SSH Certificate Authentication
There are two types of SSH certificate:
- Root certificate
- Host certificate
A root certificate can only be used to issue host certificates. A host certificate can be used for authentication on both the server side and the client side, but a host certificate cannot issue a new certificate; this is the key difference from X.509 certificates.
issue a server certificate
Fetch /etc/ssh/ssh_host_rsa_key.pub from the target server (salt is your friend).
Run ssh-keygen to sign the public key. For example:
ssh-keygen -s /path/to/ssh_ca -I blog -h -n blog.s.ustclug.org,blog.p.ustclug.org,10.254.0.15,22.214.171.124,126.96.36.199 ssh_host_rsa_key.pub
Then, copy the certificate file ssh_host_rsa_key-cert.pub back to the target server.
At last, add the following line to
The certificate will not take effect until the SSH daemon is restarted.
issue a client certificate
ssh-keygen -s /path/to/ssh_ca -I certificate_identity -n principals -O option -V validity_interval public_key_file
ssh-keygen -s /path/to/ssh_ca -I "Yifan Gao" -n yifan -V +365d yifan.pub
In general, certificate_identity is the user's full name, and principals is the LDAP user name. In addition, one user can own multiple principals in one certificate, like:
ssh-keygen -s /path/to/ssh_ca -I "Yifan Gao" -n yifan,root,liims -V +365d yifan.pub
It authorizes the certificate owner to log in to the server with the yifan, root and liims usernames.
Tip: the "liims" principal is used to log in to the library inquiry machine.
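To see what the -I, -n, -V and -h options above actually put into a certificate, here is an added example (not the page's or OpenSSH's code) that encodes and decodes the OpenSSH certificate wire format and applies the type, principal and validity checks sshd makes before accepting a certificate. The key material, CA key and signature bytes are constructed placeholders, and no signature is verified; build_cert, parse_cert and authorizes are names chosen here.

```python
import struct

# Constructed example: OpenSSH certificate wire format (ssh-rsa-cert-v01@openssh.com,
# field order per PROTOCOL.certkeys). Key material and signature are placeholders.
CERT_TYPE_USER, CERT_TYPE_HOST = 1, 2

def ssh_string(b): return struct.pack(">I", len(b)) + b   # uint32 length + bytes

def build_cert(key_id, principals, valid_after, valid_before, cert_type=CERT_TYPE_USER):
    # Fields that ssh-keygen -I / -n / -V / -h populate, plus placeholders for the rest.
    fields = [
        ssh_string(b"ssh-rsa-cert-v01@openssh.com"),
        ssh_string(b"\x00" * 32),                            # nonce
        ssh_string(b"\x01\x00\x01"),                         # e (placeholder mpint)
        ssh_string(b"\x00" + b"\x42" * 16),                  # n (placeholder mpint)
        struct.pack(">Q", 1),                                # serial
        struct.pack(">I", cert_type),                        # 1 = user, 2 = host (-h)
        ssh_string(key_id.encode()),                         # -I certificate_identity
        ssh_string(b"".join(ssh_string(p.encode()) for p in principals)),  # -n list
        struct.pack(">Q", valid_after),                      # -V start (epoch seconds)
        struct.pack(">Q", valid_before),                     # -V end (epoch seconds)
        ssh_string(b""), ssh_string(b""), ssh_string(b""),   # critical opts, extensions, reserved
        ssh_string(b"CA-KEY-PLACEHOLDER"),                   # CA public key
        ssh_string(b"SIGNATURE-PLACEHOLDER"),                # signature over all prior fields
    ]
    return b"".join(fields)

def parse_cert(blob):
    # Decode the fields an admin reviews with `ssh-keygen -L`; no signature check.
    pos = 0
    def rd(fmt):                                             # fixed-width integer
        nonlocal pos
        (v,) = struct.unpack_from(fmt, blob, pos); pos += struct.calcsize(fmt); return v
    def rd_str():                                            # length-prefixed bytes
        nonlocal pos
        n = rd(">I"); s = blob[pos:pos + n]; pos += n; return s
    kind = rd_str().decode()
    for _ in range(3): rd_str()                              # skip nonce, e, n
    serial, ctype, key_id = rd(">Q"), rd(">I"), rd_str().decode()
    packed, principals, p = rd_str(), [], 0
    while p < len(packed):                                   # nested list of strings
        (n,) = struct.unpack_from(">I", packed, p); p += 4
        principals.append(packed[p:p + n].decode()); p += n
    after, before = rd(">Q"), rd(">Q")
    return {"kind": kind, "serial": serial, "type": ctype, "key_id": key_id,
            "principals": principals, "valid_after": after, "valid_before": before}

def authorizes(cert, principal, now, want_type=CERT_TYPE_USER):
    # Type, principal and validity-window checks as sshd applies them (signature omitted).
    return (cert["type"] == want_type and principal in cert["principals"]
            and cert["valid_after"] <= now < cert["valid_before"])
```

A user certificate signed with -n yifan,root,liims therefore authorizes exactly those three principals, and a host certificate (type 2) is never accepted as a user certificate even if a principal matches.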