
SSH cert authentication

Create a script to sign the cert. The heredoc delimiter is quoted so that $0, $1 ... are written into the script literally instead of being expanded by the shell that creates the file.

cat > bastion_cert_mac.sh << 'EOF'
#!/usr/bin/env bash
# Sign a developer's SSH public key with the bastion CA (uses macOS `date -v` syntax).

usage="$0 developer_ldap_name developer_machine_name ssh_public_key_path ca_name ca_private_key_file cert_life_span<e.g. +90d>"

if [ $# -lt 6 ]; then
        echo "Usage: $usage"
        exit 1
fi

DEVELOPER=$1
HOST=$2
SSH_KEY=$3
CA_NAME=$4
CA_FILE=$5
CERT_LIFE_SPAN=$6

# MD5 fingerprint of the key being signed, with the "MD5:" prefix stripped
SSH_KEY_FINGERPRINT=$(ssh-keygen -l -E md5 -f "$SSH_KEY" | cut -d' ' -f 2 | cut -c 5-)

# Human-readable expiry, computed from the same offset that is passed to ssh-keygen -V
VALID_TO_TEXT=$(date -jv "$CERT_LIFE_SPAN" "+%Y/%m/%d %H:%M:%S")

# sshd logs the key ID on every login, so record who, which machine, which key, which CA and until when
KEY_ID="for[$DEVELOPER] host[$HOST] ssh_key[$SSH_KEY_FINGERPRINT] ca[$CA_NAME] valid_to[$VALID_TO_TEXT]"

# -n sets the principal: the certificate is only valid for logging in as $DEVELOPER
ssh-keygen -s "$CA_FILE" -I "$KEY_ID" -n "$DEVELOPER" -V "$CERT_LIFE_SPAN" "$SSH_KEY"

CERT=${SSH_KEY%.pub}-cert.pub
echo "Certificate written to $CERT"
EOF
chmod +x bastion_cert_mac.sh

Create an SSH key pair for the CA. Its public key is what the servers will trust (sshd's TrustedUserCAKeys); the private key signs certificates and must stay off the servers, since anyone holding it can issue a certificate for any principal.

mkdir ssh
cd ssh
ssh-keygen -o -t rsa -b 4096 -f ca_bastion

On each server, copy ca_bastion.pub to /etc/ssh/ and add the following line to sshd_config, then reload sshd:

TrustedUserCAKeys /etc/ssh/ca_bastion.pub

Create a cert file for the user.

The cert is signed with the CA private key created above and is derived from the user's public key file; ssh-keygen writes it next to that file as id_rsa-cert.pub.

./bastion_cert_mac.sh jkailasam jk-mb ~/.ssh/id_rsa.pub ca_bastion ca_bastion +90d

Copy the cert file to the user's system, next to the matching private key (~/.ssh/id_rsa-cert.pub). Then load the key into the agent and confirm the certificate is picked up:

ssh-add
ssh-add -L
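As an added example (not part of this gist), the fields sshd reads out of a user certificate and the checks it applies once the signing CA is listed in TrustedUserCAKeys: a constructed ssh-ed25519 certificate body carrying a key ID in the format produced by the script above, parsed back and checked for principal and validity. The nonce, CA key and signature are placeholders, and the signature is not verified here.

```python
import struct

def _s(b: bytes) -> bytes:
    """Encode an SSH 'string' (uint32 big-endian length, then the bytes)."""
    return struct.pack(">I", len(b)) + b

def _read(blob: bytes, spec: str = "") -> list:
    """Decode fields from blob: 's' = SSH string, 'Q' = uint64, 'I' = uint32.
    With no spec, decode back-to-back SSH strings until the buffer ends."""
    vals, pos = [], 0
    while pos < len(blob):
        f = spec[len(vals)] if spec else "s"
        if f == "s":
            (n,) = struct.unpack_from(">I", blob, pos)
            vals.append(blob[pos + 4:pos + 4 + n]); pos += 4 + n
        else:
            (v,) = struct.unpack_from(">" + f, blob, pos)
            vals.append(v); pos += struct.calcsize(f)
    return vals

def build_cert(key_id, principals, valid_after, valid_before, pubkey=bytes(32)):
    """Assemble an ssh-ed25519-cert-v01@openssh.com blob with the given fields.
    Constructed sample: nonce, CA key and signature are placeholders, so sshd
    would reject it; it only exercises the parser and the policy check below."""
    return (_s(b"ssh-ed25519-cert-v01@openssh.com") + _s(b"constructed-nonce")
            + _s(pubkey) + struct.pack(">QI", 1, 1)               # serial, type 1 = user
            + _s(key_id.encode()) + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"") + _s(_s(b"permit-pty") + _s(b""))          # critical opts, extensions
            + _s(b"") + _s(b"placeholder-ca-key") + _s(b"placeholder-signature"))

def parse_cert(blob: bytes) -> dict:
    """Split the certificate into its fields; the signature is NOT verified."""
    f = _read(blob, "sssQIssQQsssss")
    ext = _read(f[10])
    return {"type": f[0].decode(), "pubkey": f[2], "serial": f[3], "cert_type": f[4],
            "key_id": f[5].decode(), "principals": [p.decode() for p in _read(f[6])],
            "valid_after": f[7], "valid_before": f[8],
            "extensions": dict(zip([e.decode() for e in ext[0::2]], ext[1::2]))}

def check_cert(blob: bytes, expected_principal: str, now: int) -> list:
    """Reasons the cert would be rejected for a login as expected_principal at
    time now: the principal and validity checks sshd makes after the CA check."""
    c = parse_cert(blob)
    checks = [("not a user certificate", c["cert_type"] == 1),
              ("principal not listed", expected_principal in c["principals"]),
              ("outside validity window", c["valid_after"] <= now < c["valid_before"])]
    return [msg for msg, ok in checks if not ok]
```

For a real certificate, `ssh-keygen -L -f ~/.ssh/id_rsa-cert.pub` prints the same fields (key ID, principals, validity, extensions) so the issued cert can be reviewed before it is handed out.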
