Skip to content
Picture of PTFM

PTFM

Ultimate SSH Security: Certificate Authentication on Linux!

Introduction

SSH (Secure Shell) is a protocol used for securely accessing remote systems. While password-based login is common, using SSH certificates enhances security by requiring a cryptographic key pair for authentication. This guide details how to create an SSH certificate and configure your Linux server to only permit certificate-based logins, improving your system’s security.

    What is SSH Certificate Authentication?

    SSH certificate authentication uses digital certificates to authenticate users, as opposed to passwords. This method relies on public key cryptography. The main advantage is that it eliminates the risk of password brute-force attacks and provides a more secure method of automating logins.

    Generating the SSH Key Pair

    The first step in setting up SSH certificate authentication is to generate a key pair.

    1. Open a terminal.
    2. Run the following command to generate a key pair:
    ssh-keygen -t rsa -b 4096 -f ~/.ssh/my_ssh_key

    3. Press Enter to accept the default file location and passphrase (optional but recommended for additional security).

      Creating a Certificate Authority (CA)

      To sign your SSH keys, you will need a Certificate Authority (CA). This CA will be used to verify the identity of users attempting to connect.

      1. On a secure machine, generate a new key pair to act as the CA:
      ssh-keygen -t rsa -b 4096 -f ~/.ssh/ca_key

      2. Keep this CA key in a secure location—it should only be used for signing other keys.

        Signing the Public Key with the CA

        Now, you need to use the CA to sign the public key that you previously generated.

        1. Use the following command to sign the public key:
        ssh-keygen -s ~/.ssh/ca_key -I user_identifier -n user -V +52w ~/.ssh/my_ssh_key.pub

        2. This command signs the public key with the CA’s private key, sets a validity period (e.g., 52 weeks), and identifies the user.

          Configuring SSH to Use Certificate Authentication

          After creating and signing your keys, configure your SSH server to use these certificates for authentication.

          1. Edit the SSH configuration file:
          sudo vi /etc/ssh/sshd_config #use text editor of choice

          Add or modify the following lines:

          TrustedUserCAKeys /etc/ssh/ca_key.pub

          Save the changes and restart the SSH service:

          sudo systemctl restart sshd

          Disabling Password Authentication

          To ensure only certificate-based logins are allowed, disable password authentication on your SSH server.

          1. Open the SSH configuration file:
          sudo vi /etc/ssh/sshd_config #use text editor of choice

          Set PasswordAuthentication to no:

          PasswordAuthentication no

          Restart the SSH service to apply changes:

          sudo systemctl restart sshd

          Conclusion

          By setting up SSH certificate authentication, you significantly increase the security of your Linux system. It protects against a variety of attacks and automates secure access without the vulnerabilities associated with passwords.

          Share this post