SSH Certificate Authentication

discussion: Discussion of migrating SSH to certificate-based login

usage: How to use SSH certificate authentication


There are two kinds of key in an OpenSSH certificate setup:

  • Root certificate (the CA key pair, /path/to/ssh_ca below)
  • Host certificate (any key signed by the CA; OpenSSH distinguishes host certificates, which authenticate a server to its clients, from user certificates, which authenticate a client to a server)

The root certificate can only be used to issue certificates. A certificate is used for authentication, on the server side as a host certificate and on the client side as a user certificate, but it can never issue another certificate: the chain is always exactly one level deep, which is the main difference from X.509.

The root certificate is stored on cuihaoleo's Loongson laptop, and knight42 keeps a backup.

issue a server certificate

Copy the host public key from /etc/ssh/ on the target server (Salt is your friend). Only the public key is needed; the private host key never leaves the server.

Then run ssh-keygen to sign that public key, which produces the host certificate (written next to the public key as <name>-cert.pub). -h marks it as a host certificate, -I is a free-form identity that shows up in logs, and -n lists, comma separated, the hostnames clients may use to reach the server. For example:

ssh-keygen -s /path/to/ssh_ca -I blog -h -n,,,,

Then copy the certificate file back to the target server.

Finally, add the following line to /etc/ssh/sshd_config, pointing at the copied certificate (keep the matching HostKey line, since the certificate only vouches for that key):

HostCertificate /etc/ssh/

The certificate takes effect only after the SSH daemon is restarted (or reloaded). Clients also have to trust the CA: without an @cert-authority line for the CA public key in their known_hosts they keep seeing the plain host key and the certificate changes nothing for them.

issue a client certificate

ssh-keygen -s /path/to/ssh_ca -I certificate_identity -n principals -O option -V validity_interval public_key_file

For example:

ssh-keygen -s /path/to/ssh_ca -I "Yifan Gao" -n yifan -V +365d

In general, certificate_identity is the user's full name and principals is the LDAP user name; the last argument is the user's public key file, and the certificate is written beside it as <name>-cert.pub. -O can restrict what the certificate permits (for example source-address, no-port-forwarding or force-command) and may be repeated. One user can also own multiple principals in one certificate, like:

ssh-keygen -s /path/to/ssh_ca -I "Yifan Gao" -n yifan,root,liims -V +365d

It authorizes the certificate holder to log in to the server as yifan, root or liims. The server only accepts user certificates if its sshd_config has TrustedUserCAKeys pointing at the CA public key; with that in place no authorized_keys entry is needed for the user.

tip: the "liims" principal is used to log in to the library inquiry machine.
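The full procedure from both sections above, run end to end against a throwaway CA, as an added example that is not part of this wiki page. It also writes the two configuration pieces the page does not spell out: TrustedUserCAKeys in sshd_config, without which sshd ignores user certificates, and an @cert-authority line for the client's known_hosts. The CA location, the hostnames (blog.example.org), the 10.0.0.0/8 source-address range and the key file names are made up for the demo; the identity and principals are the page's own.

```shell
#!/bin/sh
# Added example, not code from the wiki page. Everything lives in a temp dir so
# nothing touches /etc/ssh; hostnames, paths and the address range are made up.
set -u

# Stand-in for /path/to/ssh_ca. In real use the private half never leaves the
# offline machine that holds the root certificate.
make_ca() {
    ssh-keygen -q -t ed25519 -N '' -C 'demo ssh CA' -f "$WORK/ssh_ca"
}

# Server side: sign the host public key (-h), pinning the names clients may
# use to reach it (-n) and a validity window (-V). Only the .pub is signed.
issue_host_cert() {
    ssh-keygen -q -t ed25519 -N '' -f "$WORK/ssh_host_ed25519_key" || return 1
    ssh-keygen -q -s "$WORK/ssh_ca" -I blog -h \
        -n blog.example.org,blog -V +52w \
        "$WORK/ssh_host_ed25519_key.pub" || return 1
    # What goes into sshd_config: the host cert next to its HostKey, plus
    # TrustedUserCAKeys so the server accepts user certs signed by this CA.
    cat > "$WORK/sshd_config.certs" <<EOF
HostKey $WORK/ssh_host_ed25519_key
HostCertificate $WORK/ssh_host_ed25519_key-cert.pub
TrustedUserCAKeys $WORK/ssh_ca.pub
EOF
}

# Client side: sign the user key with the login names sshd may map it to (-n)
# and a couple of restrictions (-O), valid for a year (-V).
issue_user_cert() {
    ssh-keygen -q -t ed25519 -N '' -f "$WORK/id_ed25519" || return 1
    ssh-keygen -q -s "$WORK/ssh_ca" -I "Yifan Gao" \
        -n yifan,root,liims \
        -O no-port-forwarding -O source-address=10.0.0.0/8 \
        -V +365d \
        "$WORK/id_ed25519.pub" || return 1
    # Client-side trust for host certificates: one known_hosts line per CA
    # instead of one key per server.
    printf '@cert-authority *.example.org %s\n' "$(cat "$WORK/ssh_ca.pub")" \
        > "$WORK/known_hosts"
}

# Audit helper: does the certificate list the given principal? Reads the
# Principals block of ssh-keygen -L, which is what sshd matches against.
cert_has_principal() {
    ssh-keygen -L -f "$1" | sed -n '/Principals:/,/Critical Options:/p' \
        | grep -qx "[[:space:]]*$2"
}

# Runs the whole flow and prints ok, fail, or skip (ssh-keygen not installed).
run_demo() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo skip; return 0; }
    WORK=$(mktemp -d) || return 1
    result=fail
    if make_ca && issue_host_cert && issue_user_cert \
        && cert_has_principal "$WORK/id_ed25519-cert.pub" root \
        && cert_has_principal "$WORK/ssh_host_ed25519_key-cert.pub" blog.example.org \
        && ! cert_has_principal "$WORK/id_ed25519-cert.pub" admin; then
        ssh-keygen -L -f "$WORK/id_ed25519-cert.pub" >&2   # show what was issued
        result=ok
    fi
    rm -rf "$WORK"
    echo "$result"
}

run_demo
```

Run it with sh; it prints ok (or skip when ssh-keygen is missing) and removes its temp directory. Read the Principals, Critical Options and Extensions sections of the ssh-keygen -L listing it prints against what was passed to -n and -O: that listing is also the quickest way to audit a certificate a user hands you before deciding to trust it.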