A very simple SSH CA service with only 150 lines of Python code.
OpenSSH user certificates are a better authentication solution than traditional public keys.
But there is a small problem: how do you sign SSH keys for many users?
We have hundreds of Linux nodes and different roles (deploy/dev/ops) for many users. For example, the deploy/dev roles can ssh to a specific node, but the ops role can ssh to all the nodes.
It is difficult to get those things done without automation.
The idea is very simple:
- To sign a key for a user, we MUST have his SSH public key.
- If we have his SSH public key, we can authenticate him by that key.
So, the solution is straightforward:
- The user connects to the SSH CA service with ssh.
- The SSH CA service authenticates him by his public key, signs that key, and returns the signed key to him.
There is one CA admin and there are many SSH users.
Every SSH user must:
- choose his username, “user1” for example.
- generate his SSH key pair:

```
ssh-keygen -t ed25519
```

- send his public key file to the CA admin as user1.pub.
The CA admin creates /etc/sshca/ with the following files/dirs:
- ca: The CA private key file.
- ssh-host-key: Host key for CA’s SSH service.
- config.json: the service configuration (see the example config.json).
- users/: contains the users’ SSH public keys
- users/user1.pub: user1’s SSH public key
Then start the SSH CA service with `python3 main.py`; it listens on port 65022.
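The core of the service described above, as an added example that is not the project's own code: map the key the client authenticated with to a users/*.pub entry, check that config.json allows that user the requested role, and build the ssh-keygen signing call. The config.json layout (`roles` mapping a role to usernames, optional `validity`) is an assumption, since the page does not show the example file.

```python
# Added example; the config.json layout below is assumed, not the project's:
#   {"roles": {"ops": ["user1"], "deploy": ["user1", "user2"]}, "validity": "+8h"}
import json
import subprocess
from pathlib import Path

# Constructed sample public key line, in the format ssh-keygen writes to user1.pub.
SAMPLE_PUB = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBlobOnly user1@laptop"

def load_users(users_dir):
    """Map (key type, base64 blob) of every users/<name>.pub to <name>."""
    users = {}
    for pub in Path(users_dir).glob("*.pub"):
        parts = pub.read_text().split()
        if len(parts) >= 2:
            users[(parts[0], parts[1])] = pub.stem
    return users

def authenticate(offered_key, users):
    """Identity comes from the key, never from the login name the client sent.
    The SSH server layer must already have verified possession of this key."""
    parts = offered_key.split()
    if len(parts) < 2:
        return None
    return users.get((parts[0], parts[1]))

def authorize(username, role, config):
    """Only roles that list this user in config.json may be requested."""
    return username in config.get("roles", {}).get(role, [])

def sign_command(ca_key, pub_file, username, role, validity="+8h"):
    """Key id = username (shows up in sshd logs), principal = role, short validity."""
    return ["ssh-keygen", "-s", str(ca_key), "-I", username, "-n", role,
            "-V", validity, str(pub_file)]

def issue_certificate(sshca_dir, offered_key, role):
    """Full flow for one request; returns the path of the signed key."""
    sshca_dir = Path(sshca_dir)
    config = json.loads((sshca_dir / "config.json").read_text())
    username = authenticate(offered_key, load_users(sshca_dir / "users"))
    if username is None:
        raise PermissionError("public key is not registered")
    if not authorize(username, role, config):
        raise PermissionError(f"{username} may not request role {role}")
    pub_file = sshca_dir / "users" / f"{username}.pub"
    subprocess.run(sign_command(sshca_dir / "ca", pub_file, username, role,
                                config.get("validity", "+8h")), check=True)
    return pub_file.with_name(f"{username}-cert.pub")  # ssh-keygen -s output name
```

Because the certificate carries the role as its principal, a node only needs `AuthorizedPrincipalsFile` entries for the roles it accepts, and a user with the deploy role cannot mint an ops certificate just by asking for it.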
Request a signed key for a role (here ops) from the CA service:

```
ssh ssh://firstname.lastname@example.org:65022 ops
```

Then copy the returned key to ~/.ssh/id_ed25519-cert.pub.
If `enable_scp` is true in config.json, the signed key can also be fetched with scp:

```
scp scp://email@example.com:65022/ops.pub .
```
- read-only sftp/scp
- cert cache