Authenticating SSH Host Certificates (client)

Similar to the SSH User Certificates story, it is also possible to authenticate hosts via client side certificate authority authentication. An SSH Server Certificate Authority signs server certificates and the client only needs to be aware of the CA's public key.

  1. Using an air gapped computer, generate the server certificate authority:

    ❯ ssh-keygen -C "SSH Server Certificate Authority" -f
  2. Sign the host public key using the server certificate authority:

    ❯ ssh-keygen -s -I <identity> -h -n <hostname> -V +52w /etc/ssh/
    Signed host key /etc/ssh/ id "" serial 0 for valid from 2016-12-10T00:10:00 to 2017-12-09T00:10:10
  3. Update /etc/ssh/sshd_config to include the new host certificate:

    HostCertificate /etc/ssh/
  4. Add the certificate authority to the local ssh client (~/.ssh/known_hosts):

    @cert-authority * <content of>

results matching ""

    No results matching ""