How to generate a temporary key for SSH authentication using a physical security key & certificate authority?



The software '

OpenSSH ' that operates the server remotely, which is used all over the world, generally uses public key authentication as the authentication method, but it is also possible to perform authentication by a certificate authority. Engineer Carl Tashian explains how to use a physical security key as the private key of a certificate authority to maintain high security and generate a temporary key.

SSH Emergency Access
https://smallstep.com/blog/ssh-emergency-access/

The SSH authentication method explained this time is not the usual authentication method 'register the public key in the authorized_keys of the host and authenticate using the private key from the client', but 'create a certificate authority'. It is trusted on the server side and authenticated with a private key signed by a certificate authority. ' By setting the expiration date when signing the certificate authority, it is possible to generate a temporary private key.

The following items should be prepared for SSH certification by a certificate authority.

・ Physical security key corresponding to resident key
· A safe place to store your physical security key
OpenSSH version 8.2 or higher

The YubiKey 5 series is compatible with resident keys and can be used with this method.

Security token 'YubiKey 5Ci' that allows two-step verification just by physically inserting it into the iPhone --GIGAZINE



Regarding the specific setup, Tashian explains as follows. First, specify 'ecdsa-sk' added in OpenSSH 8.2 as the key type, and create a key pair of the certificate authority with the ssh-keygen command. After executing the command, the public key 'sk-user-ca.pub' required to approve the certificate authority on the server and the private key of the certificate authority installed in the security key 'sk-user-ca' 'Is said to be generated.

[code] ssh-keygen -t ecdsa-sk -f sk-user-ca -O resident -C [security key ID] [/ code]



Next, add the following description to the server configuration file '/etc/ssh/sshd_config' and set the server to trust the certificate authority registered in '/etc/ssh/ca.pub'. Add the contents of the 'sk-user-ca.pub' generated earlier to '/etc/ssh/ca.pub'.

[code] TrustedUserCAKeys /etc/ssh/ca.pub [/ code]



After completing the settings, restart the SSH server for the settings to take effect. Now you can make an SSH connection from the client using the encryption key signed by the certificate authority.

[code] systemctl sshd restart [/ code]



Next, create a key pair to be used on the SSH client side.

[code] ssh-keygen -t ecdsa -f emergency [/ code]



Of the created key pairs, the private key is signed by the private key of the certificate authority. The following command sets a deadline to allow access to a user named 'ubuntu' on the server for only 10 minutes before and after.

[code] ssh-keygen -s sk-user-ca -I test-key -n ubuntu -V -5m: + 5m emergency [/ code]



After that, you can make an SSH connection by specifying the signed private key with the ssh command. If you want to share the SSH authentication key, send the 'emergency' file and the certificate 'emergency-cert.pub' to the other party.

[code] ssh -i emergency ubuntu @ my-hostname [/ code]



The method explained by Mr. Tashian uses a physical security key to improve security, but if you specify 'ecdsa' etc. as the key type of the certificate authority, it is possible to perform SSH authentication by the certificate authority itself. is.

Related Posts:

in Software,   Hardware, Posted by darkhorse_log