OpenSSH - SSH Certificates

Показать описание

Today I will be looking at using openssh key pairs to replace the openssh password, however with a bit of a difference. Instead of using just host and user keys, I will be configuring OpenSSH Server and OpenSSH client to use host and user certificates.
Note: This is a step up from using SSH public and private keys for your host and users

00:00 - Intro
00:28 - Host & User Certificates for OpenSSH
00:48 - OpenSSH key management
01:44 - Public Key and Passwords
02:49 - Trust on First Use (TOFU)
05:13 - Best Practice - Use SSH Certificates
07:20 - Create Host CA keys
08:20 - Host Certificate
11:26 - Best Practice - Use Separate Host and User CAs
12:40 - Create User CA
13:06 - Generate or re-use existing Host Keys
13:40 - Sign the Host Certificates
14:48 - Copy Host Keys and Host Cert to SSH Server
15:53 - Configure SSH Clients to use Host Certificates
17:11 - User Keys
17:30 - Sign User Public Key
18:28 - Copy User Keys and User Cert to User Home Dir
18:47 - Configure TrustedUserCAKeys
19:34 - Other Best Practices
20:19 - What we covered
21:01 - Outro

Follow me:
Twitter @djware55

Licensed under Creative Commons: By Attribution 4.0 License

Licensed under Creative Commons: By Attribution 4.0 License

Werq by Kevin MacLeod

Industrial Cinematic by Kevin MacLeod

Music Used in this video
Licensed under Creative Commons: By Attribution 3.0 License

#ssh #openssh #opensshcert

Рекомендации по теме

Комментарии

Feeling stupid is the price we pay for learning new stuff. Thanks for another informative video!

KroshkaMu

I have now watched and paid attention to all of the current video uploads on SSH--Great. Thank You.

dezmondwhitney

My dude DJ Ware, just like everyone else here - shout out to all you mah peers I haven't met yet :nerd: -, be it a distro review, a file system review, or anything related to the good ol' OpenSSH, keep the good stuff coming!! 👊

madbananas

Demo is always good. It is slower but one can think/digest the information while you type commands in. :-)

xuldevelopers

This is a great series. Didn't know ssh supported certificates like this.
There are a lot of quality of life features hidden away in the docs and config files if you just look for them.

andynn

Keyboard fumbling is educational so fumble away.
Jokes aside, seeing the action performed as it is discussed is a more stimulating experience. With audio and static text I tend to just read ahead and then it's easy to miss points being made in the discussion.

andynn

You sound like Jeff Bridges and it's oddly soothing. Thanks for the great video!

Subbeh

Love this very helpful series on SSH!
I for one would very much like to see a demo!
Would help me understand the process a bit better.

YouIos

I refer to something called PKI in this video, Public Key Infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. There is no such thing as "lightweight" PKI as this video talks about, I use it to describe something which falls short of full PKI compliance.

CyberGizmo

As always watching your video, I learned something new today. Thank you.

KillSwitchI

Doing it for a while now. It's amazing since you can create and revoke certificates as you wish. And with time limits. It's a great way to give access to "strangers" to one of your maschines i love it. Btw. it's the same stuff they use for the covid apps in Europe.

durschfalltv

Hi DJ Ware, you talk about a lot of best practices for SSH, I'm surprised you didn't mention setting up a central certificate directory since you mention so much about key management. I've seen many places that implemented SSH to use /etc/ssh/Authorized_Keys/%u, with the filename/cert in that directory being the username.

There are some permissions that need to be set correctly but isn't that a better practice than letting users store it in ~/.ssh.

I would think managing a single sync in a single location instead of updates at every logon would seem like less overall management overhead of the keys. What are your thoughts on that? Are there any good reasons to not do this?

thethan

Top notch again thanks for this. I was guilty as well for a bad ssh hygiene and use TOFU (your slide showed that the minority uses it? I guess it is rather the majority), but this is the very next I'll do.
But, how do you deal with cloud servers. You will have no access physical so you basically beef to trust it for the very first setup. I haven seen any cloud Provider for having a solution to verify the connection hasn't been tampered with.

marcello

Is possible to put user private cert key into /etc/ssh for security, you know, in case the user’s password were guessed, or something?

egbertst

OpenSSH - SSH Certificates

OpenSSH - SSH Certificates

What are SSH Certificates? How are They Different Than SSH Keys?

SSH Keys

Learn SSH In 6 Minutes - Beginners Guide to SSH Tutorial

SSH Key Authentication | How to Create SSH Key Pairs

Complete SSH Tutorial: All-in-One Guide for Secure Connections

BSidesSF 2020 - If You’re Not Using SSH Certificates You’re Doing SSH Wrong (Mike Malone)

DevSecCon Ignites: Stopping the Hassle of SSH Keys by Using SSH Certificates, Oded Hareven, Akeyless

Getting Started with OpenSSH Key Management

How SSH Works

SSH Certificates: a way to scale SSH access

SSH Zugang einrichten

How to Install an SSH Certificate

How to SSH Without a Password (like a boss)

Linux - Использование SSH ключа вместо Пароля | SSH Key Pair

OpenSSH Certificate Authorities by Tim Fletcher

How SSH password-less key based authentication work in 4 minutes (with example)

Public Key Authentication mit SSH

SSH Key Linux secure remote authentication to your Server

Configuring SSH Public Key Authentication on Windows Server 2022

🐱Generate a New SSH Key and Add it to your GitHub

'Zero Trust SSH' - Jeremy Stott (LCA 2020)

Does WinSCP work with OpenSSH SSH certificates?

SSH Certificate Authority Rocky Linux 8