
What is SSH certificate authentication? How to configure and manage SSH certificates?

March 6, 21:32

SSH certificate authentication is an authentication method built on a small Public Key Infrastructure (PKI): instead of distributing individual public keys to every server, a trusted Certificate Authority (CA) signs them. Compared to traditional authorized_keys management it is easier to administer and safer, because certificates expire and can be revoked centrally.

SSH Certificate Authentication Principles

SSH certificate authentication uses a Certificate Authority (CA) to sign user (and host) public keys. The resulting certificate binds the public key to identity information (a key ID and one or more principals), a serial number and a validity period. A server that trusts the CA's public key accepts any certificate the CA has signed, without having that user's public key in authorized_keys.

Architecture Components

  1. CA Key Pair: Used to issue user certificates
  2. User Key Pair: User's public/private keys
  3. User Certificate: User's public key signed by CA
  4. Server Configuration: Trusts CA's public key

Certificate Types

1. User Certificate

Used to authenticate user identity.

```bash
# Generate CA key pair (the private key ~/.ssh/ca_user_key must be kept offline or in an HSM)
ssh-keygen -t ed25519 -f ~/.ssh/ca_user_key

# Issue user certificate; the output is written to ~/.ssh/user_key-cert.pub
ssh-keygen -s ~/.ssh/ca_user_key \
    -I "user_john" \
    -n "john" \
    -V +52w \
    -z 1 \
    ~/.ssh/user_key.pub

# Certificate parameter explanation
# -I: Identity identifier (key ID, shown in sshd logs)
# -n: Principals, i.e. the login names the certificate is valid for (comma-separated)
# -V: Validity period (+52w means 52 weeks from now)
# -z: Serial number (unique per certificate; needed for revocation by serial)
```

2. Host Certificate

Used to authenticate server identity.

```bash
# Generate a separate CA key pair for hosts (do not reuse the user CA)
ssh-keygen -t ed25519 -f ~/.ssh/ca_host_key

# Issue host certificate; the output is written to /etc/ssh/ssh_host_ed25519_key-cert.pub
ssh-keygen -s ~/.ssh/ca_host_key \
    -I "host_server1" \
    -h \
    -n "server1.example.com,192.168.1.100" \
    -V +52w \
    -z 1 \
    /etc/ssh/ssh_host_ed25519_key.pub

# Certificate parameter explanation
# -h: Host certificate flag
# -n: Hostname or IP (comma-separated); must match the name clients connect with
```

Server-side Configuration

1. Configure Trusted CA

```bash
# /etc/ssh/sshd_config

# Trust user CA: any user certificate signed by this key is accepted
TrustedUserCAKeys /etc/ssh/ca_user_key.pub

# Present the server's host certificate to clients (the original text used a second
# TrustedUserCAKeys line here, which would have trusted the host CA to sign users).
# Host CA trust itself is configured on the client, see "Verify Host Certificate".
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub

# Certificate authentication is part of public key authentication
PubkeyAuthentication yes
```

2. Deploy Host Certificate

```bash
# Copy host certificate to the server, next to the host key it certifies
scp ssh_host_ed25519_key-cert.pub root@server1:/etc/ssh/

# Set permissions (the certificate is public; the host private key stays 0600)
chmod 644 /etc/ssh/ssh_host_ed25519_key-cert.pub

# Reference it in /etc/ssh/sshd_config (HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub),
# check the configuration, then restart the SSH service
sshd -t && systemctl restart sshd
```

Client-side Configuration

1. Connect Using Certificate

```bash
# Direct connection: ssh automatically loads ~/.ssh/user_key-cert.pub next to the key.
# The login name must be one of the certificate's principals ("john" in the example above).
ssh -i ~/.ssh/user_key john@server1

# Or specify in the configuration file ~/.ssh/config
Host server1
    HostName server1.example.com
    User john
    IdentityFile ~/.ssh/user_key
    CertificateFile ~/.ssh/user_key-cert.pub
```

2. Verify Host Certificate

```bash
# Configure the trusted host CA on the client, in ~/.ssh/known_hosts
# (or /etc/ssh/ssh_known_hosts for all users). Hosts matching the pattern whose
# certificate is signed by this CA are accepted without a first-connection prompt.
@cert-authority *.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...
```

Certificate Management

1. Certificate Revocation

```bash
# Create a Key Revocation List (KRL). RevokedKeys accepts a list of public keys or a
# binary KRL, not a "serial:reason" text file, so revocations by serial go through a
# KRL specification file (/etc/ssh/revoke_spec), one directive per line:
#   serial: 1
#   serial: 2
# Keep the reason (compromised, terminated, ...) in your own records or in # comment lines.
# Serial directives are scoped to the CA passed with -s.
ssh-keygen -k -f /etc/ssh/revoked_keys -s ~/.ssh/ca_user_key /etc/ssh/revoke_spec

# Later revocations update the existing KRL in place
ssh-keygen -k -u -f /etc/ssh/revoked_keys -s ~/.ssh/ca_user_key /etc/ssh/revoke_spec

# Check whether a given certificate is revoked
ssh-keygen -Q -f /etc/ssh/revoked_keys ~/.ssh/user_key-cert.pub

# Configure revocation list
# /etc/ssh/sshd_config
RevokedKeys /etc/ssh/revoked_keys
```

2. Certificate Renewal

```bash
# Re-issue the certificate with a new serial before the old one expires.
# If the old certificate must stop working early, add its serial (1) to the KRL.
ssh-keygen -s ~/.ssh/ca_user_key \
    -I "user_john" \
    -n "john" \
    -V +52w \
    -z 2 \
    ~/.ssh/user_key.pub
```

3. Batch Issuance

```bash
#!/bin/bash
# Batch issue user certificates, giving each one a unique serial
CA_KEY=~/.ssh/ca_user_key
VALIDITY="+52w"
serial=1
for user in alice bob charlie; do
    ssh-keygen -s "$CA_KEY" \
        -I "user_$user" \
        -n "$user" \
        -V "$VALIDITY" \
        -z "$serial" \
        ~/.ssh/${user}_key.pub
    serial=$((serial + 1))
done
```

Certificate Advantages

1. Centralized Management

  • Unified CA manages all users
  • No need to add public keys on each server
  • Easy to revoke and update certificates

2. Security

  • Certificates contain validity periods, auto-expire
  • Can restrict certificate usage scope
  • Supports revocation mechanism

3. Scalability

  • Supports large-scale deployment
  • Facilitates automated management
  • Reduces operational costs

Advanced Features

1. Certificate Extensions

```bash
# Restrict certificate usage
ssh-keygen -s ~/.ssh/ca_user_key \
    -I "user_deploy" \
    -n "deploy" \
    -V +4w \
    -O clear \
    -O no-port-forwarding \
    -O no-X11-forwarding \
    -O force-command=/usr/local/bin/deploy.sh \
    ~/.ssh/deploy_key.pub

# Extension options
# -O clear: Clear all default permissions (pty, forwarding, agent, user-rc); the
#           no-* options after it are then redundant but document the intent
# -O no-port-forwarding: Disable port forwarding
# -O no-X11-forwarding: Disable X11 forwarding
# -O force-command: Restrict the session to one command, whatever the client requests
# -O source-address=<CIDR list>: Restrict the source IP addresses the certificate may be used from
```

2. Certificate Templates

```bash
# Create certificate templates for different roles (CA_KEY=~/.ssh/ca_user_key)

# Admin certificate
ssh-keygen -s $CA_KEY -I "admin" -n "admin" -V +52w -O permit-pty admin_key.pub

# Deploy certificate
ssh-keygen -s $CA_KEY -I "deploy" -n "deploy" -V +4w -O no-port-forwarding deploy_key.pub

# Read-only certificate
ssh-keygen -s $CA_KEY -I "readonly" -n "readonly" -V +52w -O no-pty readonly_key.pub
```

3. Certificate Auditing

```bash
# View certificate information
ssh-keygen -L -f ~/.ssh/user_key-cert.pub

# Output example
# Type: ssh-ed25519-cert-v01@openssh.com user certificate
# Public key: ED25519-CERT SHA256:...
# Signing CA: ED25519 SHA256:...
# Key ID: "user_john"
# Serial: 1
# Valid: from 2024-01-01T00:00:00 to 2025-01-01T00:00:00
# Principals: john
```
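As an added example (not code from the original article), the Python below decodes the same fields that ssh-keygen -L displays, following the layout of OpenSSH's PROTOCOL.certkeys, and applies the principal and validity-window check a server performs. The sample certificate is constructed inline and is unsigned, so it only illustrates where the -I, -n, -z, -V and -O values end up inside a certificate.

```python
# Added example (not from the original article): decode the fields "ssh-keygen -L" prints
# from an Ed25519 user certificate (OpenSSH PROTOCOL.certkeys); the sample cert is constructed, unsigned.
import base64, struct, time

def _s(buf, off):  # one SSH "string": uint32 big-endian length followed by that many bytes
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def _seq(blob, paired=False):
    """Decode a sequence of strings; option lists are (name, data) pairs, keep the names."""
    out, p = [], 0
    while p < len(blob):
        item, p = _s(blob, p)
        if paired:
            _, p = _s(blob, p)
        out.append(item.decode())
    return out

def parse_cert(line):
    """Parse one *-cert.pub line into a dict (the CA signature is NOT verified here)."""
    blob = base64.b64decode(line.split()[1])
    ktype, off = _s(blob, 0)
    _, off = _s(blob, off)                       # nonce
    pubkey, off = _s(blob, off)                  # raw Ed25519 public key
    serial, ctype = struct.unpack(">QI", blob[off:off + 12]); off += 12
    key_id, off = _s(blob, off)                  # set by -I
    princ, off = _s(blob, off)                   # set by -n
    after, before = struct.unpack(">QQ", blob[off:off + 16]); off += 16  # set by -V
    crit, off = _s(blob, off)
    ext, off = _s(blob, off)
    return {"type": ktype.decode(), "public_key": pubkey, "serial": serial,
            "cert_type": ctype,                  # 1 = user, 2 = host
            "key_id": key_id.decode(), "principals": _seq(princ),
            "valid_after": after, "valid_before": before,
            "critical_options": _seq(crit, paired=True),   # e.g. force-command
            "extensions": _seq(ext, paired=True)}          # e.g. permit-pty

def is_valid_for(cert, principal, now=None):
    """Part of what sshd checks: user cert, login name among principals, inside the window."""
    now = int(time.time()) if now is None else now
    return (cert["cert_type"] == 1 and principal in cert["principals"]
            and cert["valid_after"] <= now < cert["valid_before"])

def _str(b): return struct.pack(">I", len(b)) + b

def build_sample_cert():
    """Constructed sample mirroring '-I user_john -n john -z 1', valid 2024-01-01 to 2025-01-01 UTC."""
    body = (_str(b"ssh-ed25519-cert-v01@openssh.com") + _str(bytes(32)) + _str(bytes(32))
            + struct.pack(">QI", 1, 1) + _str(b"user_john") + _str(_str(b"john"))
            + struct.pack(">QQ", 1704067200, 1735689600) + _str(b"")
            + _str(_str(b"permit-pty") + _str(b"")) + _str(b"") + _str(b"") + _str(b""))
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(body).decode() + " user_john"
```

Run parse_cert on a line read from a real user_key-cert.pub to audit serials and principals in bulk; the trailing signature key and signature are left to ssh-keygen, which does verify them.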

Practical Application Scenarios

Scenario 1: Enterprise User Management

```bash
# Centrally manage enterprise users

# 1. Create enterprise CA
ssh-keygen -t ed25519 -f /etc/ssh/enterprise_ca

# 2. Issue certificates for employees, each with a unique serial
ssh-keygen -s /etc/ssh/enterprise_ca \
    -I "emp_001" \
    -n "john.doe" \
    -V +52w \
    -z 1 \
    ~/.ssh/john_key.pub

# 3. Revoke the certificate when the employee leaves: add its serial to the KRL
#    referenced by RevokedKeys (omit -u the first time, when the KRL does not exist yet)
echo "serial: 1" > /tmp/revoke_emp_001
ssh-keygen -k -u -f /etc/ssh/revoked_keys -s /etc/ssh/enterprise_ca /tmp/revoke_emp_001
```

Scenario 2: Automated Deployment

```bash
# Issue short-term certificates for CI/CD systems: one day of validity and a forced command
ssh-keygen -s $CA_KEY \
    -I "ci_cd" \
    -n "cicd" \
    -V +1d \
    -O force-command=/usr/local/bin/deploy.sh \
    ~/.ssh/cicd_key.pub
```

Scenario 3: Multi-environment Management

```bash
# Issue different certificates for different environments

# Development environment
ssh-keygen -s $CA_KEY -I "dev" -n "dev" -V +4w dev_key.pub

# Test environment
ssh-keygen -s $CA_KEY -I "test" -n "test" -V +4w test_key.pub

# Production environment (shorter validity)
ssh-keygen -s $CA_KEY -I "prod" -n "prod" -V +2w prod_key.pub
```

Best Practices

  1. Protect CA Private Key: Use Hardware Security Module (HSM) or offline storage
  2. Regular Rotation: Regularly rotate CA keys
  3. Restrict Permissions: Issue certificates with different permissions for different roles
  4. Monitor Usage: Record certificate usage
  5. Automated Management: Use automated tools to manage certificate lifecycle
  6. Backup CA: Securely backup CA keys
  7. Test Process: Verify certificate configuration in test environment
  8. Document: Record certificate issuance and revocation processes
Tags: SSH