ssh and PKI
Introduction
By default, SSH uses RSA or DSA keys for both host and user authentication. That results in a plethora of trusted keys in users' known_hosts and authorized_keys files. known_hosts, in particular, is ripe for re-editing whenever your favourite hosting service changes the IP address associated with your computing instance when you restart it.
In newer releases of OpenSSH we can replace swathes of instance-specific keys with CA-signed trusted keys.
When you ssh to another host, say from userA on hostA to userB on hostB, two sets of keys are exchanged:
- a host key is supplied by hostB to userA and is either:
  1. authenticated against an existing known host in userA's known_hosts file
  2. flagged as being a possible Man In The Middle attack if it conflicted in #1
  3. prompted to be added to userA's known_hosts file for future reference
- a user key is supplied by userA to hostB and is authenticated against the set of trusted keys in userB's authorized_keys file
With two sets of keys being exchanged, serving two similar but different purposes, it makes sense for us to use two different CAs for key signing.
Note
CAs are only one level deep and don't use X.509 or other SSL/TLS oriented formats.
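The two-CA split described above, as an added example that is not from the original page. It uses standard ssh-keygen options; the file names, hostB.example.com, the ed25519 key type and the validity periods are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example. Names (host_ca, user_ca, hostB.example.com, userA, userB) are
# illustrative; ed25519 keys assume OpenSSH 6.5 or later.

# Print "host" or "user" for a certificate file.
cert_type() { ssh-keygen -L -f "$1" | awk '/Type:/ {print $(NF-1)}'; }

# Succeed only if certificate $1 was signed by the CA public key $2.
signed_by() {
    want=$(ssh-keygen -l -f "$2" | awk '{print $2}')
    got=$(ssh-keygen -L -f "$1" | awk '/Signing CA:/ {print $4}')
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# Build both CAs plus one host and one user certificate in directory $1.
make_demo() {
    d=$1
    mkdir -p "$d" || return 1
    # A CA is an ordinary SSH key pair; -N '' (no passphrase) is for the demo only.
    for k in host_ca user_ca ssh_host_ed25519_key id_ed25519; do
        ssh-keygen -q -t ed25519 -N '' -C "$k" -f "$d/$k" || return 1
    done
    # Host CA signs hostB's host key: -h = host certificate, -n = hostnames.
    ssh-keygen -q -s "$d/host_ca" -I hostB -h -n hostB.example.com \
        -V +52w "$d/ssh_host_ed25519_key.pub" || return 1
    # User CA signs userA's key: principal userB, valid for one hour only.
    ssh-keygen -q -s "$d/user_ca" -I userA -n userB \
        -V +1h "$d/id_ed25519.pub" || return 1
    # One known_hosts line for userA replaces every per-host entry.
    printf '@cert-authority *.example.com %s\n' "$(cat "$d/host_ca.pub")" \
        > "$d/known_hosts"
    # One authorized_keys line for userB replaces every per-user key.
    printf 'cert-authority %s\n' "$(cat "$d/user_ca.pub")" \
        > "$d/authorized_keys"
}

# Run as "sh ssh_ca_demo.sh demo" to build and inspect everything in a temp dir.
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d) && make_demo "$dir" || exit 1
    for c in ssh_host_ed25519_key id_ed25519; do
        echo "$c-cert.pub: $(cert_type "$dir/$c-cert.pub") certificate"
    done
    signed_by "$dir/id_ed25519-cert.pub" "$dir/user_ca.pub" && echo "user cert: user_ca"
    signed_by "$dir/id_ed25519-cert.pub" "$dir/host_ca.pub" || echo "user cert: not host_ca"
    rm -rf "$dir"
fi
```

On a real hostB, sshd also has to present the host certificate, which is done with a HostCertificate line in sshd_config pointing at the -cert.pub file.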
I first read about SSH PKI certificates in this post by Blargh and then, when chasing up which release of OpenSSH certificates were introduced in, I found another primer here.
Note
Officially, the SSH Certificates code was released in OpenSSH 5.4; however, Red Hat/CentOS' openssh-5.3p1 contains an almost complete version.
Note
This thread on Hacker News, "The default OpenSSH key encryption is worse than plaintext", firstly enlightens us that the defaults for OpenSSH keys are poor and secondly that SSH CAs are actually very useful for short-term keys for logging into boxes.