SSH Certificate Authority (CA)

What?

  • OpenSSH (Secure Shell) is a program to log into another computer over a network, to execute commands in a remote computer, and to move files from one computer to another. It provides strong authentication and secure communications over insecure channels.
  • OpenSSH uses cryptography to secure connections. Every computer with openssh-server installed has its own unique host key that identifies this computer.
  • When an ssh client initiates a connection to a previously unknown server, it displays the fingerprint of the server's host key for confirmation. The user is expected to verify this fingerprint through other means and confirm that it matches the server they want to log in to.
  • The client stores the host key fingerprint of the server in its known_hosts file. On consecutive logins the client therefore does not ask again as long as the fingerprint of the server has not changed. If the fingerprint has changed, it displays a warning.
  • Rather than checking the fingerprint of the server host key itself, OpenSSH can verify a signature on the key instead. As long as this signature is valid and matches a previously configured public key stored on the client, the client trusts the server and asks the user neither to confirm the fingerprint on the first connection nor to confirm it when the host key has changed. This removes the cumbersome maintenance of known_hosts files on the client side.

Who?

  • An OpenSSH Certificate Authority is maintained by the ITS Linux System Administration at </servers/ssh.bfh.ch/index> and is used to sign all Linux OpenSSH host keys.
  • At this point, the OpenSSH Certificate Authority can be used by any BFH staff member.
  • We might or might not include students and guests in the future.

How?

  • The current OpenSSH Certificate Authority certificate is included below; see our OpenSSH documentation for more information.
  • Signing of host keys is restricted to OpenSSH host keys (RSA algorithm) only; see our OpenSSH documentation for more information.
  • System Administrators running a server in a BFH network can submit their public host keys via the Servicedesk for signing.

BFH OpenSSH Certificate Authorities

Global Installation (requires root permissions)

cat >> /etc/ssh/ssh_known_hosts << EOF
# ITS Linux System Administration: SSH CA Key 2014-1
@cert-authority *.bfh.ch ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDUNkH3WmxcU+adqwaLNYRncb6c34V4kk01pD4+1YRwRhcFckZToxfnMrsBE8YN28VbqEHAJJkYRhkqjevXeJm8EESDTY0/BI+RPqzeCakdLBMKq1PZhTu8iaGQxoldPsbdEgkGpb4zI2zrL7sJoCGZqqf1jdfcmEFZ4E51aHwXOUAUj1XQhKTcDxZZrB27qamwuOrQMrBrkIBXfR/2wxt4r1c1Q21UcU+Gw3LPH2Hr17jIxMZ0XbbKMjNjm2F12e2OdqmrslXtiIbZ8D7tcrzSJ68AfIePLTq1GRC21ivHVKGmgWdJBf0Kn3a/MdnW+XaQvc2z1OWpm0bxYRr4BbNrHTSu8I6vCgEmRWubPvBofHL0UP6j1QwLWMdsG6Z8+LOTyZekj0+vC95FQC1tMoGaODvpigSlXj/NNMgKMuZJD+vGo0GUXldPOnacS3uVDjTSkJ6iKJT6SZxtxB6CWXcBvBdpxZn6xCPBIL+jSPmcB1SEDGuj5DhAEfe3+Q/bswksPrFHbJn/8JuE3yfnV0/grLQirVU8zPWIDURhEhpiS2NdIMhlGRLs6GBDKO8CdULsYOy/+cTpr32xfdyyS3qjDqyfYfvQOyXEAVOBhViAjPeqZf8F45gP8D/n33gAzN9FKhRVuawolU0VpE1uzjN0lvoiE1TN4WNxjCMhb848Aw== its-linux-sysadmin@lists.bfh.ch
EOF

User Installation (requires no root permissions)

mv ~/.ssh/known_hosts ~/.ssh/known_hosts.tmp

cat > ~/.ssh/known_hosts << EOF
# ITS Linux System Administration: SSH CA Key 2014-1
@cert-authority *.bfh.ch ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDUNkH3WmxcU+adqwaLNYRncb6c34V4kk01pD4+1YRwRhcFckZToxfnMrsBE8YN28VbqEHAJJkYRhkqjevXeJm8EESDTY0/BI+RPqzeCakdLBMKq1PZhTu8iaGQxoldPsbdEgkGpb4zI2zrL7sJoCGZqqf1jdfcmEFZ4E51aHwXOUAUj1XQhKTcDxZZrB27qamwuOrQMrBrkIBXfR/2wxt4r1c1Q21UcU+Gw3LPH2Hr17jIxMZ0XbbKMjNjm2F12e2OdqmrslXtiIbZ8D7tcrzSJ68AfIePLTq1GRC21ivHVKGmgWdJBf0Kn3a/MdnW+XaQvc2z1OWpm0bxYRr4BbNrHTSu8I6vCgEmRWubPvBofHL0UP6j1QwLWMdsG6Z8+LOTyZekj0+vC95FQC1tMoGaODvpigSlXj/NNMgKMuZJD+vGo0GUXldPOnacS3uVDjTSkJ6iKJT6SZxtxB6CWXcBvBdpxZn6xCPBIL+jSPmcB1SEDGuj5DhAEfe3+Q/bswksPrFHbJn/8JuE3yfnV0/grLQirVU8zPWIDURhEhpiS2NdIMhlGRLs6GBDKO8CdULsYOy/+cTpr32xfdyyS3qjDqyfYfvQOyXEAVOBhViAjPeqZf8F45gP8D/n33gAzN9FKhRVuawolU0VpE1uzjN0lvoiE1TN4WNxjCMhb848Aw== its-linux-sysadmin@lists.bfh.ch
EOF

cat ~/.ssh/known_hosts.tmp >> ~/.ssh/known_hosts
rm -f ~/.ssh/known_hosts.tmp

Notes

  • It is important to list CA keys first, as OpenSSH processes the known_hosts file based on a first-match-wins rule.
  • Windows users find their ~/.ssh/known_hosts in .ssh/known_hosts relative to their home directory.
  • BFH Linux desktops and servers (using OpenSSH) as well as BFH Windows clients (using PuTTY or Git) already contain the necessary global configuration.
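As an added example (not part of this page or of OpenSSH itself), a small Python audit of a known_hosts file: it parses the marker, host pattern, key type, base64 blob and comment of each line, flags any @cert-authority line that comes after a plain host entry (the first-match-wins note above), checks that the declared key type matches the type encoded inside the blob, and computes the SHA256 fingerprint in the form ssh-keygen prints. The sample key, the hostname somehost.bfh.ch and the GOOD/BAD files are constructed for the example; the real CA key is the one in the installation blocks above.

```python
import base64, hashlib, struct
from collections import namedtuple
KnownHost = namedtuple("KnownHost", "marker hosts key_type blob comment")  # marker None = plain entry

def parse_known_hosts(text: str) -> list:
    """Parse known_hosts lines; blank lines and '#' comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # an optional marker such as @cert-authority precedes the host field
        marker, line = line.split(None, 1) if line.startswith("@") else (None, line)
        hosts, key_type, key_b64, *rest = line.split(None, 3)  # ValueError on a malformed line
        entries.append(KnownHost(marker, hosts, key_type, base64.b64decode(key_b64), rest[0] if rest else ""))
    return entries

def wire_key_type(blob: bytes) -> str:
    """A public key blob starts with its type as a length-prefixed string (RFC 4253)."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode()

def fingerprint(blob: bytes) -> str:
    """Same form as `ssh-keygen -lf`: SHA256 over the blob, base64 without '=' padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def audit(text: str) -> list:
    """Page rule: CA lines precede plain entries (first match wins); also declared type == blob type."""
    problems, seen_plain = [], False
    for n, e in enumerate(parse_known_hosts(text), 1):
        if wire_key_type(e.blob) != e.key_type:
            problems.append(f"entry {n}: declared {e.key_type} but blob is {wire_key_type(e.blob)}")
        if e.marker == "@cert-authority" and seen_plain:
            problems.append(f"entry {n}: @cert-authority for {e.hosts} comes after a plain host entry")
        seen_plain = seen_plain or e.marker is None
    return problems

def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b
def ssh_mpint(n: int) -> bytes:  # positive mpint: leading 0x00 byte when the high bit is set
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

# Constructed sample key (NOT the real CA key): a tiny ssh-rsa blob keeps the lines short.
SAMPLE_BLOB = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(0xC0FFEE123456789ABCDEF)
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()
GOOD = f"""# SSH CA Key (constructed sample)
@cert-authority *.bfh.ch ssh-rsa {SAMPLE_B64} its-linux-sysadmin@lists.bfh.ch
somehost.bfh.ch ssh-rsa {SAMPLE_B64} plain entry that predates the CA line
"""
BAD = "\n".join(reversed(GOOD.strip().splitlines())) + "\n"  # same lines, plain entry first
```

Running audit(GOOD) returns an empty list, while audit(BAD) reports the misplaced @cert-authority line; point it at a real ~/.ssh/known_hosts or /etc/ssh/ssh_known_hosts by reading the file into a string.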