SSH Certificate-Based Authentication
https://goteleport.com/blog/how-to-configure-ssh-certificate-based-authentication/
Generating Certificate Authority (CA)
ssh-keygen -t rsa -b 4096 -f host_ca -C host_ca
$ ls -l
total 8
-rw-------. 1 root ssh_keys 3381 Mar 19 14:30 host_ca
-rw-r--r--. 1 root ssh_keys 737 Mar 19 14:30 host_ca.pub
host_ca is the CA's private key: give it a passphrase when prompted, keep it at mode 0600 as shown, and keep it off the servers and clients. Only host_ca.pub is ever distributed.
Issuing host certificates (to authenticate hosts to users)
Take the host's public key (ssh_host_rsa_key.pub) and sign it with the CA key:
ssh-keygen -s host_ca -I server.host -h -n server.host.it -V +52w ssh_host_rsa_key.pub
Here -s names the CA private key, -h makes this a host certificate rather than a user certificate, -I sets the key identifier that shows up in logs, -n lists the principals (host names) the certificate is valid for, and -V sets the validity period (52 weeks from now).
$ ls -l
-rw------- 1 root ssh_keys 3247 Mar 17 14:49 ssh_host_rsa_key
-rw-r--r-- 1 root ssh_keys 2369 Mar 17 14:50 ssh_host_rsa_key-cert.pub
-rw-r--r-- 1 root ssh_keys 764 Mar 17 14:49 ssh_host_rsa_key.pub
ssh_host_rsa_key-cert.pub contains the signed host certificate. Inspect it with ssh-keygen -L -f ssh_host_rsa_key-cert.pub to confirm the key ID, principals, validity window and signing CA before copying it anywhere.
Server (on server.host):
First, copy the three files you just generated to the server, store them under /etc/ssh, and set the permissions to match the other files there (the private key root-owned and mode 0600). If you signed the server's existing host public key instead of generating a new pair, only ssh_host_rsa_key-cert.pub needs to be copied; the private host key should never leave the server. Then add this line to /etc/ssh/sshd_config:
HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
Once this is done, check the configuration with sshd -t, then restart sshd with systemctl restart sshd.
Client:
For your local ssh client to make use of this (and automatically trust the host based on the certificate's identity), you also need to add the CA's public key to your known_hosts file.
You can do this by taking the contents of host_ca.pub, prefixing it with @cert-authority *.host.it, and appending the result to ~/.ssh/known_hosts (or to /etc/ssh/ssh_known_hosts to trust the CA for every user on the machine). The pattern after @cert-authority limits which host names this CA may vouch for, so keep it as narrow as possible; a bare * would let a certificate from this CA pass for any host:
@cert-authority *.host.it ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDwiOso0Q4W+KKQ4OrZZ1o1X7g3yWcmAJtySILZSwo
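An end-to-end run of the procedure above (CA key, signed host certificate, client known_hosts line), as an added example that is not code from the Teleport post. It generates a throwaway RSA key to stand in for the server's existing ssh_host_rsa_key; the scratch directory, that stand-in key and the check functions are assumptions of this script, while the key ID, principal and 52-week validity are the page's. On top of the page's steps it adds the two checks you want before shipping a certificate: that the signing CA recorded in the certificate is your CA, and that the principal matches the name clients will connect to.

```shell
#!/bin/sh
# Added example, not code from the Teleport post: builds a throwaway host CA,
# signs a host key the way the page does, runs pre-shipping checks on the
# certificate and prints the client's @cert-authority line.
# Assumptions: a scratch directory from mktemp, and a freshly generated RSA
# key standing in for the server's existing /etc/ssh/ssh_host_rsa_key.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_KEY="$WORK/host_ca"
HOST_KEY="$WORK/ssh_host_rsa_key"
PRINCIPAL="server.host.it"        # the name clients will connect to

# Step 1 from the page: the CA key pair. The private half never leaves the
# CA machine; only host_ca.pub is handed to clients.
make_ca() {
    ssh-keygen -q -t rsa -b 4096 -N '' -f "$CA_KEY" -C host_ca
}

# Stand-in for the server's existing host key (assumption of this demo).
# In real use you copy only ssh_host_rsa_key.pub to the CA machine and sign that.
make_host_key() {
    ssh-keygen -q -t rsa -b 4096 -N '' -f "$HOST_KEY" -C "$PRINCIPAL"
}

# Step 2: sign it. -s CA key, -h host (not user) certificate, -I key id that
# shows up in logs, -n principals the cert is valid for, -V validity window.
sign_host_key() {
    ssh-keygen -q -s "$CA_KEY" -I server.host -h -n "$PRINCIPAL" -V +52w "$HOST_KEY.pub"
}

# Fingerprint of the CA that signed the certificate, as recorded in the cert
# ("Signing CA: RSA SHA256:..." in the ssh-keygen -L dump).
cert_signing_ca_fingerprint() {
    ssh-keygen -L -f "$HOST_KEY-cert.pub" |
        sed -n 's/^[[:space:]]*Signing CA: [^ ]* \([^ ]*\).*/\1/p'
}

# Fingerprint of our own CA public key; must equal the one above.
ca_fingerprint() {
    ssh-keygen -lf "$CA_KEY.pub" | awk '{print $2}'
}

# Principals embedded in the certificate, one per line.
cert_principals() {
    ssh-keygen -L -f "$HOST_KEY-cert.pub" |
        awk '/Principals:/ {p=1; next} /Critical Options:/ {p=0} p {sub(/^[ \t]+/, ""); print}'
}

# Step 3 (client side): the @cert-authority line. The pattern limits which
# host names this CA may vouch for; never use a bare "*".
cert_authority_line() {
    printf '@cert-authority *.host.it %s\n' "$(cut -d' ' -f1,2 "$CA_KEY.pub")"
}

main() {
    make_ca
    make_host_key
    sign_host_key
    ssh-keygen -L -f "$HOST_KEY-cert.pub"     # human-readable view of the cert
    if [ "$(cert_signing_ca_fingerprint)" != "$(ca_fingerprint)" ]; then
        echo "certificate was not signed by our CA" >&2
        exit 1
    fi
    cert_principals | grep -qx "$PRINCIPAL" || { echo "principal $PRINCIPAL missing" >&2; exit 1; }
    echo "append to ~/.ssh/known_hosts:"
    cert_authority_line
}

main "$@"
```

Run it with sh on any machine that has ssh-keygen. The ssh-keygen -L dump is what the client's checks are built from: the host name you type must match a Principal, the clock must fall inside the Valid window, and the Signing CA fingerprint must belong to a key listed with @cert-authority for that host pattern in known_hosts. The fingerprint comparison in main is the same comparison the client makes, done ahead of time so a certificate signed by the wrong CA is caught before it ever reaches /etc/ssh.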