SSH cert authentication
Create a script to sign the cert
cat > bastion_cert_mac.sh << 'EOF'
#!/usr/bin/env bash
# Sign a developer's SSH public key with the bastion CA private key (macOS date syntax).
usage="$0 developer_ldap_name developer_machine_name ssh_public_key_path ca_name ca_private_key_file cert_life_span<e.g. +90d>"
if [ $# -lt 6 ]; then
    echo "Usage: $usage"
    exit 1
fi
DEVELOPER=$1
HOST=$2
SSH_KEY=$3
CA_NAME=$4
CA_FILE=$5
CERT_LIFE_SPAN=$6
# MD5 fingerprint of the key being signed, without the "MD5:" prefix, for the key ID
SSH_KEY_FINGERPRINT=$(ssh-keygen -l -E md5 -f "$SSH_KEY" | cut -d' ' -f 2 | cut -c 5-)
# Human-readable expiry; `date -v` is the macOS/BSD form of relative date arithmetic
VALID_TO_TEXT=$(date -j -v "$CERT_LIFE_SPAN" "+%Y/%m/%d %H:%M:%S")
# The key ID is logged by sshd on every login, so it records who/which machine/which CA/until when
KEY_ID="for[$DEVELOPER] host[$HOST] ssh_key[$SSH_KEY_FINGERPRINT] ca[$CA_NAME] valid_to[$VALID_TO_TEXT]"
# -n limits the cert to the developer's principal; -V sets the validity window
ssh-keygen -s "$CA_FILE" -I "$KEY_ID" -n "$DEVELOPER" -V "$CERT_LIFE_SPAN" "$SSH_KEY"
CERT=${SSH_KEY%.pub}-cert.pub
echo "Certificate written to $CERT"
EOF
chmod +x bastion_cert_mac.sh
Create the CA key pair. Its public key is the one sshd will trust via TrustedUserCAKeys.
mkdir ssh
cd ssh
ssh-keygen -o -t rsa -b 4096 -f ca_bastion
In the server's sshd_config add the following line (copy ca_bastion.pub to that path first):
TrustedUserCAKeys /etc/ssh/ca_bastion.pub
Create a cert file for the user
The cert is produced by signing the user's public key with the CA private key created above; ssh-keygen writes it next to the public key as id_rsa-cert.pub.
./bastion_cert_mac.sh jkailasam jk-mb ~/.ssh/id_rsa.pub ca_bastion ca_bastion +90d
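Before handing a freshly minted cert to a developer it is worth checking what it actually grants. The following is an added example, not part of the original page or its bastion_cert_mac.sh script: it creates a throwaway CA and user key in a temporary directory, signs the user key the same way the script does, and verifies with `ssh-keygen -L` that the certificate names the expected principal and was signed by the trusted CA, rejecting a wrong principal and a second, untrusted CA. The principal jkailasam, the file names, the ed25519 key type and the untrusted CA are assumptions constructed for the demo.

```shell
#!/usr/bin/env sh
# Added example, not from the original page or the bastion_cert_mac.sh script.
# It mints a throwaway CA and user key in a temp dir, signs the user key the
# same way the script does, and then verifies the certificate before it would
# be handed out. The principal "jkailasam", the file names and the second
# (untrusted) CA are constructed for the demo.
set -eu

# check_cert CERT PRINCIPAL CA_PUB
# Returns 0 only if CERT grants PRINCIPAL and was signed by the CA in CA_PUB;
# prints the reason for rejection to stderr otherwise.
check_cert() {
  cert=$1; principal=$2; ca_pub=$3
  listing=$(ssh-keygen -L -f "$cert")

  # Principals are listed one per indented line between the "Principals:"
  # and "Critical Options:" headers of `ssh-keygen -L` output.
  if ! printf '%s\n' "$listing" | sed -n '/Principals:/,/Critical Options:/p' |
       grep -qx "[[:space:]]*$principal"; then
    echo "rejected: principal '$principal' is not in $cert" >&2
    return 1
  fi

  # The "Signing CA:" line carries the CA's SHA256 fingerprint; it must match
  # the fingerprint of the public key sshd trusts via TrustedUserCAKeys.
  cert_ca=$(printf '%s\n' "$listing" | awk '/Signing CA:/ {print $4}')
  trusted_ca=$(ssh-keygen -l -f "$ca_pub" | awk '{print $2}')
  if [ "$cert_ca" != "$trusted_ca" ]; then
    echo "rejected: $cert was signed by $cert_ca, not by trusted CA $trusted_ca" >&2
    return 1
  fi
  return 0
}

# demo: end-to-end run in a temp dir. Returns 0 when a properly minted cert
# passes and both a wrong principal and an untrusted CA are rejected.
demo() {
  dir=$(mktemp -d)
  principal=jkailasam
  ssh-keygen -q -t ed25519 -N '' -C 'bastion CA (demo)' -f "$dir/ca"
  ssh-keygen -q -t ed25519 -N '' -C 'developer key (demo)' -f "$dir/user"
  ssh-keygen -q -t ed25519 -N '' -C 'untrusted CA (demo)' -f "$dir/other_ca"
  # Same shape as the page's script: key ID for auditing, principal, 90-day validity.
  ssh-keygen -q -s "$dir/ca" -I "for[$principal] ca[demo]" -n "$principal" -V +90d "$dir/user.pub"

  status=0
  check_cert "$dir/user-cert.pub" "$principal" "$dir/ca.pub" || status=1
  check_cert "$dir/user-cert.pub" root "$dir/ca.pub" 2>/dev/null && status=1
  check_cert "$dir/user-cert.pub" "$principal" "$dir/other_ca.pub" 2>/dev/null && status=1
  rm -rf "$dir"
  return $status
}

# Run the demo when ssh-keygen is available.
if command -v ssh-keygen >/dev/null 2>&1; then
  demo && echo "certificate checks passed"
fi
```

It needs only ssh-keygen. The same check_cert function can be pointed at a real id_rsa-cert.pub and /etc/ssh/ca_bastion.pub to confirm that a cert you are about to distribute carries the right principal and matches the CA the bastion trusts.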
Copy the cert file to the user's system
ssh-add            # loads ~/.ssh/id_rsa and picks up ~/.ssh/id_rsa-cert.pub alongside it
ssh-add -L         # lists the loaded key and its certificate