How To
Summary
This document provides basic instructions to configure authentication with user certificates in OpenSSH on AIX®.
Objective
This document provides instructions for setting up a simple configuration to support authenticating users through SSH certificates. Fully utilizing the capabilities and security of SSH certificates is complex and beyond the scope of this document. For more information, search the web for tutorials and instructions on the subject.
Environment
This document assumes both the SSH server and SSH client are OpenSSH on AIX. The instructions may or may not work in other environments.
Steps
1. On the SSH server, create a key to sign user keys. The key type can be rsa, ecdsa, or ed25519. (Do not use dsa. It is not secure.) For additional security, put a passphrase on the key to prevent unauthorized use.
# cd /etc/ssh
# ssh-keygen -t ed25519 -f ca_user_signing_key -q
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
2. Add the public half of the SSH user signing key to the /etc/ssh/sshd_config file on the SSH server with the TrustedUserCAKeys option.
TrustedUserCAKeys /etc/ssh/ca_user_signing_key.pub
3. If the user does not already have a public/private key pair, they must generate one in the .ssh directory in their home directory. Have them run the following commands to create the key pair. If you create the keys on behalf of the user, be sure to change the ownership of the .ssh directory and the key files to the user and their primary group. Valid key types are rsa, ecdsa, and ed25519. (Do not use dsa.) For additional security, put a passphrase on the key to prevent unauthorized use. Note: if the key pair is protected with a passphrase, the user must enter that passphrase each time they log in.
$ mkdir $HOME/.ssh
$ chmod 700 $HOME/.ssh
$ ssh-keygen -t ed25519
$ chmod 600 $HOME/.ssh/id_ed25519*
4. Add the user's public key to their $HOME/.ssh/authorized_keys file on the SSH server.
$ cat $HOME/.ssh/id_ed25519.pub >> $HOME/.ssh/authorized_keys
5. Provide a copy of the user's public key to the administrator of the SSH server so that they can generate an SSH user certificate on behalf of the user. The administrator does not need the key's passphrase.
6. On the SSH server, generate the SSH user certificate using the server's user signing key and the user's public key. You must specify a label (arbitrary text that describes the certificate) with the -I flag, and with the -n flag the name or names of the accounts the user may log in as on the SSH server, separated by commas. In this example, the user name is "user1", the user is allowed to log in on the SSH server as "user1" and "user2", and the user's public key has been copied to the /tmp directory on the SSH server. The ssh-keygen command creates the certificate file in the same directory as the public key, named like the public key with "-cert" inserted just before the ".pub" suffix. If a passphrase was set on the SSH user signing key in step 1, the ssh-keygen command prompts you for it.
# ssh-keygen -s /etc/ssh/ca_user_signing_key -I "Certificate for user1" -n user1,user2 /tmp/id_ed25519.pub
7. Copy the SSH user certificate to the user's $HOME/.ssh directory. In this example, the certificate file /tmp/id_ed25519-cert.pub on the SSH server is copied to the user's $HOME/.ssh directory on the SSH client. If the certificate is copied on behalf of the user, be sure to set its ownership and permissions appropriately.
8. Either in the /etc/ssh/ssh_config or in the user's $HOME/.ssh/config file, add a CertificateFile entry so that the ssh command will look for the certificate file. If this option is not set, the ssh command will ignore the user's certificate. In this example, the user's certificate file has been copied to $HOME/.ssh/id_ed25519-cert.pub. The ssh command automatically adds ".pub" to the end of the file name, so you can omit it with the CertificateFile option.
On the SSH client, run one of these commands.
echo "CertificateFile ~/.ssh/id_ed25519-cert" >> /etc/ssh/ssh_config
echo "CertificateFile ~/.ssh/id_ed25519-cert" >> $HOME/.ssh/config
9. When the user logs in to the SSH server, they are authenticated using the SSH user certificate on the SSH client.
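An added example, not part of this IBM document: a small Python decoder for the certificate file that step 6 writes (id_ed25519-cert.pub), following the field order that OpenSSH's PROTOCOL.certkeys specifies for ed25519 certificates. It lets the administrator confirm the -I label and the -n principals before handing the file to the user (an empty principal list would be valid for any account); it does not check the CA signature, which sshd and "ssh-keygen -L -f" do. The function constructed_cert_line builds a constructed, unsigned sample certificate so the code runs offline.

```python
import base64, struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1        # "type" field: 1 = user certificate, 2 = host certificate
NEVER = 2**64 - 1    # valid_before value ssh-keygen writes when no -V is given

def _s(data: bytes) -> bytes:                 # SSH "string": uint32 length + bytes
    return struct.pack(">I", len(data)) + data

class _Reader:                                # sequential reader for SSH wire types
    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0
    def num(self, fmt: str) -> int:           # ">I" = uint32, ">Q" = uint64
        (v,) = struct.unpack_from(fmt, self.buf, self.pos)
        self.pos += struct.calcsize(fmt)
        return v
    def string(self) -> bytes:
        n = self.num(">I")
        self.pos += n
        return self.buf[self.pos - n:self.pos]

def parse_cert_line(line: str) -> dict:
    """Decode one line of an id_ed25519-cert.pub file (signature not checked)."""
    key_type, b64 = line.split()[:2]
    r = _Reader(base64.b64decode(b64))
    if key_type.encode() != CERT_TYPE or r.string() != CERT_TYPE:
        raise ValueError("not an OpenSSH ed25519 certificate")
    r.string()                                # nonce (random bytes added by ssh-keygen)
    cert = {"pubkey": r.string(), "serial": r.num(">Q"), "type": r.num(">I"),
            "key_id": r.string().decode()}   # key_id is the -I label from step 6
    p = _Reader(r.string())                   # principals: packed list of strings (-n)
    cert["principals"] = []
    while p.pos < len(p.buf):
        cert["principals"].append(p.string().decode())
    cert["valid_after"], cert["valid_before"] = r.num(">Q"), r.num(">Q")
    r.string(); r.string(); r.string()        # critical options, extensions, reserved
    cert["ca_key_type"] = _Reader(r.string()).string().decode()  # signing key type
    return cert

def acceptable(cert: dict, expected: list) -> bool:
    """True only for a user cert whose principals are exactly the expected names."""
    return cert["type"] == USER_CERT and sorted(cert["principals"]) == sorted(expected)

def constructed_cert_line(key_id: str, principals: list) -> str:
    """Build a structurally valid but UNSIGNED sample cert line (constructed data)."""
    body = (_s(CERT_TYPE) + _s(b"\x00" * 32) + _s(b"\x11" * 32)       # nonce, pk
            + struct.pack(">QI", 7, USER_CERT) + _s(key_id.encode())
            + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", 0, NEVER) + _s(b"") * 3               # options, ext, reserved
            + _s(_s(b"ssh-ed25519") + _s(b"\x22" * 32)) + _s(b"\x00" * 64))
    return CERT_TYPE.decode() + " " + base64.b64encode(body).decode() + " sample"
```

To inspect a real certificate, pass the single line of $HOME/.ssh/id_ed25519-cert.pub to parse_cert_line and compare the result with acceptable(cert, ["user1", "user2"]).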
Document Information
Modified date:
07 March 2024
UID
ibm17124735