Introduction
SSH (Secure Shell) is a protocol used for securely accessing remote systems. While password-based login is common, using SSH certificates enhances security by requiring a cryptographic key pair for authentication. This guide details how to create an SSH certificate and configure your Linux server to only permit certificate-based logins, improving your system’s security.
What is SSH Certificate Authentication?
SSH certificate authentication uses digital certificates to authenticate users, as opposed to passwords. This method relies on public key cryptography. The main advantage is that it eliminates the risk of password brute-force attacks and provides a more secure method of automating logins.
Generating the SSH Key Pair
The first step in setting up SSH certificate authentication is to generate a key pair.
- Open a terminal.
- Run the following command to generate a key pair:
ssh-keygen -t rsa -b 4096 -f ~/.ssh/my_ssh_key
3. Press Enter to accept the default file location and passphrase (optional but recommended for additional security).
Creating a Certificate Authority (CA)
To sign your SSH keys, you will need a Certificate Authority (CA). This CA will be used to verify the identity of users attempting to connect.
- On a secure machine, generate a new key pair to act as the CA:
ssh-keygen -t rsa -b 4096 -f ~/.ssh/ca_key
2. Keep this CA key in a secure location—it should only be used for signing other keys.
Signing the Public Key with the CA
Now, you need to use the CA to sign the public key that you previously generated.
- Use the following command to sign the public key:
ssh-keygen -s ~/.ssh/ca_key -I user_identifier -n user -V +52w ~/.ssh/my_ssh_key.pub
2. This command signs the public key with the CA’s private key, sets a validity period (e.g., 52 weeks), and identifies the user.
Configuring SSH to Use Certificate Authentication
After creating and signing your keys, configure your SSH server to use these certificates for authentication.
- Edit the SSH configuration file:
sudo vi /etc/ssh/sshd_config #use text editor of choice
Add or modify the following lines:
TrustedUserCAKeys /etc/ssh/ca_key.pub
Save the changes and restart the SSH service:
sudo systemctl restart sshd
Disabling Password Authentication
To ensure only certificate-based logins are allowed, disable password authentication on your SSH server.
- Open the SSH configuration file:
sudo vi /etc/ssh/sshd_config #use text editor of choice
Set PasswordAuthentication
to no:
PasswordAuthentication no
Restart the SSH service to apply changes:
sudo systemctl restart ssh
d
Conclusion
By setting up SSH certificate authentication, you significantly increase the security of your Linux system. It protects against a variety of attacks and automates secure access without the vulnerabilities associated with passwords.