Generate a ssh key to be used as the certificate authority. You should set a password on this key to protect it well.
$ ssh-keygen -t rsa -b 4096 -f id_rsa.ca
Each server that runs gatewaysshd needs a host key and a signed certificate. Suppose the hostname of the server is gateway-1.example.com. First, we generate the private key and public key pair:
$ ssh-keygen -t rsa -b 2048 -N "" -f id_rsa.gateway-1.example.com
Then we will need to sign the public key id_rsa.gateway-1.example.com.pub for this host using the certificate authority. If you don't own the certificate authority, you may need to send only this .pub file to the certificate authority for them to sign it.
$ ssh-keygen -s id_rsa.ca -I gateway-1.example.com -h -n gateway-1.example.com,gateway-1 -V +52w id_rsa.gateway-1.example.com.pub
-sspecifies the path to your certificate authority-Iis the key identifier, usually we can just use the fully-qualified hostname-his very important, it means this certificate is for use as a host certificate on the server side-nis also very important, it is a comma seperated list of principals for the host certificate, meaning if the user typessh username@hostname,hostnamemust be in this list of principals for the host certificate to be successfully validated-Vspecifies the validity period
Make sure the output of the command above says Signed host key. If it says Signed user key, then you probably forgot to supply the -h argument. After the command succeeds, you should get a file called id_rsa.gateway-1.example.com-cert.pub, that's the host certificate. There are many more options to customize your certificate, see ssh-keygen -h.
To run an instance of gatewaysshd, you will need three files:
id_rsa.gateway-1.example.comis the private key, make sure no group or world access is allowed on this fileid_rsa.gateway-1.example.com-cert.pubis the certificateid_rsa.ca.pubis the certificate authority's public key
For clients that connects to an instance of gatewaysshd, each of them also needs a user key and a signed certificate. This is very similar to the host key and certificate. The only differences are:
-hflag should be absent in order to specify user certificate-nis also a comma seperated list of principals, but it should be a list of usernames instead of hostnames, the user can only use one of the usernames specified in this list of principals to connect
$ ssh-keygen -t rsa -b 2048 -N "" -f id_rsa.john.doe
$ ssh-keygen -s id_rsa.ca -I john.doe -n john.doe,john -V +52w id_rsa.john.doe.pub
The output certificate should be named id_rsa.john.doe-cert.pub. After the user received the signed certificate back from the authority, they should keep all three files together in their ~/.ssh folder:
id_rsa.john.doeis the private key, make sure no group or world access is allowed on this fileid_rsa.john.doe.pubis the public keyid_rsa.john.doe-cert.pubis the certificate
When connecting to the server, the user should use -i ~/.ssh/id_rsa.john.doe to specify the identity, and they also have to use an approved username in the certificate, for example ssh -i ~/.ssh/id_rsa.john.doe john@gateway-1.
To get rid of the The authenticity of host can't be established prompt for your users, you will need to add the public key of the certificate authority in the user's ~/.ssh/known_hosts file in the following format:
@cert-authority *.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQA... [email protected]
*.example.comis the principal that this certificate authority is valid for, obviously it needs to include all of yourgatewaysshdservers
After that, the user will not need to confirm host identity if everything is authenticated successfully.