Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Abstract

Certificate-based SSH authentication is superior to SSH keys in many ways:

  • SSH certificates intrinsically possess a validity period before and after which they are invalid for providing authentication.
  • SSH certificates can be embedded with SSH restrictions that limit:
    • Who can use the certificate
    • The list of available SSH features (X11Forwarding, AgentForwarding, etc)
    • Which SSH client machines can use the certificate
    • Commands that can be run via SSH
Two way authentication

The following github repository can be used to configure all servers as well as the

Setup

For the purposes of this explanation, let’s consider three systems:

  • Certification Authority (CA)
    • System name “ca.netdef.org
    • Will host our Certification Authority
  • Host
  • Client

Certificates

There are two different certificates.

  • client certificate
    • This certificate is stored on the client and is provided to the host during the ssh connection establishment.
    • It is used on the host side to authenticate the clients that try to login.
  • host certificate
    • This certificate is stored on the host and is provided to the client during the ssh connection establishment.
    • It is used on the client side to authenticate the host that the client tries to login.