SSH Certificates with step-ca
Installation
Follow instructions on the previous post or the step readme
Setup
Create required root and SSH signing keys:
$ step ca init --ssh
✔ What would you like to name your new PKI? (e.g. Smallstep): Whatsdoom
✔ What DNS names or IP addresses would you like to add to your new CA? (e.g. ca.smallstep.com[,1.1.1.1,etc.]): ca.example.com
✔ What address will your new CA listen at? (e.g. :443): :8443
✔ What would you like to name the first provisioner for your new CA? (e.g. you@smallstep.com): you@example.com
✔ What do you want your password to be? [leave empty and we'll generate one]:
Generating root certificate...
all done!
Generating intermediate certificate...
Generating user and host SSH certificate signing keys...
all done!
✔ Root certificate: /home/paul/.step/certs/root_ca.crt
✔ Root private key: /home/paul/.step/secrets/root_ca_key
✔ Root fingerprint: f86a0243f05130bcd159be795ac107fcffde748c9b29bf01a05c3dc41a865eee
✔ Intermediate certificate: /home/paul/.step/certs/intermediate_ca.crt
✔ Intermediate private key: /home/paul/.step/secrets/intermediate_ca_key
✔ SSH user root certificate: /home/paul/.step/certs/ssh_user_ca_key.pub
✔ SSH user root private key: /home/paul/.step/secrets/ssh_user_ca_key
✔ SSH host root certificate: /home/paul/.step/certs/ssh_host_ca_key.pub
✔ SSH host root private key: /home/paul/.step/secrets/ssh_host_ca_key
✔ Database folder: /home/paul/.step/db
✔ Templates folder: /home/paul/.step/templates
✔ Default configuration: /home/paul/.step/config/defaults.json
✔ Certificate Authority configuration: /home/paul/.step/config/ca.json
Your PKI is ready to go. To generate certificates for individual services see 'step help ca'.
FEEDBACK 😍 🍻
The step utility is not instrumented for usage statistics. It does not
phone home. But your feedback is extremely valuable. Any information you
can provide regarding how you’re using `step` helps. Please send us a
sentence or two, good or bad: feedback@smallstep.com or join
https://gitter.im/smallstep/community.
You'll notice that this time four additional files were created. We'll use the ssh host and ssh user key pairs in the following steps.
Configuring SSHD
Copy the user ca public key to the SSH directory for all the hosts:
sudo ln /home/paul/.step/certs/ssh_user_ca_key.pub /etc/ssh/ sudo chown root:root /etc/ssh/ssh_user_ca_key.pub sudo chmod 644 /etc/ssh/ssh_user_ca_key.pub
Sign the host's SSH key, this will help clients to get around those pesky "The authenticity of host" prompts when you connect to a host for the first time:
$ sudo step ssh certificate $HOSTNAME /etc/ssh/ssh_host_ecdsa_key.pub --host --sign ✔ Provisioner: paul@whatsdoom.com (JWK) [kid: S3ayxHbapfYPGIxr7W1PM1BRbAYE5Is4FfE1Cle-9xU] ✔ Please enter the password to decrypt the provisioner key: ✔ CA: https://ca.whatsdoom.com:8443 ✔ Certificate: /etc/ssh/ssh_host_ecdsa_key-cert.pub
Edit the SSHD config file (/etc/ssh/sshd_config)) to point to the new user ca and our new host certificate:
TrustedUserCAKeys /etc/ssh/ssh_user_ca_key.pub HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub
After you make the changes to the config file, ensure it can still be parsed:
sudo sshd -t
Restart the SSH service:
sudo service ssh restart
Configuring SSH on local machine
On the CA server, copy the value of the ssh_host_ca_key.pub file to add your ~/.ssh/authorized_keys file:
$ cat ~/.step/certs/ssh_host_ca_key.pub ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBYVt/6XWuJuNiRdUt/2G/4XEsrJnwW0MqzOKY3+Up5Y0n40nOF1CyBNpFaBbFaWjUfWDvgm+9wVgDnGhW0UXvU=
Add your cert authority configuration to the authorized_keys file on the client machine:
echo "@cert-authority www1.whatsdoom.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPrvMrLPN/zxEfKS5phzZWeAzc6Lv21xxZWkkz7EhDH0VeygkigsU8RYGLKMjTlHXUxc8CQxI8OzrSVUvRJ5//I=" >> ~/.ssh/known_hosts
The previous step helps to avoid messages like:
$ ssh server.example The authenticity of host 'server.example (server.example)' can't be established. ECDSA key fingerprint is SHA256:INbyCz7rwqsj1JN/R9CYTaukuI9WsdwmLqKjkO2VZBB. Are you sure you want to continue connecting (yes/no)?
Perhaps more importantly, you can avoid messages like the following if you ever re-key or recreate a server:
$ ssh server.example @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that a host key has just been changed. The fingerprint for the ECDSA key sent by the remote host is SHA256:INbyCz7rwqsj1JN/R9CYTaukuI9WsdwmLqKjkO2VZBB. Please contact your system administrator. Add correct host key in /home/paul/.ssh/known_hosts to get rid of this message. Offending ECDSA key in /home/paul/.ssh/known_hosts:1 remove with: ssh-keygen -f "/home/paul/.ssh/known_hosts" -R "server.example" ECDSA host key for server.example has changed and you have requested strict checking. Host key verification failed.
Ensure the CA server is running
On your server ensure that the server is running:
$ step-ca $(step path)/config/ca.json Please enter the password to decrypt /home/paul/.step/secrets/intermediate_ca_key: Please enter the password to decrypt /home/paul/.step/secrets/ssh_host_ca_key: Please enter the password to decrypt /home/paul/.step/secrets/ssh_user_ca_key: 2020/02/25 00:46:37 Serving HTTPS on :8443 ...
Generating keys to connect to remote server
Create a new SSH key pair with a certificate:
$ step ssh certificate paul@whatsdoom id_ecdsa ✔ Provisioner: paul@whatsdoom.com (JWK) [kid: S3ayxHbapfYPGIxr7W1PM1BRbAYE5Is4FfE1Cle-9xU] ✔ Please enter the password to decrypt the provisioner key: ✔ CA: https://ca.whatsdoom.com:8443 Please enter the password to encrypt the private key: ✔ Private Key: id_ecdsa ✔ Public Key: id_ecdsa.pub ✔ Certificate: id_ecdsa-cert.pub ✔ SSH Agent: yes
Debugging
If you generated your CA without the SSH keys the output when attempting to generate a certificate will look like this:
$ step ssh certificate paul@whatsdoom id_ecdsa ✔ Provisioner: paul@whatsdoom.com (JWK) [kid: 7KFMEf7OPkG_QBk47O7epR-yWwl7k8H1scbSEhuGgeA] ✔ Please enter the password to decrypt the provisioner key: ✔ CA: https://ca.whatsdoom.com:8443 The requested method is not implemented by the certificate authority. Please see the certificate authority logs for more info. Re-run with STEPDEBUG=1 for more info.
Other Commands
Pass additional usernames that the certificate allowed to use:
step ssh certificate --principal paul --principal ubuntu paul@whatsdoom id_ecdsa
Renewing the cert for an existing SSH key pair:
$ step ssh certificate --sign --principal admin --principal ubuntu paul@whatsdoom id_ecdsa.pub ✔ Provisioner: paul@whatsdoom.com (JWK) [kid: S3ayxHbapfYPGIxr7W1PM1BRbAYE5Is4FfE1Cle-9xU] ✔ Please enter the password to decrypt the provisioner key: ✔ CA: https://ca.whatsdoom.com:8443 ✔ Certificate: id_ecdsa-cert.pub
Checking a signed key using the generated cert file:
$ ssh-keygen -L -f ~/.ssh/id_ecdsa-cert.pub
/Users/paul/.ssh/id_ecdsa-cert.pub:
Type: ecdsa-sha2-nistp256-cert-v01@openssh.com user certificate
Public key: ECDSA-CERT SHA256:MYLK470SnLvBqV6zsCS76oYkHj+x0QO96lcbtvvUmTk
Signing CA: ECDSA SHA256:PRrktIoVIOwFb/V/ckl0FDSMULNP4dVEuGx1ks0417c
Key ID: "paul@whatsdoom"
Serial: 6336785949649563520
Valid: from 2020-02-25T01:07:55 to 2020-02-25T17:08:55
Principals:
paul
Critical Options: (none)
Extensions:
permit-X11-forwarding
permit-agent-forwarding
permit-port-forwarding
permit-pty
permit-user-rc