SSH with certificates
This tool helps you create and manage SSH certificates.
Background
Accessing an SSH server requires authentication, either with a password or with a key. Password authentication is considered bad practice; from a security point of view key-based authentication is the preferred way.
But:
- Keys are not bound to user identities.
- Keys do not expire.
- Keys need management on every remote system (the `authorized_keys` file).
- …
Using SSH certificates solves several of these issues.
If you create an SSH CA (just a key pair) and install the public key of this CA on the remote systems marked as a "cert-authority", every user key that carries a certificate signed by this CA is accepted there, as long as the certificate's principals and validity period admit the login. No per-key entries in `authorized_keys` are needed any more.
(If you see similarities to X.509: there are some. But SSH certificates are not X.509 certificates.)
Initialization
Create the key pair for your CA (and some directory structure):
```
ssh-ca init <name-of-the-CA>
```
This creates a new directory structure:
```
<name-of-the-CA>
+--- private/ca_rsa       <--- private CA key (never leaves this directory)
|            ca_rsa.pub   <--- public CA key
+--- tmp/
+--- issued/
+--- requests
```
Install the public key on the remote systems as a cert-authority, as one line in the user's `authorized_keys`:
```
# .ssh/authorized_keys
cert-authority ssh-rsa …
```
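What the cert-authority line buys you, as an added example in Python that is not code from ssh-ca or from OpenSSH: it encodes and decodes an OpenSSH user certificate in the ssh-ed25519-cert-v01@openssh.com wire format (the ssh-rsa variant only differs in the key fields) and then applies, in the same order, the checks sshd makes when it matches a presented certificate against a cert-authority line, including the optional `principals=` restriction. Everything cryptographic is assumed away: the 32-byte keys are constructed dummies, the nonce is fixed, and the signature field is an empty placeholder, so signature verification (which a real sshd performs before any of the checks below) is not modelled. All function names are this example's own.

```python
"""Added example, not part of ssh-ca: encode/decode an OpenSSH user certificate
(ssh-ed25519-cert-v01@openssh.com wire format) and apply the checks sshd makes
against a cert-authority line in authorized_keys. Keys are constructed dummies
and the signature is an empty placeholder, so signature verification (which a
real sshd performs before anything else) is not modelled here."""
import base64
import re
import struct

CERT_TYPE_USER = 1   # certificate type field: 1 = user, 2 = host

def _s(b):
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

class _Reader:
    def __init__(self, data):
        self.data, self.off = data, 0

    def num(self, fmt):  # ">I" reads a uint32, ">Q" a uint64
        (v,) = struct.unpack_from(fmt, self.data, self.off)
        self.off += struct.calcsize(fmt)
        return v

    def string(self):
        n = self.num(">I")
        v = self.data[self.off:self.off + n]
        if len(v) != n:
            raise ValueError("truncated string field")
        self.off += n
        return v

def ed25519_key_blob(pk32):
    """Public key blob as base64-encoded in authorized_keys and *.pub files."""
    return _s(b"ssh-ed25519") + _s(pk32)

def authorized_keys_ca_line(ca_blob, comment="", principals=None):
    """Render a cert-authority line trusting ca_blob; principals= is optional."""
    opts = "cert-authority"
    if principals:
        opts += ',principals="%s"' % ",".join(principals)
    line = "%s ssh-ed25519 %s" % (opts, base64.b64encode(ca_blob).decode())
    return line + (" " + comment if comment else "")

def build_user_cert(user_pk32, ca_pk32, key_id, principals,
                    valid_after, valid_before, serial=1):
    """Constructed certificate: real field layout, empty placeholder signature."""
    nonce = bytes(32)  # ssh-keygen uses random bytes; fixed here for determinism
    return (_s(b"ssh-ed25519-cert-v01@openssh.com") + _s(nonce) + _s(user_pk32)
            + struct.pack(">QI", serial, CERT_TYPE_USER) + _s(key_id.encode())
            + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"") + _s(b"") + _s(b"")     # critical options, extensions, reserved
            + _s(ed25519_key_blob(ca_pk32))   # signature key: the CA public key
            + _s(b""))                        # signature (placeholder)

def decode_cert(blob):
    r = _Reader(blob)
    if r.string() != b"ssh-ed25519-cert-v01@openssh.com":
        raise ValueError("not an ssh-ed25519 certificate")
    r.string()  # nonce
    cert = {"pk": r.string(), "serial": r.num(">Q"), "type": r.num(">I"),
            "key_id": r.string().decode(), "principals": []}
    plist = _Reader(r.string())  # principals: a string of nested strings
    while plist.off < len(plist.data):
        cert["principals"].append(plist.string().decode())
    cert["valid_after"], cert["valid_before"] = r.num(">Q"), r.num(">Q")
    for _ in range(3):  # critical options, extensions, reserved: not needed here
        r.string()
    cert["signature_key"], cert["signature"] = r.string(), r.string()
    return cert

def parse_ca_line(line):
    """Return (ca_blob, principals= list or None); None if not a cert-authority."""
    parts = line.split()
    if len(parts) < 3 or "cert-authority" not in parts[0].split(","):
        return None
    m = re.search(r'principals="([^"]*)"', parts[0])
    return base64.b64decode(parts[2]), (m.group(1).split(",") if m else None)

def sshd_accepts(cert, ca_line, login_user, now):
    """Same order as sshd: CA match, principals= option, type, validity window,
    and the login name only when no principals= option overrides it."""
    parsed = parse_ca_line(ca_line)
    if parsed is None:
        return False, "line is not a cert-authority"
    ca_blob, allowed = parsed
    if cert["signature_key"] != ca_blob:
        return False, "certificate not signed by this CA"
    if allowed is not None and not set(allowed) & set(cert["principals"]):
        return False, "no certificate principal is listed in principals="
    if cert["type"] != CERT_TYPE_USER:
        return False, "not a user certificate"
    if now < cert["valid_after"]:
        return False, "not yet valid"
    if now >= cert["valid_before"]:
        return False, "expired"
    if allowed is None and cert["principals"] and login_user not in cert["principals"]:
        return False, "%s is not a listed principal" % login_user
    return True, "ok"
```

Build a certificate for a dummy user key with `build_user_cert(user_pk, ca_pk, "alice@laptop", ["alice"], valid_after, valid_before)`, decode it with `decode_cert`, and feed it to `sshd_accepts` together with the line from `authorized_keys_ca_line(ed25519_key_blob(ca_pk))`: the login succeeds for `alice` inside the window, is refused for `root` (not a listed principal), and is refused for everyone once `now` reaches `valid_before` (the upper bound is exclusive, as in sshd). Two details worth knowing: a certificate with an empty principal list is accepted for any user unless the cert-authority line carries `principals=`, and when `principals=` is present it replaces the login-name check rather than adding to it, so restrict the CA line when the CA does not control who ends up in the certificates.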
Git integration
If you want to track your CA activities in Git, just create a new repo in <name-of-the-CA>:
```
cd <name-of-the-CA>
git init
echo private/ca_rsa > .gitignore
git add .gitignore private
git commit -m 'Initial commit'
```
The `.gitignore` entry keeps the private CA key out of the repository; only `private/ca_rsa.pub` is committed. Further actions are now tracked by Git automatically.
Operating
To be completed