Anyone using ssh certificates for logins instead of keys?
-
While I was looking at good solutions to distribute and keep track of keys for ssh logins, I came across that you can nowadays use ssh certificates instead. Then there is no need to distribute keys. It seems like a much, much better solution than keys in several ways. However it's not that common I think.
Anyone here that has implemented certificates for ssh instead of keys?
-
@pete-s said in Anyone using ssh certificates for logins instead of keys?:
While I was looking at good solutions to distribute and keep track of keys for ssh logins, I came across that you can nowadays use ssh certificates instead. Then there is no need to distribute keys. It seems like a much, much better solution than keys in several ways. However it's not that common I think.
Anyone here that has implemented certificates for ssh instead of keys?
No, because it is not really a benefit at small scale. Not that it is hard either.
It is the only way to do anything at large scale IMO though.
I've been meaning to migrate to it for a while and write some guides.
But meh, never been a priority.
-
Do you mean SSL certificates? Should be almost identical to using regular keys. Handy at scale for sure. But have not done it. Would love feedback on it.
-
@scottalanmiller said in Anyone using ssh certificates for logins instead of keys?:
Do you mean SSL certificates? Should be almost identical to using regular keys. Handy at scale for sure. But have not done it. Would love feedback on it.
No, I mean SSH certificates.
The ssh client has a certificate that is signed by a trusted CA (your own). The server has also a certificate that is signed by a trusted CA. Now the server and the client are sure that they both are who they say they are.
But I'm pretty sure you could use SSL certificates as well for ssh. But I think I read somewhere that there will not be much benefit. I haven't figured out the exact difference, except that SSL is x509 and I think SSH certificates are not.
-
@pete-s said in Anyone using ssh certificates for logins instead of keys?:
@scottalanmiller said in Anyone using ssh certificates for logins instead of keys?:
Do you mean SSL certificates? Should be almost identical to using regular keys. Handy at scale for sure. But have not done it. Would love feedback on it.
No, I mean SSH certificates.
The ssh client has a certificate that is signed by a trusted CA (your own). The server has also a certificate that is signed by a trusted CA. Now the server and the client are sure that they both are who they say they are.
But I'm pretty sure you could use SSL certificates as well for ssh. But I think I read somewhere that there will not be much benefit. I haven't figured out the exact difference, except that SSL is x509 and I think SSH certificates are not.
This was my source of information:
Using public key cryptography for authentication requires copying the public key from every client to every server that the client intends to log into. This system does not scale well and can be an administrative burden. Using a public key from a certificate authority (CA) to authenticate client certificates removes the need to copy keys between multiple systems. While the X.509 Public Key Infrastructure Certificate system provides a solution to this issue, there is a submission and validation process, with associated fees, to go through in order to get a certificate signed. As an alternative, OpenSSH supports the creation of simple certificates and associated CA infrastructure.
-
@pete-s said in Anyone using ssh certificates for logins instead of keys?:
except that SSL is x509 and I think SSH certificates are not.
Oh, I thought that they were both x509.
-
They do not, you are right. They don't use x509 certs, but they use the same algorithms as TLS (because it's OpenSSL under the hood.) So same security, different cert. By default, at least.
-
Certificates are better because you no longer need to manage keys for users.
Everyone gets a cert from a trusted CA.
Certs expire. If you tie the user cert to some SSO system with 2FA you are super secure for generation of a cert that is only good for say 24 hours.
The ssh users simply validate themselves once a day.
Dealing with keys at scale is absolutely a mess
-
The problem with certs is the infrastructure to setup a trusted CA and the generation of certs to users.
But once setup it is permanent and secure.
-
@scottalanmiller said in Anyone using ssh certificates for logins instead of keys?:
They do not, you are right. They don't use x509 certs, but they use the same algorithms as TLS (because it's OpenSSL under the hood.) So same security, different cert. By default, at least.
Thinking about it, we already create and manage user certificates for OpenVPN. I think they are x509 TLS/SSL certificates. Maybe we could use the same infrastructure to manage SSH certificates or perhaps use SSL certificates for ssh instead...
Need to research some more...
-
This is the main way Vault handles SSH creds. It will act as your CA and assign dynamic certs for you.
-
This is the difference between regular x509 certificates and the SSH certificates.
-
- OpenSSH can use host certificates to verify the host (like SSL certs on a webserver).
- OpenSSH can also use user certificates to verify the user (like passwords or ssh keys).
Both these types of cert to be used independently of each other.
I've tested using user certificates to authorize user login, since that is what most
people do with keys. People never really verify the host identity.It works great and it's actually very simple. This will be my new SOP going forward.
Before starting to add hosts and users you need to create a Certificate Authority (CA) - which is actually just a key pair. It's a one-liner.
Every time you create a new host, you just need to copy the same file to it - the public key of the CA. And change one line in sshd_config to allow ssh certificates.
Every time you have a new user on your team who need access to servers, you have to generate a certificate for him. It's a one liner. He will copy the certificate to his own machine. And the ssh client will automatically send the certificate when needed.
Generating certificates is the part that could be automated. You could for instance be given a certificate that expires in 5 minutes. That would allow you to login and stay logged in. But if you need to login again, you need to generate a new certificate.
