When it comes to SSH authentication, certificate-based authentication provides a high level of security and convenience. However, it can be less intuitive than key- or password-based authentication and requires more initial setup. In this article, I will demonstrate how to leverage open-source tools to integrate Single Sign-On (SSO) into the SSH authentication workflow, improving scalability while reducing setup complexity.
How certificate-based authentication works:
Certificate-based authentication for SSH uses public-key cryptography to authenticate users. A certificate authority (CA) issues a certificate containing the user's public key and identity information, signed with the CA's private key. The user presents the certificate to the server during authentication. The server verifies that the certificate was signed by a trusted CA and that the user holds the private key matching the public key in the certificate (the private key stored on the user's system). Once verified, the user is granted access to the server.
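To make the server side of that flow concrete, here is an added example (not code from the original article or from Smallstep) that builds an OpenSSH user certificate in the ssh-ed25519-cert-v01@openssh.com wire format, parses it back, and applies the policy checks a host makes: the signing CA must be on the trusted list, the requested username must be a listed principal, and the current time must fall inside the validity window. The key bytes and the signature are constructed placeholders; verifying the CA's signature over the returned signed_data, and the client's proof of possession of the private key, are left to the SSH protocol and a real cryptography library and are deliberately not performed here.

```python
import base64
import hashlib
import struct

USER_CERT = 1                                         # type field: 1 = user cert, 2 = host cert
CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"

def _string(b: bytes) -> bytes:
    """Encode an SSH wire 'string': uint32 big-endian length prefix + bytes."""
    return struct.pack(">I", len(b)) + b

class _Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def _take(self, n: int) -> bytes:               # raises ValueError on truncated input
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated certificate")
        self.pos += n
        return chunk

    def uint(self, size: int) -> int:                 # size 4 -> uint32, size 8 -> uint64
        return int.from_bytes(self._take(size), "big")

    def string(self) -> bytes:
        return self._take(self.uint(4))

def ed25519_key_blob(raw_pub: bytes) -> bytes:
    """Wire encoding of an ssh-ed25519 public key, the form stored inside certificates."""
    return _string(b"ssh-ed25519") + _string(raw_pub)

def ssh_fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA-256 of the wire-encoded key, base64 without padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(key_blob).digest()).decode().rstrip("=")

def build_user_cert(ca_raw_pub, user_raw_pub, key_id, principals, valid_after, valid_before, signature):
    """Assemble a user certificate; the CA's signature covers everything before the last field."""
    body = (
        _string(CERT_TYPE)
        + _string(b"\x00" * 32)                       # nonce (a real CA uses random bytes)
        + _string(user_raw_pub)
        + struct.pack(">Q", 1)                        # serial
        + struct.pack(">I", USER_CERT)
        + _string(key_id.encode())
        + _string(b"".join(_string(p.encode()) for p in principals))
        + struct.pack(">QQ", valid_after, valid_before)
        + _string(b"") + _string(b"") + _string(b"")  # critical options, extensions, reserved
        + _string(ed25519_key_blob(ca_raw_pub))       # signature key = the CA's public key
    )
    return body + _string(_string(b"ssh-ed25519") + _string(signature))

def parse_cert(blob: bytes) -> dict:
    """Decode the fields a host needs, plus the exact bytes the CA signature covers."""
    r = _Reader(blob)
    if r.string() != CERT_TYPE:
        raise ValueError("not an ssh-ed25519 certificate")
    r.string()                                        # nonce
    user_pub = r.string()
    serial, cert_type, key_id = r.uint(8), r.uint(4), r.string().decode()
    principals, pr = [], _Reader(r.string())
    while pr.pos < len(pr.data):
        principals.append(pr.string().decode())
    valid_after, valid_before = r.uint(8), r.uint(8)
    r.string(); r.string(); r.string()                # critical options, extensions, reserved
    ca_blob = r.string()
    signed_data = blob[:r.pos]                        # input to signature verification
    sig = _Reader(r.string())
    sig_alg, signature = sig.string(), sig.string()
    if r.pos != len(blob):
        raise ValueError("trailing bytes after signature")
    return {"type": cert_type, "serial": serial, "key_id": key_id, "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before, "user_pub": user_pub,
            "ca_fingerprint": ssh_fingerprint(ca_blob), "signed_data": signed_data,
            "signature_alg": sig_alg.decode(), "signature": signature}

def authorize(blob: bytes, trusted_ca_fingerprints: set, username: str, now: int):
    """Policy checks a host applies to a presented user certificate. Signature verification
    over signed_data and proof of possession of user_pub are out of scope here."""
    try:
        c = parse_cert(blob)
    except ValueError as e:
        return False, f"malformed certificate: {e}"
    if c["type"] != USER_CERT:
        return False, "not a user certificate"
    if c["ca_fingerprint"] not in trusted_ca_fingerprints:
        return False, "signing CA is not trusted"
    if not c["principals"]:                           # never treat an empty list as a wildcard
        return False, "certificate lists no principals"
    if username not in c["principals"]:
        return False, f"{username!r} is not a listed principal"
    if not (c["valid_after"] <= now < c["valid_before"]):
        return False, "outside validity window"
    return True, f"accepted key id {c['key_id']!r} (serial {c['serial']})"
```

A typical run builds a certificate for principal alice with a 16-hour window, trusts the CA by the fingerprint of its wire-encoded key, and then calls authorize for alice inside the window (accepted), for alice at exactly valid_before (rejected, the end is exclusive) and for bob (rejected, not a principal). The empty-principal case is rejected outright rather than treated as "any user", so a CA misconfiguration cannot silently widen access.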
Step CLI and step-ca
Step is an easy-to-use CLI tool for building, operating, and automating Public Key Infrastructure (PKI) systems and workflows. It acts as a front-end interface to Smallstep Certificate Manager and step-ca.
Step-ca is an online Certificate Authority (CA) for secure, automated X.509 and SSH certificate management. It is the server counterpart to the step CLI. It is secured with TLS and offers several configurable certificate provisioners, including OAuth/OIDC single sign-on.
You can find out more at their official site: https://smallstep.com
Demo setup:
Scripts can be found at:
http://gist.github.com/tashian/244fc69ccb7ceec433c7811e91cbf0b7
https://gist.github.com/tashian/fde43668cbf6e3227fb13ef51db650b8
Google Cloud Platform:
· Set up a domain and create users on GCP.
· Create OAuth consent screen.
· Get OAuth credentials:
o Client ID, Client Secret
AWS ec2:
· Start two Ubuntu EC2 instances (CA server and host server).
· Assign both instances to a security group with SSH and HTTPS allowed.
· Create a client instance or use your local machine as the client.
On CA server:
· Run the init_aws_ca.sh script as root
· Get CA fingerprint:
o cd /etc/step-ca/certs
o step certificate fingerprint root_ca.crt
On Host:
· Create user accounts:
o adduser --quiet --disabled-password --gecos '' <username>
· Run the init_aws_ssh_host.sh script as root
On Client:
· Install the step CLI and add it to PATH:
o https://smallstep.com/docs/step-cli/installation
· Bootstrap the CA (connect to and trust our CA server):
o export CA_URL="<https url of CA>"
o export CA_FINGERPRINT="<CA fingerprint>"
o step ca bootstrap --ca-url "$CA_URL" --fingerprint "$CA_FINGERPRINT"
· step ssh login (log in via SSO)
o Certificate expires in 16 hours
· step ssh hosts (list available hosts)
· ssh username@host (connect to a host)
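The bootstrap step above is the point where the client decides whether to trust the CA at all: the only thing protecting it from a spoofed CA server is the fingerprint copied out of band from the CA host. As an added example (not code from the article or from Smallstep), the following reimplements that pinning check: decode the downloaded root_ca.crt from PEM to DER, compute the hex SHA-256 of the DER bytes (this example assumes that is the value step certificate fingerprint prints by default), and compare it in constant time against the fingerprint the administrator supplied. The sample certificate body is constructed placeholder bytes wrapped in PEM armor, not a real X.509 certificate.

```python
import base64
import hashlib
import hmac
import re

_PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block and base64-decode it to DER."""
    m = _PEM_CERT.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def pem_from_der(der: bytes) -> str:
    """Wrap DER bytes in PEM armor (used here only to build the constructed sample)."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"

def root_fingerprint(der: bytes) -> str:
    """Hex SHA-256 over the DER certificate (assumed to match step's default fingerprint)."""
    return hashlib.sha256(der).hexdigest()

def normalize(fp: str) -> str:
    """Accept the fingerprint as copied from the CA admin: any case, with or without colons."""
    return fp.strip().lower().replace(":", "")

def trust_root(pem: str, expected_fingerprint: str) -> bool:
    """Bootstrap decision: trust the downloaded root only if its fingerprint equals the one
    obtained out of band. Constant-time comparison avoids leaking how many bytes matched."""
    got = root_fingerprint(pem_to_der(pem))
    return hmac.compare_digest(got, normalize(expected_fingerprint))

# Constructed sample: placeholder bytes standing in for the DER of root_ca.crt.
SAMPLE_DER = b"placeholder DER bytes standing in for root_ca.crt"
SAMPLE_PEM = pem_from_der(SAMPLE_DER)
SAMPLE_FINGERPRINT = root_fingerprint(SAMPLE_DER)    # what the CA admin would hand over
```

If trust_root returns False the client must stop and not write the root into its trust store; a mismatch means either a copy error in the fingerprint or a different certificate than the one the CA administrator generated, and neither case should be "fixed" by retrying without the fingerprint.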