 -f smru_user_ca -t ed25519
    
    # Show files.
    ls -al smru_user_ca*
    
    # Show key fingerprint.
    ssh-keygen -f smru_user_ca -l           # SHA256 format.
    ssh-keygen -E md5 -f smru_user_ca -l    # MD5 format.
    
    # Copy public key to SSH Certificates repository.
    cp -a smru_user_ca.pub "/media/Teams/IT/Public/SSH Certificates"
  • Store the private key as an attachment in the KeePass Password Manager.

  • Store the public key as an attachment in the KeePass Password Manager.

3. Configuration

3.1. Linux

  • Enter the following commands at a Command Line.

    sudo smru setup share SMRU-SRV Teams$   # Add Teams$ (itadmin) share to /etc/fstab.
    sudo smru config openssh

3.2. Windows

  • Enter the following commands at a Command Prompt with administrative privileges.

    net.exe use T: \\SMRU-SRV\Teams$ /P:No
    Set-ConfigOpenSshClient
    Set-ConfigOpenSshServer

4. Digital Signing

  • Note: Pass -z <serial> when signing a certificate, with a serial that is unique per CA. ssh-keygen otherwise writes serial 0, and only a unique serial lets you later revoke exactly one certificate: add a serial: <number> line to the CA's Key Revocation List (ssh-keygen -k -s <ca_key> ...) and point RevokedKeys in sshd_config at that KRL.

4.1. Host Certificates

  • Log in as smru on the tbhf-kvm-mrm server.

  • Enter the following commands at a Command Line.

    # Set some variables.
    host=<hostname>
    repo="/media/Teams/IT/Public/SSH Certificates"
    # Sign host public key with smru host certificate authority to create host certificate.
    # -h marks a host certificate; -z <serial> gives it a unique serial so it can be revoked individually later.
    # Use the lower-case host name for -n: the ssh client lower-cases the name it connects to before
    # comparing it with the certificate principals, so an upper-case principal (as Windows computers
    # often have) never matches and Linux computers cannot connect to the Windows computer.
    ssh-keygen -I ${host} -z <serial> -V 20220101:20321231 -h -n ${host} -s smru_host_ca "${repo}/${host}-ssh_host_ed25519_key.pub"
    # Show files.
    ls -al "${repo}/${host}-ssh_host_ed25519_key"*
    # Show contents of signed host certificate.
    ssh-keygen -L -f "${repo}/${host}-ssh_host_ed25519_key-cert.pub"

4.2. User Certificates

  • Log in as smru on the tbhf-kvm-mrm server.

  • Enter the following commands at a Command Line.

    # Set some variables.
    host=<hostname>
    repo="/media/Teams/IT/Public/SSH Certificates"
    # Sign user public key with smru user certificate authority.
    # -n lists the account names this certificate may log in as; -z <serial> gives it a unique serial for revocation.
    ssh-keygen -I smru-it@shoklo-unit.com -z <serial> -V 20220101:20321231 -n Administrator,smru -s smru_user_ca "${repo}/${host}-id_ed25519.pub"
    # Show files.
    ls -al "${repo}/${host}-id_ed25519"*
    # Show contents of signed user certificate.
    ssh-keygen -L -f "${repo}/${host}-id_ed25519-cert.pub"
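The fields that ssh-keygen -L prints, and the reasons behind the -z and -n advice in this section, become concrete when a certificate is decoded by hand. The following is an added example, not part of this runbook: Python that parses an Ed25519 OpenSSH certificate line (the wire format from OpenSSH's PROTOCOL.certkeys) with the standard library only, and audits it against an issuance policy (non-zero serial, non-empty principals, bounded lifetime, expected certificate type, no privileged user principals). The policy limits, the audit() function and the build_test_cert() constructor are this example's own assumptions; the constructed test certificates carry dummy key and signature bytes and are not signed, so they exist only to exercise the parser offline.

```python
"""Parse OpenSSH certificates (PROTOCOL.certkeys wire format) and audit them.
Added example, not part of this runbook; standard library only. The policy in
audit() and the certificates from build_test_cert() are this example's own; the
test certificates carry dummy key and signature bytes and are NOT signed."""
import base64
import calendar
import struct

CERT_TYPE_USER = 1
CERT_TYPE_HOST = 2
NEVER_EXPIRES = 0xFFFFFFFFFFFFFFFF   # valid_before of a certificate signed without -V

def _string(data, off):
    """Read an SSH 'string': uint32 big-endian length, then that many bytes."""
    (n,) = struct.unpack_from(">I", data, off)
    return data[off + 4:off + 4 + n], off + 4 + n

def _num(fmt, data, off):
    return struct.unpack_from(fmt, data, off)[0], off + struct.calcsize(fmt)

def _names(blob, pairs):
    """Decode a string-of-strings: principals, or (name, data) option pairs (names only)."""
    out, off = [], 0
    while off < len(blob):
        s, off = _string(blob, off)
        if pairs:
            _data, off = _string(blob, off)
        out.append(s.decode())
    return out

def parse_cert(line):
    """Parse one Ed25519 *-cert.pub line ('<type> <base64> [comment]') into its fields."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    inner_type, off = _string(blob, 0)
    if inner_type.decode() != key_type:
        raise ValueError("type field does not match the certificate blob")
    if key_type != "ssh-ed25519-cert-v01@openssh.com":
        raise ValueError("unsupported certificate type " + key_type)
    _nonce, off = _string(blob, off)
    _pk, off = _string(blob, off)                      # 32-byte Ed25519 public key
    cert = {}
    cert["serial"], off = _num(">Q", blob, off)
    cert["cert_type"], off = _num(">I", blob, off)
    key_id, off = _string(blob, off)
    cert["key_id"] = key_id.decode()
    principals, off = _string(blob, off)
    cert["principals"] = _names(principals, pairs=False)
    cert["valid_after"], off = _num(">Q", blob, off)
    cert["valid_before"], off = _num(">Q", blob, off)
    crit, off = _string(blob, off)
    cert["critical_options"] = _names(crit, pairs=True)
    ext, off = _string(blob, off)
    cert["extensions"] = _names(ext, pairs=True)
    _reserved, off = _string(blob, off)
    cert["signature_key"], off = _string(blob, off)    # CA public key blob
    cert["signature"], off = _string(blob, off)
    return cert

def audit(cert, expected_type, max_days, privileged=("root", "Administrator")):
    """Return policy findings; an empty list means the certificate passes.
    max_days and the privileged principal list are this example's assumptions."""
    findings = []
    if cert["cert_type"] != expected_type:
        findings.append("certificate type %d, expected %d" % (cert["cert_type"], expected_type))
    if cert["serial"] == 0:
        findings.append("serial is 0: sign with -z so it can be revoked individually")
    if not cert["principals"]:
        findings.append("no principals: valid for any user or host name")
    if cert["valid_before"] == NEVER_EXPIRES:
        findings.append("certificate never expires")
    else:
        days = (cert["valid_before"] - cert["valid_after"]) // 86400
        if days > max_days:
            findings.append("lifetime %d days exceeds %d days" % (days, max_days))
    if expected_type == CERT_TYPE_USER:
        priv = sorted(set(cert["principals"]) & set(privileged))
        if priv:
            findings.append("privileged principals: " + ",".join(priv))
    return findings

def _pack(*items):
    """Encode byte strings as consecutive SSH strings."""
    return b"".join(struct.pack(">I", len(i)) + i for i in items)

def utc(year, month, day):
    """Midnight UTC as a Unix timestamp (ssh-keygen -V itself uses local time)."""
    return calendar.timegm((year, month, day, 0, 0, 0))

def build_test_cert(serial, cert_type, key_id, principals, valid_after, valid_before):
    """CONSTRUCTED, UNSIGNED Ed25519 certificate for offline tests: dummy nonce, key, CA key, signature."""
    body = _pack(b"ssh-ed25519-cert-v01@openssh.com", b"\x00" * 32, b"\x11" * 32)
    body += struct.pack(">QI", serial, cert_type)
    body += _pack(key_id.encode(), _pack(*[p.encode() for p in principals]))
    body += struct.pack(">QQ", valid_after, valid_before)
    body += _pack(b"", _pack(b"permit-pty", b""), b"")   # critical options, extensions, reserved
    body += _pack(_pack(b"ssh-ed25519", b"\x22" * 32), _pack(b"ssh-ed25519", b"\x33" * 64))
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(body).decode() + " constructed"
```

Run parse_cert(open(path).read()) against any ssh-ed25519-cert-v01@openssh.com file in the SSH Certificates repository to audit what the CA has already issued; a ten-year user certificate signed without -z, as in 4.2 above, yields the serial, lifetime and Administrator findings, while a one-day host certificate with a serial passes audit(cert, CERT_TYPE_HOST, 365) cleanly.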

5. Host Certificates

The benefit of using host certificates is twofold.

  • No more relying on the insecure trust-on-first-use model for new hosts. Because the host presents a certificate signed by the trusted CA, the client no longer shows the "The authenticity of host '<host> (<ip>)' can't be established. <key fingerprint>. Are you sure you want to continue connecting (yes/no)?" prompt.

  • If the host key of a host changes (for example after a reinstall), the host presents a new certificate once the new key has been signed by the same CA, and clients accept it without the "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" message, so the new key does not have to be distributed to every client.

5.1. Create host CA

Create a CA (certificate authority) for signing host certificates.

  • Log in as smru on the tbhf-kvm-mrm server.

  • Type su - to elevate to root privileges.

  • Enter the following commands at a Command Line.

    # Generate a certificate authority for host certificates.
    # Use the level 1+2+3 password for the passphrase.
    ssh-keygen -C "smru_host_ca" -a 200 -f smru_host_ca -t ed25519   # -b is ignored for ed25519 keys (fixed size).
    
    # Show the files.
    ls -al smru_host_ca*
    
    # Show the key fingerprint.
    ssh-keygen -f smru_host_ca -l           # SHA256 format.
    ssh-keygen -E md5 -f smru_host_ca -l    # MD5 format.
  • Store the private key as an attachment in the KeePass Password Manager.

  • Store the public key as an attachment in the KeePass Password Manager.

5.2. Issue host certificate

  • Create a new host key pair in the SSH server directory if the host does not have one yet (the commands below use the ssh_host_rsa_key pair; section 4 uses ssh_host_ed25519_key).

  • Copy the host public key, i.e. the ssh_host_rsa_key.pub file located in the SSH server directory, from the Linux/Windows host.

  • Sign the host public key with the smru host certificate authority to create a host certificate.

  • Copy the signed host certificate back to the SSH server directory on the Linux/Windows host.

  • Log in as smru on the tbhf-kvm-mrm server.

  • Enter the following commands at a Command Line.

    # Copy the host public key from the Linux/Windows host.
    scp -p smru@<host>:/etc/ssh/ssh_host_rsa_key.pub .
    scp -p Administrator@<host>:C:/ProgramData/ssh/ssh_host_rsa_key.pub .
    
    # Sign the host public key with the smru host certificate authority to create a host certificate.
    ssh-keygen -I <host> -V +52w -h -n <host> -s smru_host_ca ssh_host_rsa_key.pub
    
    # Show the files.
    ls -al ssh_host_rsa_key*
    
    # Show the contents of the signed host certificate.
    ssh-keygen -L -f ssh_host_rsa_key-cert.pub
    
    # Copy the signed host certificate back to the Linux/Windows host.
    scp -p ssh_host_rsa_key-cert.pub smru@<host>:/etc/ssh
    scp -p ssh_host_rsa_key-cert.pub Administrator@<host>:C:/ProgramData/ssh

5.3. SSH Client Configuration

  • Add the host CA’s public key (the contents of the smru_host_ca.pub file) to the known_hosts file, prefixed with the @cert-authority marker and a host name pattern that matches the names as users type them (here the fully qualified names in the smru.shoklo-unit.com domain; a short host name does not match this pattern).

  • Contents of the known_hosts file located in the SSH client directory (the key type is ssh-ed25519 because the CA was generated with -t ed25519; the key data is elided).

    @cert-authority *.smru.shoklo-unit.com ssh-ed25519 ******** smru_host_ca
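To see why the @cert-authority pattern and the lower-case principal matter, here is an added example (Python, not part of this runbook) that re-implements the OpenSSH client's match_pattern() and match_pattern_list() glob rules and the two name checks it applies to a host certificate: the host name as typed is lower-cased, an @cert-authority entry whose pattern matches that name must carry the key of the CA that signed the certificate, and the name must appear among the certificate's principals by exact comparison. Signature verification is assumed to have passed and is not modelled; the known_hosts line and CA key text are constructed placeholders, not real keys.

```python
"""How the OpenSSH client decides to accept a host certificate.

Added example, not part of this runbook. Re-implements OpenSSH's match_pattern()
and match_pattern_list() glob rules and the two name checks applied to a host
certificate; signature verification is assumed to have passed and is not modelled.
The known_hosts line and CA key text below are constructed placeholders."""


def match_pattern(s, pattern):
    """OpenSSH glob: '*' matches any run of characters, '?' exactly one, else literal."""
    if not pattern:
        return s == ""
    if pattern[0] == "*":
        return any(match_pattern(s[i:], pattern[1:]) for i in range(len(s) + 1))
    if not s or (pattern[0] != "?" and pattern[0] != s[0]):
        return False
    return match_pattern(s[1:], pattern[1:])


def match_pattern_list(s, pattern_list):
    """Comma-separated patterns, '!' negates: 1 positive match, -1 negated match
    (the entry rejects), 0 no match. Both sides are lower-cased like match_hostname()."""
    s, got_positive = s.lower(), 0
    for sub in pattern_list.lower().split(","):
        negated = sub.startswith("!")
        if match_pattern(s, sub[1:] if negated else sub):
            if negated:
                return -1
            got_positive = 1
    return got_positive


def cert_authorities_for(hostname, known_hosts_lines):
    """CA keys (type, base64) that known_hosts trusts to certify this host name."""
    cas = []
    for line in known_hosts_lines:
        fields = line.split()
        # Only '@cert-authority <patterns> <type> <base64> [comment]' lines count;
        # plain key lines and hashed (|1|...) entries are ignored by this example.
        if len(fields) < 4 or fields[0] != "@cert-authority" or fields[1].startswith("|"):
            continue
        if match_pattern_list(hostname, fields[1]) == 1:
            cas.append((fields[2], fields[3]))
    return cas


def host_cert_accepted(hostname_as_typed, known_hosts_lines, signing_ca, cert_principals):
    """Mirror the client's checks. ssh lower-cases the host name first, then requires
    (1) an @cert-authority entry matching that name whose key is the CA that signed
    the certificate, and (2) the name to be one of the certificate's principals by
    exact comparison, so an upper-case principal (common on Windows) never matches.
    A certificate with no principals is valid for any host name."""
    host = hostname_as_typed.lower()
    if signing_ca not in cert_authorities_for(host, known_hosts_lines):
        return False, "no @cert-authority entry for %s signed by this CA" % host
    if cert_principals and host not in cert_principals:
        return False, "%s is not a listed principal" % host
    return True, "host certificate accepted"


# Constructed known_hosts content: the CA key text is a placeholder, not a real key.
CA_KEY = ("ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIExampleHostCaKeyNotARealKey")
KNOWN_HOSTS = [
    "@cert-authority *.smru.shoklo-unit.com,!legacy.smru.shoklo-unit.com %s %s smru_host_ca" % CA_KEY,
]

if __name__ == "__main__":
    for typed, principals in [
        ("TBHF-KVM-MRM.smru.shoklo-unit.com", ["tbhf-kvm-mrm.smru.shoklo-unit.com"]),
        ("tbhf-kvm-mrm.smru.shoklo-unit.com", ["TBHF-KVM-MRM.smru.shoklo-unit.com"]),
        ("tbhf-kvm-mrm", ["tbhf-kvm-mrm"]),
    ]:
        print(typed, "->", host_cert_accepted(typed, KNOWN_HOSTS, CA_KEY, principals))
```

The three demo cases show the failure modes behind the advice in this page: a user typing the name in upper case still connects because the client lower-cases it, a certificate whose principal was signed in upper case is rejected as "not a listed principal", and a short host name matches no @cert-authority pattern and falls back to the trust-on-first-use prompt.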

5.4. SSH Server Configuration

  • Send an email to smru-it@shoklo-unit.com to request a signed host certificate for the ssh_host_rsa_key.pub file.

  • Fix the permissions of the ssh_host_rsa_key-cert.pub file to match the other public key files in the SSH server directory on the Linux/Windows host.

  • Add the HostCertificate …/ssh_host_rsa_key-cert.pub line to the sshd_config file.

  • Contents of the sshd_config file located in the SSH server directory. Use only the pair for your platform: sshd_config does not accept trailing comments, so the platform labels below are on their own lines.

    # Linux.
    HostKey /etc/ssh/ssh_host_rsa_key
    HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
    
    # Windows.
    HostKey C:\ProgramData\ssh\ssh_host_rsa_key
    HostCertificate C:\ProgramData\ssh\ssh_host_rsa_key-cert.pub
    
    # Windows, using the __PROGRAMDATA__ placeholder.
    HostKey __PROGRAMDATA__/ssh/ssh_host_rsa_key
    HostCertificate __PROGRAMDATA__/ssh/ssh_host_rsa_key-cert.pub
  • Restart the OpenSSH Server.

    systemctl restart ssh   # Linux.
    net.exe stop sshd       # Windows.
    net.exe start sshd      # Windows.

5.5. Usage

  • Log on as a standard user on a Linux computer.

  • Enter the following commands at a Command Line and check the debug output for the Server host certificate: line (serial, key ID, CA fingerprint and validity period) followed by Host '<host>' is known and matches the ... host certificate. If the trust-on-first-use prompt appears instead, the @cert-authority pattern or the certificate principal does not match the host name as typed.

    ssh -vv Administrator@<host>
    ssh -vv smru@<host>
  • Log on as a standard user on a Windows computer.

  • Enter the following commands at a Command Prompt.

    ssh.exe -vv Administrator@<host>
    ssh.exe -vv smru@<host>

6. User Certificates

6.1. Create user CA

Create a CA (certificate authority) for signing user certificates.

  • Log in as smru on the tbhf-kvm-mrm server.

  • Enter the following commands at a Command Line.

    # Generate a certificate authority for user certificates.
    # Use the level 1+2+3 password for the passphrase.
    ssh-keygen -C "smru_user_ca" -a 200 -f smru_user_ca -t ed25519   # -b is ignored for ed25519 keys (fixed size).
    
    # Show the files.
    ls -al smru_user_ca*
    
    # Show the key fingerprint.
    ssh-keygen -f smru_user_ca -l           # SHA256 format.
    ssh-keygen -E md5 -f smru_user_ca -l    # MD5 format.
  • Store the private key as an attachment in the KeePass Password Manager.

  • Store the public key as an attachment in the KeePass Password Manager.

6.2. Issue user certificate

  • Copy the user public key from a Linux/Windows computer.

  • Sign the user public key with the smru user certificate authority.

  • Copy the signed user certificate back to the Linux/Windows computer.

  • Log in as smru on the tbhf-kvm-mrm server.

  • Enter the following commands at a Command Line.

    # Copy the user public key from a Linux/Windows computer.
    scp -p smru@<host>:/home/<user>/.ssh/id_rsa.pub .
    scp -p Administrator@<host>:C:/Users/Administrator/.ssh/id_rsa.pub .
    
    # Sign the user public key with the smru user certificate authority.
    ssh-keygen -I smru-it@shoklo-unit.com -V +1d -n Administrator,root,smru -s smru_user_ca id_rsa.pub
    
    # Show the files.
    ls -al id_rsa*
    
    # Show the contents of the signed user certificate.
    ssh-keygen -L -f id_rsa-cert.pub
    
    # Copy the signed user certificate back to the Linux/Windows computer.
    scp -p id_rsa-cert.pub smru@<host>:/home/<user>/.ssh
    scp -p id_rsa-cert.pub Administrator@<host>:C:/Users/Administrator/.ssh

6.3. SSH Client Configuration

  • Generate a new private/public key pair in the SSH client directory.

  • Send an email to smru-it@shoklo-unit.com to request a signed user certificate for the id_rsa.pub file.

  • Copy the signed user certificate, i.e. the id_rsa-cert.pub file, to the SSH client directory.

6.4. SSH Server Configuration

  • Copy the smru_user_ca.pub file and store it in the SSH server directory for each Linux/Windows host.

  • Fix the permissions of the smru_user_ca.pub file to match the other public key files.

  • Add the TrustedUserCAKeys …/smru_user_ca.pub line to the sshd_config file.

  • Contents of the sshd_config file located in the SSH server directory. Use only the line for your platform: sshd_config does not accept trailing comments, so the platform labels below are on their own lines.

    # Linux.
    TrustedUserCAKeys /etc/ssh/smru_user_ca.pub
    
    # Windows.
    TrustedUserCAKeys C:\ProgramData\ssh\smru_user_ca.pub
    
    # Windows, using the __PROGRAMDATA__ placeholder.
    TrustedUserCAKeys __PROGRAMDATA__/ssh/smru_user_ca.pub
  • Restart the OpenSSH Server.

    systemctl restart ssh   # Linux.
    net.exe stop sshd       # Windows.
    net.exe start sshd      # Windows.

6.5. Usage

  • Log in as a standard user on a Linux computer.

  • Enter the following commands at a Command Line.

    # ssh loads id_rsa-cert.pub automatically when it sits next to id_rsa.
    ssh -i /home/<user>/.ssh/id_rsa Administrator@<host>    # Windows host.
    ssh -i /home/<user>/.ssh/id_rsa smru@<host>             # Linux host.
    # CertificateFile is only needed when the certificate is stored elsewhere;
    # a relative path is resolved against the current directory.
    ssh -i /home/<user>/.ssh/id_rsa -o CertificateFile=id_rsa-cert.pub smru@<host>
  • Log on as a standard user on a Windows computer.

  • Enter the following commands at a Command Prompt.

    ssh.exe -i C:\Users\<User>\.ssh\id_rsa Administrator@<host>     # Windows host.
    ssh.exe -i C:\Users\<User>\.ssh\id_rsa smru@<host>              # Linux host.
    ssh.exe -i C:\Users\<User>\.ssh\id_rsa -o CertificateFile=id_rsa-cert.pub smru@<host>