Follow instructions on the previous post or the step readme
Create required root and SSH signing keys:
$ step ca init --ssh ✔ What would you like to name your new PKI? (e.g. Smallstep): Whatsdoom ✔ What DNS names or IP addresses would you like to add to your new CA? (e.g. ca.smallstep.com[,220.127.116.11,etc.]): ca.example.com ✔ What address will your new CA listen at? (e.g. :443): :8443 ✔ What would you like to name the first provisioner for your new CA? (e.g. firstname.lastname@example.org): email@example.com ✔ What do you want your password to be? [leave empty and we'll generate one]: Generating root certificate... all done! Generating intermediate certificate... Generating user and host SSH certificate signing keys... all done! ✔ Root certificate: /home/paul/.step/certs/root_ca.crt ✔ Root private key: /home/paul/.step/secrets/root_ca_key ✔ Root fingerprint: f86a0243f05130bcd159be795ac107fcffde748c9b29bf01a05c3dc41a865eee ✔ Intermediate certificate: /home/paul/.step/certs/intermediate_ca.crt ✔ Intermediate private key: /home/paul/.step/secrets/intermediate_ca_key ✔ SSH user root certificate: /home/paul/.step/certs/ssh_user_ca_key.pub ✔ SSH user root private key: /home/paul/.step/secrets/ssh_user_ca_key ✔ SSH host root certificate: /home/paul/.step/certs/ssh_host_ca_key.pub ✔ SSH host root private key: /home/paul/.step/secrets/ssh_host_ca_key ✔ Database folder: /home/paul/.step/db ✔ Templates folder: /home/paul/.step/templates ✔ Default configuration: /home/paul/.step/config/defaults.json ✔ Certificate Authority configuration: /home/paul/.step/config/ca.json Your PKI is ready to go. To generate certificates for individual services see 'step help ca'. FEEDBACK 😍 🍻 The step utility is not instrumented for usage statistics. It does not phone home. But your feedback is extremely valuable. Any information you can provide regarding how you’re using `step` helps. Please send us a sentence or two, good or bad: firstname.lastname@example.org or join https://gitter.im/smallstep/community.
You'll notice that this time four additional files were created. We'll use the ssh host and ssh user key pairs in the following steps.
Copy the user ca public key to the SSH directory for all the hosts:
sudo ln /home/paul/.step/certs/ssh_user_ca_key.pub /etc/ssh/ sudo chown root:root /etc/ssh/ssh_user_ca_key.pub sudo chmod 644 /etc/ssh/ssh_user_ca_key.pub
Sign the host's SSH key, this will help clients to get around those pesky "The authenticity of host" prompts when you connect to a host for the first time:
$ sudo step ssh certificate $HOSTNAME /etc/ssh/ssh_host_ecdsa_key.pub --host --sign ✔ Provisioner: email@example.com (JWK) [kid: S3ayxHbapfYPGIxr7W1PM1BRbAYE5Is4FfE1Cle-9xU] ✔ Please enter the password to decrypt the provisioner key: ✔ CA: https://ca.whatsdoom.com:8443 ✔ Certificate: /etc/ssh/ssh_host_ecdsa_key-cert.pub
Edit the SSHD config file (/etc/ssh/sshd_config)) to point to the new user ca and our new host certificate:
TrustedUserCAKeys /etc/ssh/ssh_user_ca_key.pub HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub
After you make the changes to the config file, ensure it can still be parsed:
sudo sshd -t
Restart the SSH service:
sudo service ssh restart
Configuring SSH on local machine
On the CA server, copy the value of the ssh_host_ca_key.pub file to add your ~/.ssh/authorized_keys file:
$ cat ~/.step/certs/ssh_host_ca_key.pub ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBYVt/6XWuJuNiRdUt/2G/4XEsrJnwW0MqzOKY3+Up5Y0n40nOF1CyBNpFaBbFaWjUfWDvgm+9wVgDnGhW0UXvU=
Add your cert authority configuration to the authorized_keys file on the client machine:
echo "@cert-authority www1.whatsdoom.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPrvMrLPN/zxEfKS5phzZWeAzc6Lv21xxZWkkz7EhDH0VeygkigsU8RYGLKMjTlHXUxc8CQxI8OzrSVUvRJ5//I=" >> ~/.ssh/known_hosts
The previous step helps to avoid messages like:
$ ssh server.example The authenticity of host 'server.example (server.example)' can't be established. ECDSA key fingerprint is SHA256:INbyCz7rwqsj1JN/R9CYTaukuI9WsdwmLqKjkO2VZBB. Are you sure you want to continue connecting (yes/no)?
Perhaps more importantly, you can avoid messages like the following if you ever re-key or recreate a server:
$ ssh server.example @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that a host key has just been changed. The fingerprint for the ECDSA key sent by the remote host is SHA256:INbyCz7rwqsj1JN/R9CYTaukuI9WsdwmLqKjkO2VZBB. Please contact your system administrator. Add correct host key in /home/paul/.ssh/known_hosts to get rid of this message. Offending ECDSA key in /home/paul/.ssh/known_hosts:1 remove with: ssh-keygen -f "/home/paul/.ssh/known_hosts" -R "server.example" ECDSA host key for server.example has changed and you have requested strict checking. Host key verification failed.
Ensure the CA server is running
On your server ensure that the server is running:
$ step-ca $(step path)/config/ca.json Please enter the password to decrypt /home/paul/.step/secrets/intermediate_ca_key: Please enter the password to decrypt /home/paul/.step/secrets/ssh_host_ca_key: Please enter the password to decrypt /home/paul/.step/secrets/ssh_user_ca_key: 2020/02/25 00:46:37 Serving HTTPS on :8443 ...
Generating keys to connect to remote server
Create a new SSH key pair with a certificate:
$ step ssh certificate paul@whatsdoom id_ecdsa ✔ Provisioner: firstname.lastname@example.org (JWK) [kid: S3ayxHbapfYPGIxr7W1PM1BRbAYE5Is4FfE1Cle-9xU] ✔ Please enter the password to decrypt the provisioner key: ✔ CA: https://ca.whatsdoom.com:8443 Please enter the password to encrypt the private key: ✔ Private Key: id_ecdsa ✔ Public Key: id_ecdsa.pub ✔ Certificate: id_ecdsa-cert.pub ✔ SSH Agent: yes
If you generated your CA without the SSH keys the output when attempting to generate a certificate will look like this:
$ step ssh certificate paul@whatsdoom id_ecdsa ✔ Provisioner: email@example.com (JWK) [kid: 7KFMEf7OPkG_QBk47O7epR-yWwl7k8H1scbSEhuGgeA] ✔ Please enter the password to decrypt the provisioner key: ✔ CA: https://ca.whatsdoom.com:8443 The requested method is not implemented by the certificate authority. Please see the certificate authority logs for more info. Re-run with STEPDEBUG=1 for more info.
Pass additional usernames that the certificate allowed to use:
step ssh certificate --principal paul --principal ubuntu paul@whatsdoom id_ecdsa
Renewing the cert for an existing SSH key pair:
$ step ssh certificate --sign --principal admin --principal ubuntu paul@whatsdoom id_ecdsa.pub ✔ Provisioner: firstname.lastname@example.org (JWK) [kid: S3ayxHbapfYPGIxr7W1PM1BRbAYE5Is4FfE1Cle-9xU] ✔ Please enter the password to decrypt the provisioner key: ✔ CA: https://ca.whatsdoom.com:8443 ✔ Certificate: id_ecdsa-cert.pub
Checking a signed key using the generated cert file:
$ ssh-keygen -L -f ~/.ssh/id_ecdsa-cert.pub /Users/paul/.ssh/id_ecdsa-cert.pub: Type: email@example.com user certificate Public key: ECDSA-CERT SHA256:MYLK470SnLvBqV6zsCS76oYkHj+x0QO96lcbtvvUmTk Signing CA: ECDSA SHA256:PRrktIoVIOwFb/V/ckl0FDSMULNP4dVEuGx1ks0417c Key ID: "paul@whatsdoom" Serial: 6336785949649563520 Valid: from 2020-02-25T01:07:55 to 2020-02-25T17:08:55 Principals: paul Critical Options: (none) Extensions: permit-X11-forwarding permit-agent-forwarding permit-port-forwarding permit-pty permit-user-rc