SSH CA helps you manage SSH public keys in a central database instead of copying every key into each server's authorized_keys
file. With principals you can restrict access to certain servers only. SSH CA also lets you verify that you are connecting to the correct server, without the host-key warning on first connection.
Requirements:
- Docker
- MySQL/MariaDB
Generate the SSH CA private and public keys. Don't set a passphrase.
ssh-keygen -f ssh-ca
This is for development and testing use. Use Swarm in production.
git clone git@github.com:olkitu/ssh-ca-signin-service.git
cd ssh-ca-signin-service
docker-compose build
docker-compose up -d
Create Secrets
cat ssh-ca | docker secret create ssh_ca_private -
Deploy the stack to Swarm with the docker stack deploy -c docker-compose.yml
command.
version: "3.8"
services:
  ssh-ca-sign-service:
    image: olkitu/ssh-ca-signin-service
    ports:
      - "22:22"
    environment:
      SSHCA_PUBLIC_KEY: <ssh-ca-public-key>
      SSH_CA_HOSTNAME: sshca.example.org
      MYSQL_SERVER: mariadb
      MYSQL_PORT: 3306
      MYSQL_DATABASE: sshca
      MYSQL_USER: sshca
      MYSQL_PASSWORD: changeme
      USERCERT_VALIDITY: -5m:+1d
      SSH_CA_SECRET: ssh_ca_private
    secrets:
      - ssh_ca_private
secrets:
  ssh_ca_private:
    external: true
Import database schema to MySQL/MariaDB.
Add principals
INSERT INTO principals (name) VALUES ('admin');
Add the user to the database with their SSH public key and the ID of the principal inserted above.
INSERT INTO clients (username, pubkey, principals) VALUES ('username', 'ssh-rsa ...', '1');
Now configure your end servers to trust the SSH CA public key.
Write the SSH CA public key to the /etc/ssh/ca.pub
file on every server.
echo "ssh-rsa ..." > /etc/ssh/ca.pub
Configure the SSH service in /etc/ssh/sshd_config
AuthorizedPrincipalsFile /etc/ssh/authorized_principals/root
TrustedUserCAKeys /etc/ssh/ca.pub
Add the allowed principals to the authorized_principals
file.
echo "admin" > /etc/ssh/authorized_principals/root
Reload the sshd service after changing these files.
Save the SSH CA public key to the ~/.ssh/known_hosts
file on your computer.
@cert-authority * ssh-rsa ...
Your computer now trusts the SSH CA host certificate when you connect to the service. This matters because the host certificate changes every time the container is redeployed.
Finally you can sign your user public key with the SSH CA. Change the file name id_rsa-cert.pub
to match your public key name if it differs from the default.
ssh username@container "sudo /usr/local/bin/sign-ssh-user-cert.sh" > ~/.ssh/id_rsa-cert.pub
You should now be able to access the server as the root
user with your client key.
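The following script is an added example, not code from the ssh-ca-signin-service project. It redoes the signing step (sign-ssh-user-cert.sh above), the authorized_principals check sshd performs on the end server, and the host-certificate trust set up by the @cert-authority line, all with plain ssh-keygen in a temporary directory so the issued certificates can be inspected before a server is told to trust them. The temporary directory, the key file names, the key id "username" and the ed25519 key type are assumptions made for the demo; the principal "admin", the validity "-5m:+1d" and the host name sshca.example.org come from this page.

```shell
#!/bin/sh
# Added example, not part of ssh-ca-signin-service: reproduces the signing
# and trust steps with plain ssh-keygen so the certificates can be inspected.
# Constructed for the demo: temp directory, key file names, key id "username",
# ed25519 keys. From the page: principal "admin", validity "-5m:+1d",
# host name sshca.example.org.
set -eu

# CA keypair with an empty passphrase, like the page's "ssh-keygen -f ssh-ca".
make_ca() {
    ssh-keygen -q -t ed25519 -N "" -f "$1/ssh-ca" -C "ssh-ca-demo"
}

# Client keypair: the public half is what goes into the clients table.
make_user_key() {
    ssh-keygen -q -t ed25519 -N "" -f "$1/id_ed25519" -C "username"
}

# Sign the user key. -I is the key id sshd logs at login, -n the principal
# list, -V the validity window (same syntax as USERCERT_VALIDITY).
# Prints the path of the certificate ssh-keygen writes next to the key.
sign_user_cert() {
    ssh-keygen -q -s "$1/ssh-ca" -I "username" -n "$2" -V "$3" "$1/id_ed25519.pub"
    printf '%s\n' "$1/id_ed25519-cert.pub"
}

# Sign a host key (-h) for the service host name; this is the certificate the
# client trusts through the @cert-authority line instead of a fixed host key.
sign_host_cert() {
    ssh-keygen -q -t ed25519 -N "" -f "$1/ssh_host_ed25519_key" -C "host"
    ssh-keygen -q -s "$1/ssh-ca" -I "sshca.example.org" -h -n "sshca.example.org" \
        "$1/ssh_host_ed25519_key.pub"
    printf '%s\n' "$1/ssh_host_ed25519_key-cert.pub"
}

# known_hosts entry that makes the client accept any host certificate signed
# by this CA for the given host pattern (use "*" for the page's setup).
known_hosts_line() {
    printf '@cert-authority %s %s\n' "$2" "$(cut -d' ' -f1,2 "$1/ssh-ca.pub")"
}

# Principals embedded in a certificate, one per line (parsed from ssh-keygen -L).
cert_principals() {
    ssh-keygen -L -f "$1" | awk '/Principals:/{p=1;next} /Critical Options:/{p=0} p{print $1}'
}

# Emulates sshd's AuthorizedPrincipalsFile check: allowed when at least one
# certificate principal is listed, one per line, in the authorized file.
principal_allowed() {
    for p in $(cert_principals "$1"); do
        if grep -qx "$p" "$2"; then
            return 0
        fi
    done
    return 1
}

demo() {
    dir=$(mktemp -d)
    make_ca "$dir"
    make_user_key "$dir"
    cert=$(sign_user_cert "$dir" admin "-5m:+1d")
    ssh-keygen -L -f "$cert"                      # key id, principals, validity
    ssh-keygen -L -f "$(sign_host_cert "$dir")"   # type shows "host certificate"
    known_hosts_line "$dir" "sshca.example.org"
    printf 'admin\n' > "$dir/authorized_principals"
    if principal_allowed "$cert" "$dir/authorized_principals"; then
        echo "root login with this certificate would be allowed"
    fi
    rm -rf "$dir"
}

# Run the flow only where ssh-keygen exists, so sourcing the file is harmless.
if command -v ssh-keygen >/dev/null 2>&1; then demo; fi
```

The ssh-keygen -L output is the thing to look at: the Principals list must contain a name that appears in the server's authorized_principals file, and the Valid line shows the window the USERCERT_VALIDITY setting produced, which is what limits how long a leaked certificate stays usable.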