In this section we will see how certificate authentication was set up for remote SSH terminal access to the robot.

## Certificate Authority

The first step is to create a Certificate Authority (CA) which we will use to sign each user certificate (public key) that will be used to have terminal access to a remote machine.

If possible, this step, as well as any step that involves the CA private key, should be done on an isolated machine with administrator access.

SSH has its own binary to generate private and public keys; we begin by creating the SSH CA (when prompted, protect the CA private key with a passphrase):

```
ssh-keygen -f smartuha_ssh_ca
```

This will create both a private key named *smartuha_ssh_ca* and a public key named *smartuha_ssh_ca.pub*.

## Host Certificate

Then, we will sign a host public key to give to the sshd service as the host certificate.

In the */etc/ssh* folder, you should have a few public keys available to sign. If not, create one in the same fashion as above when creating the SSH CA.

We can sign it this way:

```
ssh-keygen -h -s /path/to/smartuha_ssh_ca -n domain-name-or-ip-of-the-machine-to-access -I host_cert -V +52w ssh_host.pub
```

The `-h` argument is necessary when signing the host certificate, which will be used in the sshd service configuration and presented to any client to prove that we are indeed the machine they want to access.

The `-s` argument gives the path to the CA private key which will sign the certificate.

The `-n` argument specifies the principal of the certificate, here the domain name of the host (several names can be given as a comma-separated list, for example a domain name and an IP address).

When accessing the host over SSH, the domain name used should correspond to this. If not, client authentication will still be functional, but you would not have any guarantee that the machine being accessed is the host you wish to reach.

If your machine has no domain name, use the */etc/hosts* file to assign one to its corresponding IP address, or use an IP address as host name.

The `-I` argument is the key identifier, a label that identifies the certificate (sshd prints it in its logs when the certificate is used).

The `-V` argument is the amount of time we want this certificate to be valid for. Here it is valid for 52 weeks (about one year).

Finally we give the name of the public key to be signed (*ssh_host.pub*).

This step will create a certificate named *ssh_host-cert.pub* which we will use in the sshd service configuration later on.

## Client Certificate

The client wishing to access the remote machine can create his/her keys the same way as the CA (and the host if it were needed). Let's say the private key is named *ssh_id*; the public key will then be named *ssh_id.pub*.

The CA can then sign the public key (which the client sent to it) in this manner:

```
ssh-keygen -s /path/to/smartuha_ssh_ca -I client_cert -n USERNAME -V +52w ssh_id.pub
```

The `-h` argument is not used, as we are signing a client and not a host.

The `-n` argument takes the client's USERNAME on the machine it wants to authenticate as (the certificate's principal).

If a client wants to reach a machine with the command `ssh john@domain-name.net`, USERNAME should be replaced by *john*.

Everything else means the same as in the previous example in the host certificate subsection.

A file named *ssh_id-cert.pub* will be generated, which can be sent back to the client along with a copy of the signing CA **public key**, *smartuha_ssh_ca.pub* (not the private key!).

For the client to recognize the host, it must include the CA public key in its known_hosts file.

Let's assume the file *smartuha_ssh_ca.pub* contains the following text content:

```
ssh-rsa AAAAB3... admin@domain-name.net
```

The content that you want to extract is the first keyword and the following string, `ssh-rsa AAAAB3...` (which is much longer in reality); the trailing comment is not needed.

You want to add it on a new line in the known_hosts file at ~/.ssh along with these keywords:

```
@cert-authority host-machine-domain-name.net ssh-rsa AAAAB3...
```

The domain name of the host machine must be put instead of the one presented above. It is the name the client will type when connecting, which must also appear among the principals given with `-n` when the host certificate was signed.

For the client to connect, its private key and public key-certificate must be in this ~/.ssh folder as well (make sure to protect the private key).

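
The signing steps from the Host Certificate and Client Certificate subsections and the known_hosts line construction above, as an added example script that is not part of the original guide: it runs the guide's `ssh-keygen` commands in a scratch directory and checks the resulting certificates with `ssh-keygen -L`. The host name robot.example.net, the user john, the ed25519 key type and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original guide: runs the guide's signing
# steps in a scratch directory and checks the results with `ssh-keygen -L`.
# Host name, user name and ed25519 key type are assumptions for the demo.
set -eu

# Print the known_hosts entry for a CA public key file ($1) and a host
# pattern ($2). Only the key type and base64 blob (fields 1 and 2) are
# copied; the trailing comment of the .pub file is deliberately dropped.
ca_known_hosts_line() {
    awk -v host="$2" '{ print "@cert-authority " host " " $1 " " $2; exit }' "$1"
}

# Print "host" or "user" for a certificate file, taken from the
# "Type: ... host certificate" line of `ssh-keygen -L`.
cert_type() {
    ssh-keygen -L -f "$1" | awk '/^[ \t]*Type:/ { print $(NF-1); exit }'
}

# Print the principals (host names or user names) listed in a certificate.
cert_principals() {
    ssh-keygen -L -f "$1" | awk '
        /^[ \t]*Principals:/ { p = 1; next }
        p && /^[ \t]*[A-Z]/  { exit }
        p { sub(/^[ \t]+/, ""); print }'
}

# Create CA, host key and client key, sign both keys as in the guide, and
# print the scratch directory holding smartuha_ssh_ca*, ssh_host* and ssh_id*.
make_demo_certs() {
    d=$(mktemp -d)
    for k in smartuha_ssh_ca ssh_host ssh_id; do
        ssh-keygen -q -N '' -t ed25519 -f "$d/$k"
    done
    # host certificate: -h, principal is the name clients will connect to
    ssh-keygen -q -h -s "$d/smartuha_ssh_ca" -n robot.example.net \
        -I host_cert -V +52w "$d/ssh_host.pub"
    # user certificate: no -h, principal is the login name on the host
    ssh-keygen -q -s "$d/smartuha_ssh_ca" -n john \
        -I client_cert -V +52w "$d/ssh_id.pub"
    echo "$d"
}

if [ "${1:-}" = "demo" ]; then
    d=$(make_demo_certs)
    ca_known_hosts_line "$d/smartuha_ssh_ca.pub" robot.example.net
    echo "ssh_host-cert.pub: $(cert_type "$d/ssh_host-cert.pub") for $(cert_principals "$d/ssh_host-cert.pub")"
    echo "ssh_id-cert.pub:   $(cert_type "$d/ssh_id-cert.pub") for $(cert_principals "$d/ssh_id-cert.pub")"
fi
```

Run it as `sh script.sh demo`; the `ssh-keygen -L` check is the quickest way to confirm that a certificate is of the right kind (host vs user) and carries the principal you expect before touching sshd.
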
## SSH Service Configuration

With all this, you can make a configuration file for the sshd service. We will explain each part:

```
# We must only accept certificates to authenticate a user.
# We disable password authentication to prevent users without certificates from logging in anyway.
PasswordAuthentication no

# We disable this authentication method as well.
ChallengeResponseAuthentication no

# This is used to accept any client certificate that was signed by our CA.
# It points to the CA public key.
TrustedUserCAKeys /path/to/smartuha_ssh_ca.pub

# The private key and public key-certificate generated in the earlier steps.
# The cert will be sent to the client for identity confirmation.
HostKey /path/to/ssh_host
HostCertificate /path/to/ssh_host-cert.pub
```

With this, you can restart the sshd service with the command `sudo service sshd restart` (run `sudo sshd -t` first to check the configuration for errors) and try connecting to the machine from another one with the client certificate.

If any problem arises, we suggest using the argument `-vvv` with any `ssh` command to see debug messages that might help in case something doesn't work.

## Conclusion

Thank you for paying attention to this guide.

The original guide used to write this page is available [here](https://berndbausch.medium.com/ssh-certificates-a45bdcdfac39) in case you want to seek further information or reproduce the exact procedure that was followed to put this in place.