Using the OpenSSH CA (Certificate Authority) in Xshell
Overview
(If you only want the quick step-by-step instructions, scroll down to the Basic Step-by-Step Guide near the bottom of this article.)
With public key authentication, each user's public key must be registered on the server you want to connect to, under that user's account. This approach can be considered inefficient, and it can also be a burden to the server administrator. A public key authenticated by a Certificate Authority (CA) can therefore be a superior solution. OpenSSH provides simple certificate generation and an associated CA infrastructure, and Xshell can use OpenSSH CAs to connect to remote UNIX/Linux servers. The following guide shows how to use the CA feature of OpenSSH in Xshell.
If you use an authenticated key, the SSH client will recognize a changed host key as the host key of the same server, provided the new host key is signed. This is useful if you need to change the host key frequently. It also gives the server administrator the ability to set and manage expiration dates of keys, as well as the ability to revoke the keys used by users outright. Users can connect to the server only with public keys authenticated by the authentication server.
IMPORTANT: To use this feature in Version 6, the OpenSSH Certificate Authority option must be enabled in Help => Experimental Features.
Host Key Authentication
Creating a Signing Key①
Run the following command on the certificate creation server. Create a password when prompted. You will need to enter this password to authenticate the key later.
In our example, we created an rsa server_ca key to be used for authentication. If you'd like to use a non-rsa formatted key, use the -t option to specify the desired key format.
Confirm that the authentication key pair has been created.
Signing the Host Key
If the host key to be signed is not from the authentication server, use the scp command to bring the host key from the appropriate server. Keep in mind that only root has read access to the SSH server host key.
Get the remote server's host key to be signed②:
Use the Signing Key to sign the host key:
Option Explanations
-s: Name of the Signing Key.
-I: Name used for logging purposes.
-h: Indicates that what you are signing is a host key.
-n: Name of the SSH server that will use the signed host key. You can use commas to list multiple servers. SSH clients must connect using one of these names. If this value is omitted, the signed host key can be used on any SSH server.
-V: Certificate validity period. The example above specifies 52 weeks (1 year).
Copy the signed host key of the remote server to the applicable remote server③. The location in which it's saved must be specified in the sshd_config:
Once the steps above are completed, the host key and the authenticated host key which were copied over are no longer needed. You can delete them:
Configuring the Signed Host Key
Required SSH Server Settings
Edit the following file on the SSH server. You must have root privileges:
Locate the HostCertificate line (if it does not exist, create it) and enter the name of the signed host key created in the step above④. An authenticated host key file is a host key file which was first authenticated on an authentication server and then copied over.
After saving, use the following command to restart the SSH Daemon.
Required Xshell Settings
Use Notepad or a similar editor to create a ca_keys file in the location where the host key information is stored.
Copy the contents of the signing public key file (server_ca.pub) from the authentication server.
Add the above copied contents to the ca_keys file⑤. Now, add @cert-authority and domain restriction information in front of the public key information and then save the file.
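Added example (not part of the original article or of Xshell's documentation): the host key signing step with the options listed under Option Explanations, followed by the ca_keys entry described above, run end to end in a scratch directory. The ed25519 key type, the empty passphrases, the file names, the host_demo identity, the host names and the *.example.com pattern are assumptions made for a throwaway demo.

```shell
#!/bin/sh
# Added example, not from the original article. All names are constructed.
set -eu

# Create a signing key and sign a host key with it, inside directory $1.
# $2 is the comma-separated list of names clients will connect to.
sign_host_key() {
    dir=$1 names=$2
    # Signing key. Empty passphrase only because this is a throwaway demo;
    # the article sets a password at this prompt.
    ssh-keygen -q -t ed25519 -N '' -C server_ca -f "$dir/server_ca"
    # Stand-in for the host key copied from the SSH server (assumed name).
    ssh-keygen -q -t ed25519 -N '' -C demo-host -f "$dir/ssh_host_ed25519_key"
    # -s signing key, -I log identity, -h host key, -n names, -V validity
    ssh-keygen -q -s "$dir/server_ca" -I host_demo -h -n "$names" \
        -V +52w "$dir/ssh_host_ed25519_key.pub"
}

# Show what a certificate actually grants: type, key ID, validity, names.
cert_summary() {
    ssh-keygen -L -f "$1"
}

# Build the ca_keys entry: marker, host pattern, then the CA public key.
ca_keys_line() {
    printf '@cert-authority %s %s\n' "$2" "$(cat "$1")"
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
sign_host_key "$work" "host.example.com,host"
cert_summary "$work/ssh_host_ed25519_key-cert.pub"
ca_keys_line "$work/server_ca.pub" '*.example.com'
```

Reviewing the cert_summary output before copying the certificate to the server catches a missing -h, a wrong name list or an unintended validity window while the file is still on the signing machine.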
Confirm⑥.
When the host key is not authenticated and there is no information regarding the applicable host, you should see:
When the host key is authenticated:
The above prompt will not appear and the user authentication process proceeds immediately.
User Key Authentication
Creating a Signing Key①
In order to sign the user keys in the authentication server, we need to first create a Signing Key set:
# ssh-keygen -f users_ca
Create a password when prompted. You will need this password when using this key to sign other keys.
In our example, we created an rsa users_ca key to be used for authentication. If you'd like to use a non-rsa formatted key, use the -t option to specify the desired key format.
SSH Server Settings
From the Signing Key set we created in the authentication server above, copy the public key to the SSH server②. You must have root privileges for the SSH server.
In the SSH server, modify the SSH daemon config file, sshd_config. You must have root privileges:
Add the following information under the HostCertificate line that you applied during host authentication③. The users_ca.pub file is the file you copied over in Step 1.
Restart the SSH service daemon.
User Key Signature
Create a key pair to be signed in Xshell's New User Key Wizard④.
During the process of creating a user key, the public key is stored as a separate file. The public key can be verified at any time using Xshell's User Key Manager.
Copy over the public key you saved above to the signing server⑤. Remember, the required file is the public key file, id_rsa_2048.pub, not the private key file, id_rsa_2048.
Use the users_ca file to sign the key. The process is similar to signing a host key, but since this is a user key, you won't use the -h parameter. In the command below, the "username1,username2" after the -n parameter are usernames on the SSH server. List the usernames you want to use when connecting with the signed key. Unlike the host key signing process, if you leave this value blank, you will not be able to log in as any user on the SSH server with the above user keys. This value must be specified.
When prompted to enter the password, enter the password you created when creating the users_ca file. Confirm that a signed file, id_rsa_2048-cert.pub, has been created.
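Added example (not part of the original article): a check to run on a signed user key before handing it back, which rejects a certificate that was signed with -h by mistake or that names no users after -n. The scratch keys, the ed25519 key type, the empty passphrases, the user_demo identity and the function names cert_principals and check_user_cert are assumptions for the demo; the -V value is carried over from the host key step.

```shell
#!/bin/sh
# Added example, not from the original article. All names are constructed.
set -eu

# Print the user names (principals) listed in a certificate, one per line.
# Prints nothing when ssh-keygen reports "Principals: (none)".
cert_principals() {
    ssh-keygen -L -f "$1" | awk '
        /Critical Options:/ { p = 0 }
        p && NF             { print $1 }
        /Principals:/       { p = 1 }'
}

# Return 0 only for a user certificate that names at least one user.
check_user_cert() {
    if ssh-keygen -L -f "$1" | grep -q 'host certificate'; then
        echo "reject: signed with -h, this is a host certificate"
        return 1
    fi
    if [ -z "$(cert_principals "$1")" ]; then
        echo "reject: no user names were given after -n"
        return 1
    fi
    echo "ok: valid for $(cert_principals "$1" | tr '\n' ' ')"
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
# Throwaway signing key and two user keys (empty passphrases: demo only).
ssh-keygen -q -t ed25519 -N '' -C users_ca -f "$work/users_ca"
for k in named blank; do
    ssh-keygen -q -t ed25519 -N '' -C "$k" -f "$work/$k"
done
# One certificate signed as the article describes, one with -n left out.
ssh-keygen -q -s "$work/users_ca" -I user_demo -n username1,username2 \
    -V +52w "$work/named.pub"
ssh-keygen -q -s "$work/users_ca" -I user_demo -V +52w "$work/blank.pub"

check_user_cert "$work/named-cert.pub"
check_user_cert "$work/blank-cert.pub" || true
```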
Copy the signed id_rsa_2048-cert.pub file to the Xshell UserKeys folder where the id_rsa_2048.pub file was located⑥:
Alternatively, after downloading the signed file to your PC, you can simply drag and drop it into Xshell's Local Shell and it will automatically be copied into the above folder.
Confirm
Confirm that the user you want logging into the SSH server does not have public key information:
From Xshell, make an SSH connection to the SSH server.
If the user key is not authenticated, you will see:
If the user key is authenticated:
Even if the public key was not registered on the SSH server, you can still log in by entering the key password of the SSH client's private key (id_rsa_2048). The users (username1,username2,...) entered after the -n parameter when signing the public key can log in without registering the public key.