This example shows how to use `step-ca` for SSH certificate authentication, driven by the `step` CLI's `ssh` sub-command. It covers:

- `step-ca` issuing SSH host and user certificates.
- `sshd` configured to accept user certificates for client authentication using a CA key.
- `sshd` configured to present a host certificate for host authentication on the client side.
- `ssh` configured to accept host certificates signed by a CA key.
- `ssh` configured to present a user certificate for authentication on the server side.
You will need `step` v0.13.3+ (see the installation docs) and Vagrant (plus a provider like VirtualBox) installed locally.

We will use `ssh` to connect to a Vagrant VM (representing a remote host) that has `sshd` pre-configured to accept user certificates signed by our CA.
For the client to trust host certificates signed by our CA, the CA's host public key must be present in the `known_hosts` file. That key is stored as `step/certs/ssh_host_key.pub` in this repo.

The host certificate is issued for the hostname `testhost`, which is why the following entry must be added to the local `/etc/hosts` file on the VM:

`sshd` runs on `testhost`, the VM generated by Vagrant. Please note that for demo purposes the PKI is shared with the VM using a shared directory mount. Below you can see the relevant lines from the `testhost` VM's `sshd_config`:
Next we will log in to the `testhost` VM. Using the `step` CLI we will authenticate with our SSH-enabled CA and fetch a new SSH certificate (the provisioner password is `password`):

`step-ca` enforces authentication for all certificate requests and uses the concept of provisioners to carry out this enforcement. Provisioners are configured in `step/config/ca.json`. Authenticating as one of the sanctioned provisioners indicates to `step-ca` that you have the right to provision new certificates. In the above invocation of `step ssh certificate` we have authenticated our request using a JWK provisioner, which simply requires a password to decrypt a private key. However, there are a handful of supported provisioners, each with its own authentication methods. The OIDC provisioner is particularly interesting for SSH user certificates because it enables Single Sign-On SSH.

`step ssh certificate` adds the new SSH user certificate to your local ssh agent. The default lifetime of an SSH certificate from `step-ca` is 4 hrs. The lifetime can be configured using command line options (run `step ssh certificate -h` for documentation and examples).

The `testhost` VM will welcome you with a matching `testuser@testhost` prompt.
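As an added illustration (not code from this repo or from smallstep), the Python script below reproduces the policy checks `sshd` makes on a user certificate and `ssh` makes on a host certificate before trusting it: certificate type, principal membership, and the validity window (a 4-hour user certificate in the constructed sample). It assembles an unsigned, placeholder OpenSSH certificate body in the v01 wire format and then parses it; signature verification against the CA key is deliberately left out.

```python
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
USER, HOST = 1, 2  # certificate type codes in the OpenSSH certificate format

def _s(b):  # SSH "string": big-endian uint32 length prefix + bytes
    return struct.pack(">I", len(b)) + b

def _read(buf, pos):  # inverse of _s: returns (bytes, next position)
    (n,) = struct.unpack_from(">I", buf, pos)
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def build_cert(key_id, principals, valid_after, valid_before, cert_type=USER):
    """Constructed, UNSIGNED certificate body in the OpenSSH v01 layout. Key and
    signature fields are placeholders, so sshd would reject it; it only feeds parse_cert."""
    body = _s(CERT_TYPE) + _s(b"\x00" * 32) + _s(b"\x00" * 32)  # type, nonce, subject key
    body += struct.pack(">QI", 1, cert_type) + _s(key_id.encode())  # serial, type, key id
    body += _s(b"".join(_s(p.encode()) for p in principals))
    body += struct.pack(">QQ", valid_after, valid_before)
    body += _s(b"") + _s(b"") + _s(b"")  # critical options, extensions, reserved
    return body + _s(b"ca-key-placeholder") + _s(b"signature-placeholder")

def parse_cert(blob):
    """Return the policy-relevant fields: serial, type, key_id, principals, validity."""
    ctype, pos = _read(blob, 0)
    if ctype != CERT_TYPE:
        raise ValueError("unsupported certificate type: %r" % ctype)
    for _ in range(2):  # skip nonce and subject public key
        _, pos = _read(blob, pos)
    serial, type_code = struct.unpack_from(">QI", blob, pos)
    key_id, pos = _read(blob, pos + 12)
    packed, pos = _read(blob, pos)
    principals, p = [], 0
    while p < len(packed):  # the principal list is itself a sequence of SSH strings
        name, p = _read(packed, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", blob, pos)
    return {"serial": serial, "type": type_code, "key_id": key_id.decode(),
            "principals": principals, "valid_after": valid_after, "valid_before": valid_before}

def check_cert(blob, expected_type, principal, now):
    """Checks ssh/sshd apply: right type, principal listed, now in [valid_after, valid_before)."""
    c = parse_cert(blob)
    if c["type"] != expected_type:
        return "wrong certificate type"
    if principal not in c["principals"]:
        return "principal not listed"
    if not (c["valid_after"] <= now < c["valid_before"]):
        return "outside validity window"
    return "ok"
```

A user certificate is rejected the moment `now` reaches `valid_before`, which is why a 4-hour certificate quietly stops working on the next connection attempt rather than mid-session.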
For more, see the `step` CLI reference at https://smallstep.com/docs/cli/ssh/.

For host certificates, `--principal` identifies the hostname(s) (ideally FQDNs) for the machine. For a single principal you can shortcut the command to:

You can initialize `step-ca` with both X.509 and SSH certificates using the following command:

You can also run `step-ca` with your own PKI like so:

If the CA keys `ssh_host_key.pub` and `ssh_user_key.pub` change, you will have to reconfigure `ssh` and `sshd` for clients and hosts to accept the new CA keys. Check out this host bootstrapping script for configuration examples.