Docs for OpenSSH CA-based certificate based authentication
OpenSSH 5.4 added a new method for certificate authentication (changes).
* Add support for certificate authentication of users and hosts using a
new, minimal OpenSSH certificate format (not X.509). Certificates
contain a public key, identity information and some validity
constraints and are signed with a standard SSH public key using
ssh-keygen(1). CA keys may be marked as trusted in authorized_keys
or via a TrustedUserCAKeys option in sshd_config(5) (for user
authentication), or in known_hosts (for host authentication).
Documentation for certificate support may be found in ssh-keygen(1),
sshd(8) and ssh(1) and a description of the protocol extensions in
PROTOCOL.certkeys.
Is there any guides or documentation beyond what is mentioned in the ssh-keygen man-page? The man page covers how to generate certificate and use them, but it doesn't really seem to provide much information about the certificate authority setup. For example, can I sign the keys with an intermediate CA, and have the server trust the parent CA?
This comment about the new feature seems to mean that I could setup my servers to trust the CA, then setup a method to sign keys, and then users would not have to publish their individual keys on the server. This also seems to support key expiration, which is great since getting rid of old/invalid keys is more difficult then it should be. But I am hoping to find some more documentation about describe the total configuration CA, SSH server, and SSH client settings needed to make this work.
Indeed, the docs do look rather sparse. The PROTOCOL.certkeys file is probably your best place to go for low-level documentation re: this feature.
re: using intermediate CA's, have a look at this quote from that doc:
"Chained" certificates, where the signature key type is a certificate type itself are NOT supported.
If I'm reading that right then using an intermediate CA is expressly not possible. In general, it looks like this is a really, really bare-bones PKI implementation and you should probably throw out most of what you'd expect in an X.509 PKI world.
I've posted how to generate and use ssh certificates on ServerFault here.
In short:
- generate ca_key (just like normal rsa or dsa key)
- generate host certificate using ca_key
- install host certificate on target host/s, configuring sshd to suit
- generate client certs using ca_key (the resulting certificate can have several constraints, such as force-command, no-agent-forwarding, no-x11-forwarding, etc; together with age restrictions). The client cert can be for one or multiple hosts, and for one or multiple users.
The issue I've got is how to revoke ssh certificates. Having to change the host certificate clearly obviates the value of having a central CA and host certificate.
Interesting stuff.
The files regress/cert-hostkey.sh and regress/cert-userkey.sh, which are included in OpenSSH's source, seems to supply a pretty good overview of that this feature covers in term of authenticating and authorizing users/hosts with a CA.
As for users having to publish their keys: From what I gather, as long as the cert provided by the user is properly signed and constraints on the cert don't prohibit the user from accessing that machine, he will be allowed to logon. No publishing needed.