SSH At Scale: CAs and Principals

Phase 0: Passwords

ssh's password: ********

Phase 1: SSH Keys

$ ssh
Last login: Sat Jan 25 11:04:18 2020 from [REDACTED]
# Welcome !
[dmuth@cheetah ~]$

Phase 2: Signed Keys

Creating Your Own CA and Signing Keys With It

ssh-keygen -L -f ./
Type: user certificate
Public key: ECDSA-CERT SHA256:IRxpHtLNIl1oNIVyEpNWhnkHKxQo76klbLzGFlgt8aM
Signing CA: ECDSA SHA256:sk9wvYVdg2mwqpYaMZVSc2IelgQHAVcUMQM8h12aqEc
Key ID: "testing-my-ca"
Serial: 1
Valid: from 2020-01-25T12:49:00 to 2020-02-01T12:50:02

Go to The Principal’s Office

Configure SSHD to Allow CA-signed Keys

# Any key signed with this key can log in
TrustedUserCAKeys /etc/ssh/
# Tell the server where to get a list of authorized Principals for each user.
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u

mkdir -p /etc/ssh/auth_principals/
echo -e "splunk\ndmuth\n" > /etc/ssh/auth_principals/splunk
echo -e "dmuth\n" > /etc/ssh/auth_principals/dmuth
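
To see what the two config lines and the two principals files actually decide, here is an added example (not from the original post) that parses `ssh-keygen -L` output in the format shown above and applies the matching rule sshd uses once AuthorizedPrincipalsFile is set. The certificate listing is constructed: the hashes and Key ID are the ones above, the Principals section is assumed.

```python
import re
from datetime import datetime

# Constructed sample in the shape of `ssh-keygen -L` output: hashes and Key ID
# are the ones shown above; the Principals section is assumed.
CERT_LISTING = """\
        Type: ecdsa-sha2-nistp256-cert-v01@openssh.com user certificate
        Public key: ECDSA-CERT SHA256:IRxpHtLNIl1oNIVyEpNWhnkHKxQo76klbLzGFlgt8aM
        Signing CA: ECDSA SHA256:sk9wvYVdg2mwqpYaMZVSc2IelgQHAVcUMQM8h12aqEc
        Key ID: "testing-my-ca"
        Serial: 1
        Valid: from 2020-01-25T12:49:00 to 2020-02-01T12:50:02
        Principals:
                dmuth
        Critical Options: (none)
"""
# Contents of the two AuthorizedPrincipalsFile files written by the echo commands above.
AUTH_PRINCIPALS = {"splunk": "splunk\ndmuth\n", "dmuth": "dmuth\n"}
FIELD = re.compile(r"^\s*([A-Za-z ]+):\s*(.*)$")   # "Key ID: ...", "Principals:"
VALID = re.compile(r"from (\S+) to (\S+)")

def parse_cert_listing(text):
    """Turn `ssh-keygen -L` output into a dict; indented items become list entries."""
    cert, section = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            section, value = m.group(1), m.group(2).strip()
            cert[section] = [] if value in ("", "(none)") else value
        elif line.strip() and isinstance(cert.get(section), list):
            cert[section].append(line.strip())
    return cert

def read_principals_file(text):
    """One principal per line; blank lines and '#' comments are ignored."""
    return {l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")}

def login_allowed(cert, target_user, principals_files, now_iso):
    """A user cert inside its validity window may log in as target_user only if one
    of its principals is listed in auth_principals/<target_user>. With the file set,
    the username itself is not implicitly allowed: that is why "dmuth" must appear
    in dmuth's own file."""
    if not cert.get("Type", "").endswith("user certificate"):
        return False
    m, now = VALID.search(cert.get("Valid", "")), datetime.fromisoformat(now_iso)
    if m:  # "Valid: forever" has no window; any other cert must bracket `now`
        start, end = (datetime.fromisoformat(t) for t in m.groups())
        if not start <= now <= end:
            return False
    allowed = read_principals_file(principals_files.get(target_user, ""))
    return any(p in allowed for p in cert.get("Principals", []))  # empty list never matches
```

With the files above, the cert signed for principal "dmuth" can log in as dmuth and as splunk, but not as any other account, and not at all once the one-week window has passed.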

Testing This Out On Your Own

“I’m looking for Vinz Clortho.”

Putting It All Together
