Using the OpenSSH CA (Certificate Authority) in Xshell

Overview

(If you only want the quick step-by-steps, scroll down to Basic Step-by-Step Guide near the bottom of this article)

For public key authentication the public user key must be registered on the server you want to connect to and also to the user. This approach can be considered inefficient, and it can also be a burden to the server administrator. Thus, using a public key authenticated via a Certificate Authority (CA) can be a superior solution. OpenSSH provides simple certificate generation and an associated CA infrastructure. Xshell can utilize OpenSSH CAs to connect to remote UNIX/Linux servers. The following guide will show how you can use the CA feature of OpenSSH in Xshell.

If you use an authenticated key, even if the SSH server's host key changes, if the corresponding host key is signed, the key will be recognized as the host key of the same server in the SSH client. This is useful if you need to make frequent changes to the host key. Also, it grants the server administrator the ability to set and manage expiration dates of private keys as well as the ability to revoke private keys used by users outright. Users can connect to the server only with public keys authenticated by the authentication server.

IMPORTANT: To use this feature in Version 6, the OpenSSH Certificate Authority option must be enabled in Help => Experimental Features.

Host Key Authentication

Creating a Signing Key①

  1. Run the following command on the certificate creation server. Create a password when prompted. You will need to enter this password to authenticate the key later.

     $ ssh-keygen -f server_ca

    Generating public/private rsa key pair.

    Enter passphrase (empty for no passphrase):

    Enter same passphrase again:

    Your identification has been saved in server_ca.

    Your public key has been saved in server_ca.pub.

    The key fingerprint is:

    SHA256:wkoynUi5rXkMQXcNrpFmOWh+JbONIOCxeWv8WOxUbm4 root@uby

    The key's randomart image is:

    +---[RSA 2048]----+

    |... . oo                   |

    |o.++ =  .                |

    |.+B.X o.                 |

    | =oXo&o                |

    |  B+X++oS            |

    |  .X*.o.                   |

    |  o.+o E                 |

    |   . .                        |

    |                              |

    +----[SHA256]-----+

    In our example, we created an rsa server_ca key to be used for authentication. If you'd like to use a non-rsa formatted key, use the -t option to specify the desired key format.

  2. Confirm that the authentication key pair has been created.

    $ ls
    server_ca server_ca.pub

Signing the Host Key

If the host key to be signed is not from the authentication server, use the scp command to bring the host key from the appropriate server. Keep in mind that only root has read access to the SSH server host key.

  1. Get the remote server's host key to be signed②:

    # scp root@host.netsarang.com:/etc/ssh/ssh_host_rsa_key.pub .

  2. Use the Signing Key to sign the host key:

    # ssh-keygen -s server_ca -I key_id -h -n host.netsarang.com -V +52w ssh_host_rsa_key.pub
    Signed host key ssh_host_rsa_key-cert.pub: id "key_id" serial 0 for host.netsarang.com...

    Option Explanations

    • s: Name of the Signing Key.

    • I: Name used for logging purposes.

    • h: Indicates that what you are signing is a host key.

    • n: Name of the SSH server that will use the Signing Host Key. You can use commas to list multiple servers. SSH clients must utilize one of these names. If this value is omitted, then you can use it on any SSH server.

    • V: Certificate validity period. The example above has specified 52 weeks (1 year).

  3. Copy the signed host key of the remote server to the applicable remote server③. The location in which it's saved must be specified in the sshd_config:

    # scp ssh_host_rsa_key-cert.pub root@host.netsarang.com:/etc/ssh/

  4. Once the steps above are completed, the host key and the authenticated host key which were copied over are no longer needed. You can delete them:

    # rm ssh_host_rsa_key.pub ssh_host_rsa_key-cert.pub

Configuring the Signed Host Key

Required SSH Server Settings

  1. Edit the following file on the SSH server. You must have root privileges:

    # vi /etc/ssh/sshd_config

  2. Locate the HostCertificate line (if it does not exist, create it) and enter the name of the signed host key created in the step above④. An authenticated host key file is a host key file which was first authenticated on an authentication server and then copied over.

    HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub

  3. After saving, use the following command to restart the SSH Daemon.

    # service ssh restart

Required Xshell Settings

  1. Use Notepad, etc. to create a ca_keys file where you stored the host key information

  2. Copy the contents of the authentication file Signing Public Key (server_ca.pub) from the authentication server.

    # cat ~/server_ca.pub
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxC+gikReZlWEnZhKkGzhcNeRD3dKh0L1opw4/LQJcUPfRj07E3am
    bJfKhX/G4gfrKZ/ju0nanbq+XViNA4cpTIJq6xVk1uVvnQVOi09p4SIyqffahO9S+GxGj8apv7GkailNyY
    voMYordMbIx8UVxtcTR5AeWZMAXJM6GdIyRkKxH0/Zm1r9tsVPraaMOsKc
    +8isjJilwiQAhxdWVqvojPmX
    WE6V1R4E0wNgiHOZ+Wc72nfHh0oivZC4/i3JuZVH7kIDb+ugbsL8zFfauDevuxWeJVWn8r8SduMUVTMCzlqZKlhWb4SNCfv4j7DolKZ+KcQLbAfwybVr3Jy5dSl root@auth

  3. Add the above copied contents to the ca_keys file⑤. Now, add @cert-authority and domain restriction information in front of the public key information and then save the file.

    @cert-authority *.netsarang.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxC+gikReZlWEnZhKkGzhcNeRD3dKh0L1opw4/LQJcUPfRj07E3am
    bJfKhX/G4gfrKZ/ju0nanbq+XViNA4cpTIJq6xVk1uVvnQVOi09p4SIyqffahO9S+GxGj8apv7GkailNyY
    voMYordMbIx8UVxtcTR5AeWZMAXJM6GdIyRkKxH0/Zm1r9tsVPraaMOsKc
    +8isjJilwiQAhxdWVqvojPmXWE6V1R
    4E0wNgiHOZ+Wc72nfHh0oivZC4/i3JuZVH7kIDb+ugbsL8zFfauDevuxWeJVWn8r8SduMUVTMCzlqZKlhWb4SNCfv4j7DolKZ+KcQLbAfwybVr3Jy5dSl root@auth

  4. Confirm⑥.
    When the host key is not authenticated and there is no information regarding the applicable host, you should see:

    When the host key is authenticated:
    The above prompt will not appear and the user authentication process proceeds immediately.

User Key Authentication

Creating a Signing Key①

In order to sign the user keys in the authentication server, we need to first create a Signing Key set:

# ssh-keygen -f users_ca
# ls users_ca*
users_ca users_ca.pub

Create a password when prompted. You will need this password when using this key to sign other keys.
In our example, we created an rsa server_ca key to be used for authentication. If you'd like to use a non-rsa formatted key, use the -t option to specify the desired key format.

SSH Server Settings

  1. From the Signing Key set we created in the authentication server above, copy the public key to the SSH server②. You must have root privileges for the SSH server.

    # scp users_ca.pub root@host.netsarang.com:/etc/ssh/

  2. In the SSH server, modify the SSH daemon config file, sshd_config. You must have root privileges:

    # vi /etc/ssh/sshd_config

  3. Add the following information under the HostCertificate line that you applied during host authentication③. The users_ca.pub file is the file you copied over in Step 1.

    TrustedUserCAKeys /etc/ssh/users_ca.pub

  4. Restart the SSH service daemon.

    # service ssh restart

User Key Signature

  1. Create a key pair to be signed in Xshell's New User Key Wizard④.




    During the process of creating a user key, the public key is stored as a separate file. The public key can be verified at any time using Xshell's User Key Manager.


  2. Copy over the public key you saved above to the signing server⑤. Remember, the required file is the public key file, id_rsa_2048.pub, not the private key file, id_rsa_2048.

  3. Use the users_ca file to sign the key. The process is similar to signing a host key, but since this is a user key, you won't use the -h parameter. In the command below, the "username1,username2" after the -n parameter are SSH server's usernames. You can list the usernames you want to use when connecting with the signed key. Unlike the host key signing process, if you leave this value blank, you will not be able to login as any user on the SSH server with the above user keys. This value must be specified.

    $ ssh-keygen -s users_ca -I key_id -n username1,username2,... -V +52w id_rsa_2048.pub
    Enter passphrase:
    Signed user key id_rsa_2048-cert.pub: id "key_id" serial 0 for username1,username2,... valid from 2019-01-31T09:23:00 to 2020-01-30T09:24:30
    $ ls id_rsa*
    id_rsa_2048-cert.pub id_rsa_2048.pub

    When prompted to enter the password, enter the password you created when creating the users_ca file. Confirm that a signed file, id_rsa_2048-cert.pub, has been created.

  4. Copy the signed id_rsa_2048-cert.pub file to the Xshell UserKeys folder where the id_rsa_2048.pub file was located⑥:

    Alternatively, after downloading the signed file to your PC, you can simply drag and drop it into Xshell's Local Shell and it will automatically be copied into the above folder.

  5. Confirm
    Confirm that the user you want logging into the SSH server does not have public key information:

    $ hostname
    host
    $ id
    uid=1001(username1) gid=1001(username1) groups=1001(username1)
    $ cat ~/.ssh/authorized_keys => Nothing about the public key.
    $

    From Xshell, make an SSH connection to the SSH server.


    If the user key is not authenticated, you will see:

    If the user key is authenticated:
    Even if the public key was not registered on the SSH server, you can still login by entering the key password of the SSH client's private key (id_rsa_2048). Connections made by the users (username1,username2,...) entered after the -n parameter when signing the public key can login without registering the public key.

Basic Step-by-Step Guide

Host Authentication

  1. Create the Signing Key in the CA server①

    $ ssh-keygen -f server_ca

  2. Transfer the SSH server's host key to be signed to the CA server②:

    # scp root@host.netsarang.com:/etc/ssh/ssh_host_rsa_key.pub .

  3. Use in the Signing Key in the CA server to sign the host key:

    # ssh-keygen -s server_ca -I key_id -h -n host.netsarang.com -V +52w ssh_host_rsa_key.pub

  4. Copy the signed host key of the remote server to the applicable remote server③:

    # scp ssh_host_rsa_key-cert.pub root@centy.netsarang.com:/etc/ssh/

    Required SSH Server Settings

  5. Specify the signed host key in the sshd_config's HostCertificate line④:

    HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub

  6. After saving, use the following command to restart the SSH Daemon.

    # service ssh restart

    Required Xshell Settings

  7. Use Notepad, etc. to create a ca_keys file where you stored the host key information.

  8. Copy the contents of the authentication file Signing Public Key (server_ca.pub) from the authentication server and paste it into the ca_keys file⑤. Now, add @cert-authority and domain restriction information in front of the public key information and then save the file.

    @cert-authority *.netsarang.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxC+gikReZlWEnZhKkGzhcNeRD3dKh0L1opw4/LQJcUPfRj07E3ambJ
    fKhX/G4gfrKZ/ju0nanbq+XViNA4cpTIJq6xVk1uVvnQVOi09p4SIyqffahO9S+GxGj8apv7GkailNyYvoMY
    ordMbIx8UVxtcTR5AeWZMAXJM6GdIyRkKxH0/Zm1r9tsVPraaMOsKc
    +8isjJilwiQAhxdWVqvojPmXWE6V1R
    4E0wNgiHOZ+Wc72nfHh0oivZC4/i3JuZVH7kIDb+ugbsL8zFfauDevuxWeJVWn8r8SduMUVTMCzlqZKlhWb4S
    NCfv4j7DolKZ+KcQLbAfwybVr3Jy5dSl root@auth

User Key Authentication

  1. *Create the Signing Key①:*

    # ssh-keygen -f users_ca

  2. From the Signing Key set we created in the authentication server above, copy the public key to the SSH server②:

    # scp users_ca.pub root@host.netsarang.com:/etc/ssh/

  3. In the SSH server, modify the SSH daemon config file, sshd_config. Specify the users_ca.pub file for TrustedUserCAKeys:

    TrustedUserCAKeys /etc/ssh/users_ca.pub

  4. Restart the SSH service daemon:

    # service ssh restart

    User Key Signature

  5. Create a key pair to be signed in Xshell's New User Key Wizard and save the public key to a file④.
  6. Copy over the public key you saved above to the CA server⑤.

  7. Use the users_ca file to sign the key.

    $ ssh-keygen -s users_ca -I key_id -n username1,username2,... -V +52w id_rsa_2048.pub

  8. Copy the signed id_rsa_2048-cert.pub file to the Xshell UserKeys folder⑥:


  9. From Xshell, use the id_rsa_2048 key to make an SSH connection to the SSH server utilizing public key authentication.