Skip to content

tillitis/tkey-ssh-ca

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
LICENSES
LICENSES
 
 
.editorconfig
.editorconfig
 
 
.golangci.yml
.golangci.yml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
REUSE.toml
REUSE.toml
 
 
gencert.go
gencert.go
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

A simple SSH Certificate Authority

Current state: Proof of concept.

A small SSH server that generates SSH user certs on demand over an SSH connection.

You connect to the CA with SSH, using your SSH agent to authenticate, possibly using the tkey-ssh-agent to talk to a Tillitis TKey. If successful, you get a cert back that you can pipe or paste into a file. Use it like this:

$ ssh -p 2222 user@localhost > cert.pub

The cert will be valid and limited to the user name you use here. All user names are accepted if your public key is in the list of authorized keys.

You can then use the certificate to login with SSH to servers which trust the same CA pubkey:

ssh -i cert.pub user@some-ssh-server

The CA can also sign the cert using a TKey. The connection with the the TKey happens transparently through the use of tkey-ssh-agent running both on the CA server and your machine.

Nota bene: The TKey is (so far) not required to use this program.

Rationale

  • System owners don't want to manage individual public keys on the servers or embedded systems.

  • Instead, they only install a trusted CA public key on all servers.

  • The system owner hands out certs to all trusted users who want to use the servers.

  • The certs can be time-limited, perhaps even very limited, like an hour.

  • We want to show that you can use the Tillitis TKey both as the CA's private key and as the user's long-lived identity.

  • In this scenario with tkey-ssh-ca the system owner can hand out TKeys to the users, record the public key (with no or a known USS) as allowed users.

  • The users can then request short-lived certs at will.

Setup

You need to generate a host key pair to identify the host running the ssh-ca:

$ ssh-keygen -t ed25519

Call it host_ed25519.

You need the [tkey-ssh-agent](https://github.com/tillitis/tkey-ssh-agent/] installed and running on both the CA server and the user's machine.

Make sure the ssh-keygen command is available.

If you don't want to touch the TKey every time the CA generates a cert look into the documentation to compile the tkey-ssh-agent and the corresponding tkey-device-signer without the touch requirement.

After starting the tkey-ssh-agent (possibly with a USS), get the public key of your CA's key pair, typically with ssh-add -L. Place the key in a file called ca_key.pub in the ssh-ca directory.

Note that if you're trying this out on the same machine you can use the same pubkey both for the CA and the user. You will then be expected to touch your TKey twice: first when authentication to tkey-ssh-ca, then to sign the new cert.

Get the users' public keys and place them in authorized_keys in the tkey-ssh-ca directory, one per line in this format:

ssh-ed25519 AAAA... key-id@domain

Insert the TKey in the CA server.

Start the CA server:

$ ./tkey-ssh-ca

Development

tkey-ssh-ca currently depends the tkey-ssh-agent running on the CA server, too. This might change. It might, instead, connect to the TKey directly.

About

A simple SSH Certificate Authority

Resources

Readme

License

BSD-2-Clause license
Activity
Custom properties

Stars

1 star

Watchers

3 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages