SSH with Public Key Infrastructure (PKI): Integration and Management

Integrating SSH with Public Key Infrastructure (PKI) adds a layer of security by authenticating with CA-signed certificates instead of bare key pairs. This article explains how to integrate SSH with PKI and manage the certificates, and outlines the advantages of this approach.

1. Understanding Public Key Infrastructure (PKI)

PKI is a framework for managing digital certificates and public-private key pairs. At its centre is a Certificate Authority (CA) that signs (and, when needed, revokes) certificates; relying parties verify those signatures against the CA's public key, which establishes the authenticity of the public keys the certificates carry.

2. Benefits of Using PKI with SSH

Enhanced Security:

  • A certificate binds a public key to a key identifier, a set of principals and a validity period, all signed by the CA. Servers trust one CA key instead of an ever-growing list of individual authorized_keys entries, and a stray key that was never signed by the CA is worthless to an attacker.

Centralized Management:

  • Centralized control over certificates allows for easier management and revocation.

Scalability:

  • PKI scales well for large environments with many users and devices.

3. Setting Up a Certificate Authority (CA)

  1. Generate a CA Key Pair:
   ssh-keygen -t rsa -b 4096 -f /path/to/ca -C "CA for SSH"
  2. Sign User Keys with the CA:
   ssh-keygen -s /path/to/ca -I user_key_id -n username -V +52w user_key.pub

This command signs the user key with the CA and writes the certificate to user_key-cert.pub. -I sets the key identifier that appears in the server's logs, -n sets the principal (the account name the certificate may log in as), and -V +52w makes it valid for 52 weeks from now.

  3. Distribute the CA Public Key:
    Install the CA public key on the server, either system-wide with TrustedUserCAKeys in /etc/ssh/sshd_config, or for a single account as a line in that account's ~/.ssh/authorized_keys prefixed with the cert-authority option:
   TrustedUserCAKeys /path/to/ca.pub
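To see what the signing command above actually puts into user_key-cert.pub, and what a server checks before accepting it, here is an added example (not code from the article or from OpenSSH) that parses the OpenSSH certificate wire format and applies the post-signature policy: certificate kind, principal, validity window and a revoked-serial lookup. Signature verification is left out because it needs a crypto library; the sample certificate is constructed inline with placeholder key and signature bytes, so only the field layout and the policy logic are real. The serial 42, the timestamp and the force-command/permit-pty values are constructed.

```python
"""Parse an OpenSSH user certificate (the *-cert.pub written by ssh-keygen -s)
and apply the checks a server makes after verifying the signature: kind,
principal, validity window, revoked serial. Added example for the article,
not from the page or OpenSSH. Signature verification is omitted; the sample
certificate is constructed with placeholder key/signature bytes."""
import base64, struct, time

USER_CERT = 1                                   # 'type' field: 1 user, 2 host

# SSH wire format (RFC 4251): length-prefixed strings, big-endian integers
def _string(b): return struct.pack(">I", len(b)) + b
def _u32(n): return struct.pack(">I", n)
def _u64(n): return struct.pack(">Q", n)

class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0
    def _take(self, fmt, size):
        (v,) = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += size
        return v
    def u32(self): return self._take(">I", 4)
    def u64(self): return self._take(">Q", 8)
    def string(self):
        n = self.u32()
        if self.pos + n > len(self.data):
            raise ValueError("truncated certificate blob")
        s, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        return s
    def done(self): return self.pos >= len(self.data)

def _pairs_to_dict(blob):
    """Critical options / extensions: repeated (name, data) strings; a
    non-empty data field wraps its value in one more string."""
    r, out = _Reader(blob), {}
    while not r.done():
        name, data = r.string().decode(), r.string()
        out[name] = _Reader(data).string().decode() if data else ""
    return out

def _dict_to_pairs(pairs):
    return b"".join(_string(k.encode()) + _string(_string(v.encode()) if v else b"")
                    for k, v in pairs.items())

def parse_certificate(line):
    """Parse one '<type> <base64> [comment]' line into a dict of fields."""
    cert_type, b64 = line.split()[:2]
    r = _Reader(base64.b64decode(b64))
    if r.string().decode() != cert_type:
        raise ValueError("type prefix does not match blob")
    r.string()                                              # nonce
    if cert_type == "ssh-ed25519-cert-v01@openssh.com":
        r.string()                                          # public key
    elif cert_type == "ssh-rsa-cert-v01@openssh.com":
        r.string(); r.string()                              # e, n
    else:
        raise ValueError(f"unsupported certificate type {cert_type}")
    cert = {"type": cert_type, "serial": r.u64(), "cert_kind": r.u32(),
            "key_id": r.string().decode()}
    pr, cert["principals"] = _Reader(r.string()), []
    while not pr.done():
        cert["principals"].append(pr.string().decode())
    cert["valid_after"], cert["valid_before"] = r.u64(), r.u64()
    cert["critical_options"] = _pairs_to_dict(r.string())
    cert["extensions"] = _pairs_to_dict(r.string())
    r.string()                                              # reserved
    cert["signature_key"], cert["signature"] = r.string(), r.string()
    return cert

def check_certificate(cert, principal, now=None, revoked_serials=frozenset()):
    """Return (accepted, reason). sshd treats an empty principal list as
    'valid for any user'; this stricter policy rejects such certificates."""
    now = int(time.time()) if now is None else now
    if cert["cert_kind"] != USER_CERT:
        return False, "not a user certificate"
    if cert["serial"] in revoked_serials:
        return False, f"serial {cert['serial']} is revoked"
    if not cert["principals"]:
        return False, "no principals (would be valid for every user)"
    if principal not in cert["principals"]:
        return False, f"{principal!r} not among {cert['principals']}"
    if not cert["valid_after"] <= now < cert["valid_before"]:
        return False, "outside validity window"
    return True, "ok"

def build_sample_certificate(serial, key_id, principals, valid_after,
                             valid_before, critical_options, extensions):
    """Constructed ed25519 user certificate: real field order, placeholder
    key and signature bytes (no cryptography involved)."""
    t = b"ssh-ed25519-cert-v01@openssh.com"
    blob = (_string(t) + _string(b"\x00" * 32) + _string(b"\x01" * 32)
            + _u64(serial) + _u32(USER_CERT) + _string(key_id.encode())
            + _string(b"".join(_string(p.encode()) for p in principals))
            + _u64(valid_after) + _u64(valid_before)
            + _string(_dict_to_pairs(critical_options))
            + _string(_dict_to_pairs(extensions)) + _string(b"")  # reserved
            + _string(_string(b"ssh-ed25519") + _string(b"\x02" * 32))
            + _string(b"placeholder-signature"))
    return f"{t.decode()} {base64.b64encode(blob).decode()} {key_id}"

# Fields of: ssh-keygen -s ca -I user_key_id -n username -V +52w -z 42 user_key.pub
VALID_AFTER = 1_700_000_000                     # constructed timestamp
SAMPLE_LINE = build_sample_certificate(
    42, "user_key_id", ["username"], VALID_AFTER, VALID_AFTER + 52 * 7 * 86400,
    {"force-command": "/usr/bin/rsync --server"}, {"permit-pty": ""})
```

Run parse_certificate on a real user_key-cert.pub and compare with ssh-keygen -L: the key ID, principals, serial and validity window map one-to-one onto the -I, -n, -z and -V arguments. check_certificate is the part a hardening review cares about, in particular that a certificate with no principals is accepted by sshd for every account, which is why -n should never be left off.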

4. Managing SSH Certificates

Creating and Signing Certificates:

  • Use ssh-keygen to create and sign user keys with the CA.

Revoking Certificates:

  • Maintain a revocation list so compromised or retired certificates can be rejected before they expire. OpenSSH's form of this is the Key Revocation List (KRL), built and updated with ssh-keygen -k and pointed to by the RevokedKeys directive in sshd_config; it can revoke by certificate serial or key ID as well as by public key.

Automating Certificate Management:

  • Use tools like HashiCorp Vault to automate the issuance and revocation of SSH certificates.

5. Configuring SSH to Use PKI

Server Configuration:

  1. Edit the SSH Configuration File:
   sudo nano /etc/ssh/sshd_config
  2. Specify the CA Public Key:
   TrustedUserCAKeys /path/to/ca.pub
  3. Restart SSH Service (the unit is named sshd on RHEL-derived distributions):
   sudo systemctl restart ssh

Client Configuration:

  • Clients authenticate with the private key; ssh picks up the certificate automatically when it sits next to the key as signed_key-cert.pub (otherwise name it with the CertificateFile option):
   ssh -i /path/to/signed_key user@server

6. Automating SSH Certificate Management with Vault

Setting Up Vault:

  1. Install Vault:
   sudo apt-get install vault
  2. Configure Vault for SSH CA (the SSH secrets engine must already be enabled at the ssh/ path, e.g. with vault secrets enable ssh):
   vault write ssh/config/ca generate_signing_key=true
  3. Issue a Certificate (user is the name of a Vault role defined under ssh/roles/, which fixes the allowed principals, extensions and TTL for certificates signed through it):
   vault write ssh/sign/user key_id="user_key_id" public_key=@/path/to/user_key.pub

Conclusion

Integrating SSH with PKI enhances security, centralizes management, and provides scalability for large environments. By setting up a CA, managing certificates, and leveraging tools like Vault, you can create a robust and secure SSH infrastructure.