dockerfiles/ssh-ca at master · tecris/dockerfiles

History

Name		Name	Last commit message	Last commit date
parent directory ..
volatile		volatile
Dockerfile.host		Dockerfile.host
Dockerfile.ssh		Dockerfile.ssh
Dockerfile.user		Dockerfile.user
build_host_image.sh		build_host_image.sh
build_image.sh		build_image.sh
build_ssh_base_image.sh		build_ssh_base_image.sh
build_user_image.sh		build_user_image.sh
docker-compose.yml		docker-compose.yml
readme		readme
run.sh		run.sh
test.sh		test.sh
using_ssh_certificates.pdf		using_ssh_certificates.pdf

readme


./build_ssh_base_image.sh

docker volume create --name volume_zero
docker run -v volume_zero:/keys org.tecris/ssh:23.05.16 rm -rf /keys/*

docker run -v volume_zero:/keys org.tecris/ssh:23.05.16 ssh-keygen -t ed25519 -f /keys/user_ca_key -C "CA key for user" -q -N ""
docker run -v volume_zero:/keys org.tecris/ssh:23.05.16 ssh-keygen -t ed25519 -f /keys/host_ca_key -C "CA key for host" -q -N ""
docker run -v volume_zero:/keys org.tecris/ssh:23.05.16 ls -l /keys

docker run --name volume_helper -d -v volume_zero:/keys busybox:1.37 true
docker cp volume_helper:/keys .

./build_host_image.sh
./build_user_image.sh

docker compose up -d
# following should work
docker exec -it -u django sevilla ssh rango@alhambra
docker exec -it -u django sevilla ssh rango@cordoba
docker exec -it -u django sevilla ssh django@alhambra
docker exec -it -u django sevilla ssh django@cordoba

# this one should prompt The authenticity of host 'toledo' can't be established.
# following should not work (result in either prompt for accepting fingerprint or Permission denied)
docker exec -it -u django sevilla ssh rango@toledo
docker exec -it -u django sevilla ssh django@toledo
docker exec -it -u django sevilla ssh pegasus@alhambra
docker exec -it -u django sevilla ssh pegasus@cordoba
docker exec -it -u django sevilla ssh pegasus@toledo

ssh-keygen -L -f id_ecdsa-cert.pub

how to check if public/private key match
diff <(ssh-keygen -y -e  -f keys/user_ca_key) <(ssh-keygen -y -e  -f keys/user_ca_key.pub)

Reference:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sec-creating_ssh_ca_certificate_signing-keys
https://dev.to/gvelrajan/how-to-configure-and-setup-ssh-certificates-for-ssh-authentication-b52
https://engineering.fb.com/2016/09/12/security/scalable-and-secure-access-with-ssh/
https://ibug.io/blog/2019/12/manage-servers-with-ssh-ca/
https://jameshfisher.com/2018/03/16/how-to-create-an-ssh-certificate-authority/
https://linux-audit.com/granting-temporary-access-to-servers-using-signed-ssh-keys/
https://smallstep.com/blog/use-ssh-certificates/
https://thinkingeek.com/2020/06/06/using-ssh-certificates/
https://www.lorier.net/docs/ssh-ca.html


https://medium.com/better-programming/how-to-use-ssh-certificates-for-scalable-secure-and-more-transparent-server-access-720a87af6617


When an SSH client opens an SSH connection to an SSH server, there are a couple of trust issues to resolve. 
 * he server needs to know whether this is truly an authorized client, and,
 * the client needs to know whether the server is truly the server it claims to be.

Problem is solved by using CA that is trusted by both client/user and server.

How the server knows this is an authorized client?
1. Create User CA
 1.1 ssh-keygen -t ed25519 -f /keys/user_ca_key -C "CA key for user" -q -N ""
2, User public key gets signed with User CA (issue user certificate)
 2.1 ssh-keygen -s user_ca \
      -I "user_name" \
      -n userid1 \
      -V +52w \
      id_ed25519.pub
      Explanation: This will create a file id_ed25519_key-cert.pub (mind the -cert before .pub) that has to be copied in $HOME/.ssh/id_ed25519-cert.pub
3. Server trusts User CA
 3.1 Copy USER CA public key to server, for instance `/etc/ssh/user_ca_key.pub`, and,
 3.2 configure ssh server, add following line "TrustedUserCAKeys /etc/ssh/user_ca_key.pub" in /etc/ssh/sshd_config
 3.3 restart sshd server
4. Client presents certificate to server
5. Server provides access if certificate is valid

How the client knows the server is truly the server it claims to be?
1. Create Host CA
 1.1 ssh-keygen -t ed25519 -f /keys/host_ca_key -C "CA key for host" -q -N ""
2. Configure user to trust Host CA
 2.1 add line `@cert-authority *.example.com ssh-ed25519 AAAA...` to either
  2.1.1 `/etc/ssh/ssh_known_hosts` (for system-wide trust), or,
  2.1.2 `$HOME/.ssh/ssh_known_hosts` (for individual trust)
3. Configure host
 3.1 Create host certificate
  3.1.1 ssh-keygen -s host_ca \
            -I "ServerMachine1" \
            -h \
            -n ServerMachine1.example.com \
            -V +52w \
            ssh_host_ed25519_key.pub
 3.2 Configure sshd to offer the certificate to all in coming SSH connections
  3.1 Edit file /etc/ssh/sshd_config and add the following line
    `HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub`
  3.2 Restart SSH server

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

readme

FilesExpand file tree

ssh-ca

Directory actions

More options

Directory actions

More options

Latest commit

History

ssh-ca

Folders and files

parent directory

readme