    Anyone using ssh certificates for logins instead of keys?

    IT Discussion
    ssh ssh keys certificate certificate authority
    • 1
      1337
      last edited by 1337

      While I was looking at good solutions to distribute and keep track of keys for ssh logins, I came across that you can nowadays use ssh certificates instead. Then there is no need to distribute keys. It seems like a much, much better solution than keys in several ways. However it's not that common I think.

      Anyone here that has implemented certificates for ssh instead of keys?

      JaredBuschJ 1 Reply Last reply Reply Quote 0
      • JaredBuschJ
        JaredBusch @1337
        last edited by

        @pete-s said in Anyone using ssh certificates for logins instead of keys?:

        While I was looking at good solutions to distribute and keep track of keys for ssh logins, I came across that you can nowadays use ssh certificates instead. Then there is no need to distribute keys. It seems like a much, much better solution than keys in several ways. However it's not that common I think.

        Anyone here that has implemented certificates for ssh instead of keys?

        No, because it is not really a benefit at small scale. Not that it is hard either.

        It is the only way to do anything at large scale IMO though.

        I've been meaning to migrate to it for a while and write some guides.

        But meh, never been a priority.

        1 Reply Last reply Reply Quote 1
        • scottalanmillerS
          scottalanmiller
          last edited by

          Do you mean SSL certificates? Should be almost identical to using regular keys. Handy at scale for sure. But have not done it. Would love feedback on it.

          1 1 Reply Last reply Reply Quote 0
          • 1
            1337 @scottalanmiller
            last edited by

            @scottalanmiller said in Anyone using ssh certificates for logins instead of keys?:

            Do you mean SSL certificates? Should be almost identical to using regular keys. Handy at scale for sure. But have not done it. Would love feedback on it.

            No, I mean SSH certificates.

            The ssh client has a certificate that is signed by a trusted CA (your own). The server has also a certificate that is signed by a trusted CA. Now the server and the client are sure that they both are who they say they are.

            But I'm pretty sure you could use SSL certificates as well for ssh. But I think I read somewhere that there will not be much benefit. I haven't figured out the exact difference, except that SSL is x509 and I think SSH certificates are not.

            1 scottalanmillerS 2 Replies Last reply Reply Quote 0
            • 1
              1337 @1337
              last edited by

              @pete-s said in Anyone using ssh certificates for logins instead of keys?:

              @scottalanmiller said in Anyone using ssh certificates for logins instead of keys?:

              Do you mean SSL certificates? Should be almost identical to using regular keys. Handy at scale for sure. But have not done it. Would love feedback on it.

              No, I mean SSH certificates.

              The ssh client has a certificate that is signed by a trusted CA (your own). The server has also a certificate that is signed by a trusted CA. Now the server and the client are sure that they both are who they say they are.

              But I'm pretty sure you could use SSL certificates as well for ssh. But I think I read somewhere that there will not be much benefit. I haven't figured out the exact difference, except that SSL is x509 and I think SSH certificates are not.

              This was my source of information:

              Using public key cryptography for authentication requires copying the public key from every client to every server that the client intends to log into. This system does not scale well and can be an administrative burden. Using a public key from a certificate authority (CA) to authenticate client certificates removes the need to copy keys between multiple systems. While the X.509 Public Key Infrastructure Certificate system provides a solution to this issue, there is a submission and validation process, with associated fees, to go through in order to get a certificate signed. As an alternative, OpenSSH supports the creation of simple certificates and associated CA infrastructure.

              https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sec-using_openssh_certificate_authentication

              1 Reply Last reply Reply Quote 0
              • scottalanmillerS
                scottalanmiller @1337
                last edited by

                @pete-s said in Anyone using ssh certificates for logins instead of keys?:

                except that SSL is x509 and I think SSH certificates are not.

                Oh, I thought that they were both x509.

                1 Reply Last reply Reply Quote 0
                • scottalanmillerS
                  scottalanmiller
                  last edited by

                  They do not, you are right. They don't use x509 certs, but they use the same algorithms as TLS (because it's OpenSSL under the hood.) So same security, different cert. By default, at least.

                  1 1 Reply Last reply Reply Quote 0
                  • JaredBuschJ
                    JaredBusch
                    last edited by

                    Certificates are better because you no longer need to manage keys for users.

                    Everyone gets a cert from a trusted CA.

                    Certs expire. If you tie the user cert to some SSO system with 2FA you are super secure for generation of a cert that is only good for say 24 hours.

                    The ssh users simply validate themselves once a day.

                    Dealing with keys at scale is absolutely a mess.

                    1 Reply Last reply Reply Quote 1
                    • JaredBuschJ
                      JaredBusch
                      last edited by

                      The problem with certs is the infrastructure to set up a trusted CA and the generation of certs for users.

                      But once set up it is permanent and secure.

                      1 Reply Last reply Reply Quote 1
                      • 1
                        1337 @scottalanmiller
                        last edited by

                        @scottalanmiller said in Anyone using ssh certificates for logins instead of keys?:

                        They do not, you are right. They don't use x509 certs, but they use the same algorithms as TLS (because it's OpenSSL under the hood.) So same security, different cert. By default, at least.

                        Thinking about it, we already create and manage user certificates for OpenVPN. I think they are x509 TLS/SSL certificates. Maybe we could use the same infrastructure to manage SSH certificates or perhaps use SSL certificates for ssh instead...

                        Need to research some more...

                        1 Reply Last reply Reply Quote 0
                        • stacksofplatesS
                          stacksofplates
                          last edited by

                          This is the main way Vault handles SSH creds. It will act as your CA and assign dynamic certs for you.

                          1 Reply Last reply Reply Quote 1
                          • 1
                            1337
                            last edited by

                            This is the difference between regular x509 certificates and the SSH certificates.

                            (image: comparison of regular x509 certificates and SSH certificates)

                            1 Reply Last reply Reply Quote 0
                            • 1
                              1337
                              last edited by 1337

                              • OpenSSH can use host certificates to verify the host (like SSL certs on a webserver).
                              • OpenSSH can also use user certificates to verify the user (like passwords or ssh keys).

                              Both these types of cert can be used independently of each other.


                              I've tested using user certificates to authorize user login, since that is what most people do with keys. People never really verify the host identity.

                              It works great and it's actually very simple. This will be my new SOP going forward.

                              Before starting to add hosts and users you need to create a Certificate Authority (CA) - which is actually just a key pair. It's a one-liner.

                              Every time you create a new host, you just need to copy the same file to it - the public key of the CA. And change one line in sshd_config to allow ssh certificates.

                              Every time you have a new user on your team who needs access to servers, you have to generate a certificate for him. It's a one-liner. He will copy the certificate to his own machine. And the ssh client will automatically send the certificate when needed.


                              Generating certificates is the part that could be automated. You could for instance be given a certificate that expires in 5 minutes. That would allow you to login and stay logged in. But if you need to login again, you need to generate a new certificate.

                              1 Reply Last reply Reply Quote 0
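The workflow the post above describes (CA key pair, one sshd_config line per host, a short-lived signed certificate per user), as an added shell example that is not from the thread. It uses OpenSSH's ssh-keygen; the paths and names (ssh_ca, alice, /etc/ssh/ssh_ca.pub) are constructed for illustration and everything runs in a scratch directory.

```shell
#!/bin/sh
# Added example, not code from the thread: the OpenSSH certificate workflow
# described above, driven by ssh-keygen. Paths and names (ssh_ca, alice) are
# constructed for illustration; run in a scratch directory, not on a live host.
set -eu

# 1. The CA is just a key pair. The private half never leaves the signing box.
make_ca() {                       # $1 = directory to create ssh_ca / ssh_ca.pub in
    ssh-keygen -q -t ed25519 -N '' -C 'example-ssh-ca' -f "$1/ssh_ca"
}

# 2. Each host gets the CA *public* key and one sshd_config line; users then
#    present a certificate instead of having a key listed in authorized_keys.
sshd_config_line() {              # $1 = path of the installed CA public key
    printf 'TrustedUserCAKeys %s\n' "$1"
}

# 3. Sign a user's existing public key. -n lists the account names (principals)
#    the cert may log in as, -V bounds its lifetime (+5m gives the five-minute
#    cert mentioned in the post), -I is the key ID sshd writes to its auth log,
#    which is what ties each login back to a person rather than a shared key.
sign_user_key() {                 # $1 = CA private key, $2 = user pubkey, $3 = principal, $4 = validity
    ssh-keygen -q -s "$1" -I "$3" -n "$3" -V "$4" "$2"   # writes ${2%.pub}-cert.pub
}

# Read back what sshd will enforce: principals and validity window.
cert_principals() {               # $1 = certificate file
    ssh-keygen -L -f "$1" | awk '/Principals:/{p=1;next} /Critical Options:/{p=0} p{print $1}'
}
cert_validity() {                 # $1 = certificate file -> "from ... to ..."
    ssh-keygen -L -f "$1" | sed -n 's/^[[:space:]]*Valid: //p'
}

# End-to-end run in a temporary directory.
demo() {
    d=$(mktemp -d)
    make_ca "$d"
    ssh-keygen -q -t ed25519 -N '' -f "$d/alice_key"          # the user's own key pair
    sign_user_key "$d/ssh_ca" "$d/alice_key.pub" alice +5m
    echo "sshd_config on every host: $(sshd_config_line /etc/ssh/ssh_ca.pub)"
    echo "cert principals: $(cert_principals "$d/alice_key-cert.pub")"
    echo "cert validity:   $(cert_validity "$d/alice_key-cert.pub")"
    rm -rf "$d"
}

if command -v ssh-keygen >/dev/null 2>&1; then demo; else echo 'ssh-keygen not found' >&2; fi
```

Once the certificate has expired, sshd rejects it even though the CA still trusts the user's key, which is what makes the short validity window the revocation mechanism.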