SSH At Scale: CAs and Principals

Phase 0: Passwords

$ ssh dmuth@cheetah.dmuth.org
dmuth@cheetah.dmuth.org's password: ********
$

Phase 1: SSH Keys

$ ssh dmuth@cheetah.dmuth.org
Last login: Sat Jan 25 11:04:18 2020 from [REDACTED]
#
# Welcome !
#
[dmuth@cheetah ~]$

Phase 2: Signed Keys

Creating Your Own CA and Signing Keys With It

$ ssh-keygen -L -f ./my-key-cert.pub
./my-key-cert.pub:
        Type: ecdsa-sha2-nistp256-cert-v01@openssh.com user certificate
        Public key: ECDSA-CERT SHA256:IRxpHtLNIl1oNIVyEpNWhnkHKxQo76klbLzGFlgt8aM
        Signing CA: ECDSA SHA256:sk9wvYVdg2mwqpYaMZVSc2IelgQHAVcUMQM8h12aqEc
        Key ID: "testing-my-ca"
        Serial: 1
        Valid: from 2020-01-25T12:49:00 to 2020-02-01T12:50:02
        Principals:
                dmuth
                splunk
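The commands that produce a certificate like the one above, as an added example rather than the article's own commands. It builds a throwaway CA in a temporary directory, signs a fresh user key with the same Key ID, serial, principals and one-week validity the certificate shows, and reads the result back with ssh-keygen -L. Everything here assumes OpenSSH's ssh-keygen is on PATH; the file names (ca, user, example-ca) are made up for the example, and the CA is ed25519 where the article's is ECDSA.

```shell
#!/bin/sh
# Added example, not from the article: mint a CA, sign a user key, inspect it.
# Assumes OpenSSH's ssh-keygen is installed; all file names are invented.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# The CA is an ordinary SSH keypair. Whoever holds the private half (ca) can mint
# certificates that every server trusting ca.pub will accept, so in production it
# lives offline or behind an HSM, not on a laptop.
make_ca() {
    rm -f "$WORK/ca" "$WORK/ca.pub"
    ssh-keygen -q -t ed25519 -N '' -C 'example-ca' -f "$WORK/ca"
}

# Generate a user key and sign its public half.
#   -I  Key ID: free text; sshd logs it on every login, so make it identify the holder
#   -n  comma-separated principals baked into the certificate
#   -z  serial number (what a revocation list refers to)
#   -V  validity window; +1w gives the one-week window the article's cert has
# Prints the path of the certificate ssh-keygen writes next to the key (<key>-cert.pub).
sign_user_key() {
    key_id=$1; principals=$2; validity=$3
    rm -f "$WORK/user" "$WORK/user.pub" "$WORK/user-cert.pub"
    ssh-keygen -q -t ed25519 -N '' -C 'user-key' -f "$WORK/user"
    ssh-keygen -q -s "$WORK/ca" -I "$key_id" -n "$principals" -z 1 -V "$validity" \
        "$WORK/user.pub"
    echo "$WORK/user-cert.pub"
}

# Principals listed in a certificate, one per line, in certificate order.
cert_principals() {
    ssh-keygen -L -f "$1" | awk '
        /^[[:space:]]*Principals:/                    { on = 1; next }
        /^[[:space:]]*(Critical Options|Extensions):/ { on = 0 }
        on { sub(/^[[:space:]]+/, ""); print }'
}

# SHA256 fingerprint of the CA that signed a certificate ...
cert_signing_ca() {
    ssh-keygen -L -f "$1" | awk '/Signing CA:/ { print $4 }'
}

# ... and of a CA public key, so the two can be compared before that key is
# installed as TrustedUserCAKeys on a server.
ca_fingerprint() {
    ssh-keygen -l -f "$1" | awk '{ print $2 }'
}

# Walk through it once, reproducing the shape of the article's certificate.
if command -v ssh-keygen >/dev/null 2>&1; then
    make_ca
    CERT="$(sign_user_key testing-my-ca dmuth,splunk +1w)"
    ssh-keygen -L -f "$CERT"
    echo "principals: $(cert_principals "$CERT" | tr '\n' ' ')"
    if [ "$(cert_signing_ca "$CERT")" = "$(ca_fingerprint "$WORK/ca.pub")" ]; then
        echo "certificate was signed by $WORK/ca.pub"
    else
        echo "certificate was NOT signed by $WORK/ca.pub"
    fi
fi
```

The fingerprint comparison at the end is the check worth keeping: before a server is told to trust a CA public key, confirm that the certificates you intend to use actually carry that CA's fingerprint in their Signing CA line, and keep the validity window short so a lost key expires on its own.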

Go to The Principal’s Office

Configure SSHD to Allow CA-signed Keys

#
# Any certificate signed by this CA key is accepted for authentication,
# subject to the principal check below.
#
TrustedUserCAKeys /etc/ssh/ca.pub
#
# Tell the server where to get the list of accepted principals for each
# account; %u expands to the account name being logged into.
#
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u

mkdir -p /etc/ssh/auth_principals/
echo -e "splunk\ndmuth\n" > /etc/ssh/auth_principals/splunk
echo -e "dmuth\n" > /etc/ssh/auth_principals/dmuth
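What those two files actually grant is easy to misread, so here is an added example (not the article's code, and not sshd's either) that models the server-side decision: sshd takes the principals embedded in the certificate and accepts the login if any of them appears in the AuthorizedPrincipalsFile for the target account. The script rebuilds the article's two files in a temporary directory (the layout under /etc/ssh/auth_principals/ is assumed to be exactly the one the echo commands create), then asks "can a certificate carrying these principals log in as this account?" for a handful of combinations. It is a readable approximation: it ignores comment and blank lines and treats the last field of a line as the principal name so that lines with leading options still match, and it models the documented behaviour that once AuthorizedPrincipalsFile is set there is no fallback to the account name.

```shell
#!/bin/sh
# Added example, not from the article or from OpenSSH: a small model of how sshd
# combines a certificate's principals with AuthorizedPrincipalsFile %u.
# The principals directory and its two files are assumed to match the article.
set -eu

PRINC_DIR="$(mktemp -d)"
trap 'rm -rf "$PRINC_DIR"' EXIT

# The same two files the article writes under /etc/ssh/auth_principals/.
printf 'splunk\ndmuth\n' > "$PRINC_DIR/splunk"
printf 'dmuth\n'         > "$PRINC_DIR/dmuth"

# authz "<space-separated certificate principals>" <account> [principals dir]
# Prints "allow" or "deny". Always returns 0 so it can be used inside $(...).
authz() {
    cert_principals=$1; account=$2; dir=${3:-$PRINC_DIR}
    file="$dir/$account"
    # With AuthorizedPrincipalsFile set there is no fallback to the account name:
    # no file for the account (or no matching line) means the login is refused.
    if [ ! -f "$file" ]; then
        echo deny
        return 0
    fi
    for p in $cert_principals; do
        # A line is "[options ]principal"; '#' lines and blank lines are ignored.
        if awk -v want="$p" '
                /^[[:space:]]*#/ || NF == 0 { next }
                $NF == want { found = 1; exit }
                END { exit !found }' "$file"; then
            echo allow
            return 0
        fi
    done
    echo deny
}

# Who can log in as whom with the article's two files in place.
for case in "dmuth splunk:splunk" "dmuth splunk:dmuth" "splunk:dmuth" \
            "dmuth:splunk" "dmuth:root"; do
    cp=${case%%:*}; acct=${case##*:}
    printf 'cert principals [%-12s] as %-6s -> %s\n' "$cp" "$acct" "$(authz "$cp" "$acct")"
done
```

Two lines of the output deserve attention. A certificate carrying only the principal dmuth can log in as splunk, because dmuth is listed in /etc/ssh/auth_principals/splunk; that line is the whole point of the scheme (people get into a service account without a shared key) and it is also where access to the service account is granted, so review that file as carefully as you would a sudoers entry. A certificate carrying only splunk cannot log in as dmuth, and nothing can log in as an account with no principals file. After editing sshd_config, `sshd -t` checks the syntax before you reload and lock yourself out.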

Testing This Out On Your Own

“I’m looking for Vinz Clortho.”

Putting It All Together
