Certificate-based SSH authentication

Created by Jovin Langenegger, last modified on Jun 12, 2020

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Abstract

Certificate-based SSH authentication is superior to SSH keys in many ways:

SSH certificates intrinsically possess a validity period before and after which they are invalid for providing authentication.
SSH certificates can be embedded with SSH restrictions that limit:
- Who can use the certificate
- The list of available SSH features (X11Forwarding, AgentForwarding, etc)
- Which SSH client machines can use the certificate
- Commands that can be run via SSH

The following github repository can be used to configure all servers as well as an explanation how to setup a client.

Repository

https://github.com/jlangenegger/ssh_certificate/

Setup

For the purposes of this explanation, let’s consider three systems:

Certification Authority (CA)
- System name “ca.netdef.org“
- Will host our Certification Authority
Host
- System name “host.netdef.org“
- Will function as an SSH server
Client
- System name "client.netdef.org"
- Will function as an SSH client

Certificates

There are two different certificates.

client certificate
- This certificate is stored on the client and is provided to the host during the ssh connection establishment.
- It is used on the host side to authenticate the clients that try to login.
host certificate
- This certificate is stored on the host and is provided to the client during the ssh connection establishment.
- It is used on the client side to authenticate the host that the client tries to login.

No labels