-------------------------------------------------------------------------------
Using SSH Signed Certificates (principals) for login.

There appears to be little online about this authentication technique.

Principals are strings that allow you to give users a specific set of
authorisations. If one of the 'strings' in a signed principal key matches on
the client, for the specific 'account' requested, then the connection is
allowed.

It means a single central key can control the access, instead of a separate
key-pair for each user (and the distribution nightmare that involves). Also
it does not need to be user based; instead you can authorise based on 'group'
rather than individuals, though you can still do it by individual.

-------------------------------------------------------------------------------
SSHD configuration (Client, i.e. the host being logged into)

This relies on the sshd configuration options...

  # a static file of principals for a specific requested user
  AuthorizedPrincipalsFile /etc/ssh/file_principals/%u

  # script to generate the list of 'principals' based on arguments given.
  AuthorizedPrincipalsCommand /etc/ssh/principals %u

  # user to run script as (nobody is fine)
  AuthorizedPrincipalsCommandUser nobody

  # Certificate key for incoming principals
  TrustedUserCAKeys /etc/ssh/ca.pub

  # key type of incoming principals
  PubkeyAcceptedKeyTypes ssh-rsa-cert-v01@openssh.com

-------------------------------------------------------------------------------
SSHD Principals file or script

A list of strings that allow access to this host. It is recommended that the
requested user selects which principals file is used, or is given as an
argument to the script.

Each entry is optionally preceded by extra options as per the
"authorized_keys" file, EG: from= and/or command=

The principal_string can be any string that was in the signed principal key.
Only accounts attached to a principal_string are authorised.

The account must be requested by the user:

  ssh account@destination_host_with_principal_file
A script or other % arguments can be used to adjust the allowed principals
based on the incoming account.

-------------------------------------------------------------------------------
Creating

The public key will need to be installed on all client hosts, and pointed to
by the "sshd_config":

  TrustedUserCAKeys /etc/ssh/ca.pub

-------------------------------------------------------------------------------
Creating a user principal...

  https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys
  https://github.com/outlook/ALTAR

Generate a SSH key pair (the user key that the principal will be signed onto)

  ssh-keygen -t rsa -f ~/.ssh/id_rsa

Sign a principal string using the above key for 1hr

  ssh-keygen -V +1h -s /etc/ssh/ca.key -I admin@server \
             -n root@ALL ~/.ssh/id_rsa.pub

  -V  is time to live
  -s  is the private signing key (clients have a copy of the public key)
  -I  is an identifier for the generated principal (typically the user)
      This is logged by the client.
  -n  is the principal string that the client receives and validates
      This is what provides the authorisation.

Extensions (ssh options) may also be added, such as

  permit-pty             allow a TTY to be created (ssh -t option)
  permit-user-rc         execute ".ssh/rc" script before shell is run
  permit-X11-forwarding  allow X window forwards (ssh -X option)

-------------------------------------------------------------------------------
Look at a signed principal in human readable form...

  ssh-keygen -L -f .ssh/id_rsa-cert.pub

NOTE: This can include a 'source-address' that must also match for the
principal to be valid. That way it is only valid from the host it was created
on.

===============================================================================
Just in time principals

Rather than pre-generating all the principals for a user, we can have SSH
call a daemon running on an Authentication Socket (using system ssh_config or
an environment variable).
This can generate a principal for the user on the fly, that will only be
valid for the user for a very short time (say for the next 15 seconds only!).

  via environment
    SSH_AUTH_SOCK=/run/principle_generator.sock

  via "/etc/ssh/ssh_config" using
    IdentityAgent=/run/principle_generator.sock

To see the principal in human readable form, you use ssh-add to get the
principal and ssh-keygen to convert it...

  SSH_AUTH_SOCK=/run/principle_generator.sock \
    ssh-add -L | ssh-keygen -L -f -

As previously, the signed principal string is then passed to the client
machine and it is checked against a principals file(s) or executable that
authorises a user holding that principal string as a valid login.

===============================================================================
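The principals executable referred to above, and in the "SSHD Principals file or script" section, written out as an added example (it is not from the original notes): the account names, group table, admin network range and forced-command path are constructed for illustration, and the script assumes it is installed as the AuthorizedPrincipalsCommand with %u as its argument.

```shell
#!/bin/sh
# Added example (not from the original notes): an AuthorizedPrincipalsCommand
# script.  sshd runs it as "/etc/ssh/principals %u" under
# AuthorizedPrincipalsCommandUser, and allows the login if any line printed
# names a principal carried in the client's signed certificate.

# Constructed group table for illustration: account:principal,principal
GROUP_TABLE='
alice:staff@ALL,web-admin@ALL
bob:staff@ALL
'

# Print the principals (one per line, optional authorized_keys-style options
# first) that may log in as the requested account.  Returns 1 and prints
# nothing for an account name that is not a plain POSIX user name, so odd
# input arriving via %u never reaches a file path or a shell.
principals_for() {
    account="$1"
    case "$account" in
        ""|-*|*[!a-z0-9_-]*) return 1 ;;
    esac
    case "$account" in
        root)
            # root only via the root@ALL principal, and only from the admin net.
            printf 'from="10.0.0.0/8" root@ALL\n'
            ;;
        backup)
            # Forced command and no PTY: holders of backup@ALL can only run the job.
            printf 'command="/usr/local/bin/run-backup",no-pty backup@ALL\n'
            ;;
        *)
            # Everyone else: whatever principals the group table lists for them.
            printf '%s\n' "$GROUP_TABLE" | while IFS=: read -r name plist; do
                [ "$name" = "$account" ] || continue
                printf '%s\n' "$plist" | tr ',' '\n'
            done
            ;;
    esac
}

# Entry point when invoked by sshd with the account name as $1.
if [ -n "$1" ]; then
    principals_for "$1"
fi
```

An account absent from the table prints nothing, so sshd has no principal to match and refuses the login.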