
SSH-CA

This utility assists in creating an SSH certificate authority. It aims to be a production-ready, secure solution for managing SSH key pairs for both users and hosts.

Installation

git clone https://www.shore.co.il/cgit/ssh-ca
cd ssh-ca
sudo make install

Usage

To start a new certificate authority

ssh-ca init

To sign a user's public key

ssh-ca signuser username

To sign a host's public key

ssh-ca signhost hostname

To generate a new keypair for a host with a signed public key

ssh-ca newhost hostname

To generate a new keypair for a user with a signed public key

ssh-ca newuser username

Authenticating hosts

  1. Sign the server's public key or generate a new pair and copy the files over. A host certificate is only usable together with the private key it was issued for, so that key must be one sshd actually loads (a HostKey line, or one of the default host keys).

  2. Add the following line to /etc/ssh/sshd_config, pointing at the certificate file (the signed public key):

    HostCertificate /path/to/the/signed/public/key

  3. Add a line to your known_hosts file that trusts host certificates signed by the CA for every host whose name matches a pattern. The pattern is matched against the name you connect to, and that name must also be among the certificate's principals; note that *.example.com does not match the bare name example.com, and several patterns can be listed separated by commas. For example, if your domain is example.com and the contents of CA.pub is:

    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2fAkeidfnPn712B4uW3XhKyFt9FcJtVwSPKDSCykULg3X5gVV/Xa1yb4ameY3ihXOqQOlG3YpYnOQ8KdM67WtnERVbTJIfieRjGzoURz9NquLFXSKsuQrXMWRNHqXAHw7VirPvKL4cSc4l00Az1HDnHhMIclPY8G+8SkRIRsTwwwa5QjGF2wuhC6j5UHJSaF7qLFw9FSaCsEJTkQxtCD4+Rd/dxv3kVWSkm5DbNG0z3QHyISW7XDvyXP+1ccSb5+IWC0yQCT4OJNFUMDb+SdD7AzDHfI9Z5zTp56uGV23lywWhSvv20UPA0SyXJNGPOw7uJ1ak8q4SBh60PtOENQf ssh-ca

    then the line will be (same key type and key blob as CA.pub; the trailing comment is optional):

    @cert-authority *.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2fAkeidfnPn712B4uW3XhKyFt9FcJtVwSPKDSCykULg3X5gVV/Xa1yb4ameY3ihXOqQOlG3YpYnOQ8KdM67WtnERVbTJIfieRjGzoURz9NquLFXSKsuQrXMWRNHqXAHw7VirPvKL4cSc4l00Az1HDnHhMIclPY8G+8SkRIRsTwwwa5QjGF2wuhC6j5UHJSaF7qLFw9FSaCsEJTkQxtCD4+Rd/dxv3kVWSkm5DbNG0z3QHyISW7XDvyXP+1ccSb5+IWC0yQCT4OJNFUMDb+SdD7AzDHfI9Z5zTp56uGV23lywWhSvv20UPA0SyXJNGPOw7uJ1ak8q4SBh60PtOENQf ssh-ca

  4. You can also add it system-wide by adding the above line to /etc/ssh/ssh_known_hosts and the following line to your ssh_config file (this is already OpenSSH's default, so the line only matters if your configuration overrides it):

    GlobalKnownHostsFile /etc/ssh/ssh_known_hosts

  5. For strict security, add the following line to your ssh_config file, so that a host presenting neither a known key nor a certificate from the CA is refused instead of prompted for:

    StrictHostKeyChecking yes

Authenticating users

  1. Sign the user's public key or generate a new pair and copy them over to the user's ~/.ssh directory. ssh picks the certificate up automatically when it sits next to the private key under the name <key>-cert.pub; otherwise point at it with CertificateFile in ssh_config.

  2. Copy CA.pub over to the host.

  3. Add the following line to /etc/ssh/sshd_config:

    TrustedUserCAKeys /path/to/CA.pub

  sshd then accepts a certificate from this CA only for login names listed among its principals (AuthorizedPrincipalsFile can change that mapping) and only within its validity period, so sign user certificates with the intended login name as a principal and with a short lifetime.
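The two procedures above are what ssh-ca automates. The script below is an added example, not ssh-ca's own code: it runs the underlying ssh-keygen calls for a CA, a host certificate and a user certificate in a scratch directory, derives the @cert-authority line from CA.pub instead of pasting it by hand, and checks certificate type and principals with ssh-keygen -L before anything is deployed. The key file names, key IDs (-I), principals (-n), validity windows (-V) and the config paths are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not ssh-ca's own code): the plain ssh-keygen calls that
# produce a CA, a signed host key and a signed user key, plus the checks
# worth running before deploying them. File names, key IDs, principals and
# validity windows are assumptions chosen for illustration.
set -eu

# known_hosts line that trusts every host certificate signed by CA.pub for
# hosts matching the pattern. Pure text: key type and blob are copied from
# the first line of CA.pub, the trailing comment is dropped.
cert_authority_line() {  # usage: cert_authority_line CA.pub '*.example.com'
    awk -v pat="$2" 'NR == 1 { print "@cert-authority " pat " " $1 " " $2; exit }' "$1"
}

# Prints "host" or "user", taken from ssh-keygen's decoding of the certificate.
cert_kind() {  # usage: cert_kind key-cert.pub
    ssh-keygen -L -f "$1" | awk '/^ *Type:/ { print $(NF - 1); exit }'
}

# Succeeds only if NAME appears in the certificate's principal list.
cert_has_principal() {  # usage: cert_has_principal key-cert.pub NAME
    ssh-keygen -L -f "$1" | awk -v name="$2" '
        /^ *Principals:/       { inlist = 1; next }
        /^ *Critical Options:/ { inlist = 0 }
        inlist && $1 == name   { found = 1 }
        END                    { exit !found }'
}

# Whole flow inside DIR. Returns 2 (instead of failing) when OpenSSH's
# ssh-keygen is not installed.
demo_flow() {  # usage: demo_flow DIR
    command -v ssh-keygen >/dev/null 2>&1 || { echo 'ssh-keygen not found' >&2; return 2; }
    (
        cd "$1"
        # 1. CA key pair (assumed equivalent of what "ssh-ca init" produces).
        ssh-keygen -q -t ed25519 -N '' -C ssh-ca -f CA

        # 2. Host key, signed as a HOST certificate (-h). The principals (-n)
        #    are the names clients connect to; valid for a year, with five
        #    minutes of slack for clock skew.
        ssh-keygen -q -t ed25519 -N '' -f ssh_host_ed25519_key
        ssh-keygen -q -s CA -h -I web1.example.com -n web1.example.com,web1 \
            -V -5m:+52w ssh_host_ed25519_key.pub
        # -> ssh_host_ed25519_key-cert.pub (the HostCertificate file)

        # 3. User key, signed as a USER certificate. Without
        #    AuthorizedPrincipalsFile sshd requires the login name among the
        #    principals; a short lifetime leaves little to revoke.
        ssh-keygen -q -t ed25519 -N '' -f alice
        ssh-keygen -q -s CA -I 'alice@laptop' -n alice -V +1d alice.pub
        # -> alice-cert.pub (goes to ~/.ssh next to the private key "alice")

        # 4. Client-side trust for host certificates under *.example.com.
        cert_authority_line CA.pub '*.example.com' > ssh_known_hosts

        # 5. Server- and client-side config fragments, with deployment paths.
        cat > sshd_config.fragment <<'EOF'
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
TrustedUserCAKeys /etc/ssh/CA.pub
EOF
        cat > ssh_config.fragment <<'EOF'
GlobalKnownHostsFile /etc/ssh/ssh_known_hosts
StrictHostKeyChecking yes
EOF
    )
}

# Stand-alone run in a throwaway directory: show both certificates decoded
# and the generated known_hosts line.
work=$(mktemp -d)
if demo_flow "$work"; then
    for c in "$work"/ssh_host_ed25519_key-cert.pub "$work"/alice-cert.pub; do
        echo "$c: $(cert_kind "$c") certificate"
        ssh-keygen -L -f "$c"
    done
    cat "$work/ssh_known_hosts"
fi
rm -rf "$work"
```

Run it with sh; it needs OpenSSH's ssh-keygen and otherwise prints a message and does nothing. The same check applies to real output: ssh-keygen -L -f on whatever ssh-ca signhost or signuser produced should report "host certificate" or "user certificate" respectively, the Principals block should contain the host name clients use or the login name, and the Valid line should show the window you intended.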

Development

To ease development, make clean and make test are available. It's recommended to add make test to your git pre-commit hook.

License

This software is licensed under the MIT license (see the LICENSE.txt file).

Author

Nimrod Adar, contact me or visit my website. Patches are welcome via git send-email. The repository is located at: https://www.shore.co.il/cgit/.

TODO

  • Generating RSA, DSA and ECDSA keys (especially for hosts).