Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Abstract

Certificate-based SSH authentication is superior to SSH keys in many ways:

  • SSH certificates intrinsically possess a validity period before and after which they are invalid for providing authentication.
  • SSH certificates can be embedded with SSH restrictions that limit:
    • Who can use the certificate
    • The list of available SSH features (X11Forwarding, AgentForwarding, etc)
    • Which SSH client machines can use the certificate
    • Commands that can be run via SSH

The following github repository can be used to configure all servers as well as an explanation how to setup a client.

Repository

https://github.com/jlangenegger/ssh_certificate/

Setup

For the purposes of this explanation, let’s consider three systems:

  • Certification Authority (CA)
    • System name “ca.netdef.org
    • Will host our Certification Authority
  • Host
  • Client

Certificates

There are two different certificates.

  • client certificate
    • This certificate is stored on the client and is provided to the host during the ssh connection establishment.
    • It is used on the host side to authenticate the clients that try to login.
  • host certificate
    • This certificate is stored on the host and is provided to the client during the ssh connection establishment.
    • It is used on the client side to authenticate the host that the client tries to login.