nimrod authored 6fe79b08

SSH-CA

This utility assists in creating an SSH certificate authority. It aims to be a production-ready, secure solution for managing SSH key pairs for both users and hosts.

Installation

git clone https://www.shore.co.il/git/ssh-ca
cd ssh-ca
sudo make install

Usage

To start a new certificate authority (creates an RSA key pair for signing, plus the hosts and users directories):

ssh-ca init

To sign a user's public key (found under users/<username>/id*.pub):

ssh-ca signuser username

To sign a host's public key (found under hosts/<hostname>/ssh_host*.pub):

ssh-ca signhost hostname

To generate a new key pair for a host, together with a signed public key:

ssh-ca newhost hostname

To generate a new key pair for a user, together with a signed public key:

ssh-ca newuser username

Authenticating hosts

  1. Sign the server's public key or generate a new pair and copy the files over.

  2. Add the following line to /etc/ssh/sshd_config:

    HostCertificate /path/to/the/signed/public/key

  3. Add a line to your known_hosts file to authorize public keys signed by the CA for a specific top-level domain. For example, if your domain is example.com and the contents of CA.pub are:

    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2fAkeidfnPn712B4uW3XhKyFt9FcJtVwSPKDSCykULg3X5gVV/Xa1yb4ameY3ihXOqQOlG3YpYnOQ8KdM67WtnERVbTJIfieRjGzoURz9NquLFXSKsuQrXMWRNHqXAHw7VirPvKL4cSc4l00Az1HDnHhMIclPY8G+8SkRIRsTwwwa5QjGF2wuhC6j5UHJSaF7qLFw9FSaCsEJTkQxtCD4+Rd/dxv3kVWSkm5DbNG0z3QHyISW7XDvyXP+1ccSb5+IWC0yQCT4OJNFUMDb+SdD7AzDHfI9Z5zTp56uGV23lywWhSvv20UPA0SyXJNGPOw7uJ1ak8q4SBh60PtOENQf ssh-ca

  Then the line will be:

    @cert-authority *.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2fAkeidfnPn712B4uW3XhKyFt9FcJtVwSPKDSCykULg3X5gVV/Xa1yb4ameY3ihXOqQOlG3YpYnOQ8KdM67WtnERVbTJIfieRjGzoURz9NquLFXSKsuQrXMWRNHqXAHw7VirPvKL4cSc4l00Az1HDnHhMIclPY8G+8SkRIRsTwwwa5QjGF2wuhC6j5UHJSaF7qLFw9FSaCsEJTkQxtCD4+Rd/dxv3kVWSkm5DbNG0z3QHyISW7XDvyXP+1ccSb5+IWC0yQCT4OJNFUMDb+SdD7AzDHfI9Z5zTp56uGV23lywWhSvv20UPA0SyXJNGPOw7uJ1ak8q4SBh60PtOENQf ssh-ca

  4. You can also add it system-wide by adding the above line to /etc/ssh/ssh_known_hosts and the following line to your ssh_config file:

    GlobalKnownHostsFile /etc/ssh/ssh_known_hosts

  5. For strict security, add the following line to your ssh_config file:

    StrictHostKeyChecking yes

Authenticating users

  1. Sign the user's public key or generate a new pair and copy them over.

  2. Copy CA.pub over to the host.

  3. Add the following line to /etc/ssh/sshd_config:

    TrustedUserCAKeys /path/to/CA.pub
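
The host and user signing steps from the two sections above, worked end to end as an added example (this is not the project's own code): plain ssh-keygen stands in for ssh-ca init, signhost and signuser, and the known_hosts line from step 3 is derived from CA.pub. The host name web1.example.com and the user alice are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the ssh-ca project: the host and user
# signing steps above done with plain ssh-keygen, plus the known_hosts
# line from step 3. Names (web1.example.com, alice) are hypothetical.
set -eu

# Build the known_hosts entry that trusts host certificates signed by this
# CA for names under the given domain. CA.pub is one line:
# "<keytype> <base64-key> [comment]", used verbatim after the pattern.
make_cert_authority_line() {
    domain=$1
    ca_pub=$2
    printf '@cert-authority *.%s %s\n' "$domain" "$(head -n 1 "$ca_pub")"
}

# Create a CA key, issue a host certificate (-h) and a user certificate,
# then confirm with ssh-keygen -L that each has the intended type.
# ed25519 is used for brevity; ssh-ca init itself creates an RSA key.
demo_sign_flow() {
    work=$1
    ssh-keygen -q -t ed25519 -N '' -C ssh-ca -f "$work/CA"
    ssh-keygen -q -t ed25519 -N '' -f "$work/ssh_host_ed25519_key"
    ssh-keygen -q -t ed25519 -N '' -f "$work/id_ed25519"
    # Host cert: -n limits it to the names clients will connect to, -V bounds
    # its lifetime; sshd serves the resulting *-cert.pub via HostCertificate.
    ssh-keygen -q -s "$work/CA" -I web1.example.com -h -n web1.example.com \
        -V +52w "$work/ssh_host_ed25519_key.pub"
    # User cert: the principal is the login name, accepted by sshd through
    # TrustedUserCAKeys; user certificates should stay short-lived.
    ssh-keygen -q -s "$work/CA" -I alice -n alice -V +1d "$work/id_ed25519.pub"
    ssh-keygen -L -f "$work/ssh_host_ed25519_key-cert.pub" | grep -q 'host certificate'
    ssh-keygen -L -f "$work/id_ed25519-cert.pub" | grep -q 'user certificate'
    echo ok
}

# "sh this-script.sh run" walks the whole flow in a temporary directory.
if [ "${1:-}" = run ]; then
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    demo_sign_flow "$work"
    make_cert_authority_line example.com "$work/CA.pub"
fi
```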

Development

To run the tests, run make test. To clean temporary files, run git clean -fdx. You can use pre-commit to have the tests (which are quite quick) run on every commit to ensure code quality.

License

This software is licensed under the MIT license (see LICENSE.txt).

Author Information

Nimrod Adar, contact me or visit my website. Patches are welcome via git send-email. The repository is located at: https://git.shore.co.il/expore/.

TODO

  • Better, more thorough documentation.