Created
November 3, 2021 15:09
-
-
Save ddrown/1f3e23f0b9d106977a93f0fd8e8048dc to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # generate the CA | |
| client$ ssh-keygen -N '' -C user-ca -f ~/.ssh/ca | |
| Generating public/private rsa key pair. | |
| Your identification has been saved in /home/work/.ssh/ca | |
| Your public key has been saved in /home/work/.ssh/ca.pub | |
| The key fingerprint is: | |
| SHA256:+b1N4C0pVYhMZ2m4XWqz8op50rEH9CAfFT0k9USRCOc user-ca | |
| The key's randomart image is: | |
| +---[RSA 3072]----+ | |
| | .o*B+o=| | |
| | o.+*+++ | | |
| | o=.E...| | |
| | ..= =. | | |
| | S+ =oo | | |
| | .=+o+ | | |
| | .o*= o | | |
| | .o+.o= | | |
| | oo.o. . | | |
| +----[SHA256]-----+ | |
| # generate the key to sign | |
| client$ ssh-keygen -N "" -C ca-signed -f ~/.ssh/ca-signed | |
| Generating public/private rsa key pair. | |
| Your identification has been saved in /home/work/.ssh/ca-signed | |
| Your public key has been saved in /home/work/.ssh/ca-signed.pub | |
| The key fingerprint is: | |
| SHA256:U82UiPgJojBhu2+DafHukmTFCnamtKRrk6qtTHkazT8 ca-signed | |
| The key's randomart image is: | |
| +---[RSA 3072]----+ | |
| |.o . . ... | | |
| |+ . . o . .+. | | |
| | +.. . o .. o | | |
| |.+o= o. | | |
| |*oB S | | |
| |.*X . | | |
| |oOoO | | |
| |=B* oE | | |
| |B+=o .. | | |
| +----[SHA256]-----+ | |
| # sign the key with the CA, expires in 1 hour. ssh-keygen has a bunch of other possible restrictions it can put on the new key | |
| client$ ssh-keygen -V +1h -s ~/.ssh/ca -I new-user-key-id ~/.ssh/ca-signed.pub | |
| Signed user key /home/work/.ssh/ca-signed-cert.pub: id "new-user-key-id" serial 0 valid from 2021-11-03T09:10:00 to 2021-11-03T10:11:17 | |
| # inspect the signed key, which is in the cert.pub file | |
| client$ ssh-keygen -L -f ~/.ssh/ca-signed-cert.pub | |
| ~/.ssh/ca-signed-cert.pub: | |
| Type: ssh-rsa-cert-v01@openssh.com user certificate | |
| Public key: RSA-CERT SHA256:U82UiPgJojBhu2+DafHukmTFCnamtKRrk6qtTHkazT8 | |
| Signing CA: RSA SHA256:+b1N4C0pVYhMZ2m4XWqz8op50rEH9CAfFT0k9USRCOc (using rsa-sha2-512) | |
| Key ID: "new-user-key-id" | |
| Serial: 0 | |
| Valid: from 2021-11-03T09:10:00 to 2021-11-03T10:11:17 | |
| Principals: (none) | |
| Critical Options: (none) | |
| Extensions: | |
| permit-X11-forwarding | |
| permit-agent-forwarding | |
| permit-port-forwarding | |
| permit-pty | |
| permit-user-rc | |
| # have the server accept any key signed by the cert authority | |
| server$ echo cert-authority `cat ~/.ssh/ca.pub` >>~/.ssh/authorized_keys | |
| # login with the key | |
| client$ ssh -v -i .ssh/ca-signed server.example.org | |
| ... | |
| debug1: Will attempt key: .ssh/ca-signed RSA SHA256:U82UiPgJojBhu2+DafHukmTFCnamtKRrk6qtTHkazT8 explicit | |
| debug1: Will attempt key: .ssh/ca-signed RSA-CERT SHA256:U82UiPgJojBhu2+DafHukmTFCnamtKRrk6qtTHkazT8 explicit | |
| ... | |
| debug1: Offering public key: .ssh/ca-signed RSA SHA256:U82UiPgJojBhu2+DafHukmTFCnamtKRrk6qtTHkazT8 explicit | |
| debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password | |
| debug1: Offering public key: .ssh/ca-signed RSA-CERT SHA256:U82UiPgJojBhu2+DafHukmTFCnamtKRrk6qtTHkazT8 explicit | |
| debug1: Server accepts key: .ssh/ca-signed RSA-CERT SHA256:U82UiPgJojBhu2+DafHukmTFCnamtKRrk6qtTHkazT8 explicit | |
| debug1: Authentication succeeded (publickey). | |
| ... | |
| server$ | |
| # log message | |
| sshd[31417]: Accepted publickey for [user] RSA-CERT ID new-user-key-id (serial 0) CA RSA SHA256:+b1N4C0pVYhMZ2m4XWqz8op50rEH9CAfFT0k9USRCOc |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment