🍃

step-ca で ssh証明書を扱う

2024/12/29に公開

参考

https://smallstep.com/docs/step-ca/basic-certificate-authority-operations/

環境

環境は https://zenn.dev/mnod/articles/1864e73b736569 と同等。

初期化

--ssh オプションを指定して初期化する

# step ca init --ssh
_ Deployment Type: Standalone
What would you like to name your new PKI?
_ (e.g. Smallstep): test-ca
What DNS names or IP addresses will clients use to reach your CA?
_ (e.g. ca.example.com[,10.1.2.3,etc.]): 127.0.0.1
What IP and port will your new CA bind to? (:443 will bind to 0.0.0.0:443)
_ (e.g. :443 or 127.0.0.1:443): :443
What would you like to name the CA's first provisioner?
_ (e.g. you@smallstep.com): test@example.com
Choose a password for your CA keys and first provisioner.
_ [leave empty and we'll generate one]: _

Generating root certificate... done!
Generating intermediate certificate... done!
Generating user and host SSH certificate signing keys... done!

_ Root certificate: /root/.step/certs/root_ca.crt
_ Root private key: /root/.step/secrets/root_ca_key
_ Root fingerprint: 54b2caf0697f348fc1661f543fc01c4bf54f6227f072c3e77ac476ba8fb19778
_ Intermediate certificate: /root/.step/certs/intermediate_ca.crt
_ Intermediate private key: /root/.step/secrets/intermediate_ca_key
_ SSH user public key: /root/.step/certs/ssh_user_ca_key.pub
_ SSH user private key: /root/.step/secrets/ssh_user_ca_key
_ SSH host public key: /root/.step/certs/ssh_host_ca_key.pub
_ SSH host private key: /root/.step/secrets/ssh_host_ca_key
_ Database folder: /root/.step/db
_ Templates folder: /root/.step/templates
_ Default configuration: /root/.step/config/defaults.json
_ Certificate Authority configuration: /root/.step/config/ca.json

Your PKI is ready to go. To generate certificates for individual services see 'step help ca'.

FEEDBACK __ __
  The step utility is not instrumented for usage statistics. It does not phone
  home. But your feedback is extremely valuable. Any information you can provide
  regarding how you_re using `step` helps. Please send us a sentence or two,
  good or bad at feedback@smallstep.com or join GitHub Discussions
  https://github.com/smallstep/certificates/discussions and our Discord
  https://u.step.sm/discord.

起動

step-ca を起動する

# echo password >> ~/.step/config/.incapassword
# chmod 600 ~/.step/config/.incapassword

# step-ca --password-file ~/.step/config/.incapassword ~/.step/config/ca.json

CA公開鍵の出力

以下でCA公開鍵を出力できる

# step ssh config --roots > ca.key.pub.pub

# cat ca.key.pub.pub
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDEGVm5QBkO/yRyYmB4bI7e+4IJRrRqGqP3H+719XJOOJVcuurwZU8F2YZeysoLDIeddw5Jnr4JZ8NZvVHTsubo=

CA公開鍵を ssh サーバへ登録する

# ls -l /etc/ssh/ca.key.pub.pub
-rw-r--r-- 1 root root 161 Dec 27 23:41 /etc/ssh/ca.key.pub.pub

# cat << EOF >> /etc/ssh/sshd_config
TrustedUserCAKeys /etc/ssh/ca.key.pub.pub
EOF

# systemctl restart ssh.service

クライアント証明書の生成

以下で、クライアント用のssh秘密鍵ペアと証明書を生成する
(ssh agent が利用できれば便利らしい)

# step ssh certificate debian@192.168.11.125 id_ecdsa
_ Provisioner: test@example.com (JWK) [kid: 5kDPDXgq7OrqePmDFVKvJ9GRn8qvP1Ixd3uj4W_9ANs]
Please enter the password to decrypt the provisioner key:
_ CA: https://127.0.0.1
Please enter the password to encrypt the private key:
_ Private Key: id_ecdsa
_ Public Key: id_ecdsa.pub
_ Certificate: id_ecdsa-cert.pub
_ SSH Agent: error connecting with ssh-agent: dial unix: missing address

クライアント証明書の内容を確認する

# ls -l id_ecdsa*
-rw-------    1 root     root           538 Dec 27 23:44 id_ecdsa
-rw-r--r--    1 root     root           876 Dec 27 23:44 id_ecdsa-cert.pub
-rw-r--r--    1 root     root           183 Dec 27 23:44 id_ecdsa.pub
# cat id_ecdsa-cert.pub
ecdsa-sha2-nistp256-cert-v01@openssh.com AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgRm5PWkVdQmFLJ2VhTFh4SilcKkRoejlraTY+VXVFIkcAAAAIbmlzdHAyNTYAAABBBMtFQZtnYhabNp4kaIXJDFyVOtcNRiMAXEJVPwKQ9qgNg2y2bupBaM5/Iar0sa0s0FL6d+++iZ1tbrqfHeG1k2YTeTaphuLJ9wAAAAEAAAAVZGViaWFuQDE5Mi4xNjguMTEuMTI1AAAAIwAAAAZkZWJpYW4AAAAVZGViaWFuQDE5Mi4xNjguMTEuMTI1AAAAAGdvO6cAAAAAZ3Ac4wAAAAAAAACCAAAAFXBlcm1pdC1YMTEtZm9yd2FyZGluZwAAAAAAAAAXcGVybWl0LWFnZW50LWZvcndhcmRpbmcAAAAAAAAAFnBlcm1pdC1wb3J0LWZvcndhcmRpbmcAAAAAAAAACnBlcm1pdC1wdHkAAAAAAAAADnBlcm1pdC11c2VyLXJjAAAAAAAAAAAAAABoAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDEGVm5QBkO/yRyYmB4bI7e+4IJRrRqGqP3H+719XJOOJVcuurwZU8F2YZeysoLDIeddw5Jnr4JZ8NZvVHTsuboAAABkAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAABJAAAAICQDJCiflfl4PvqIGDFrjHtDlu5ccax6vmMjYGrTdE6EAAAAIQDj2fy+soxStp5CQgVluQoGei6zgGNZw4+TIj9d3tA+Rw== debian@192.168.11.125

# cat id_ecdsa-cert.pub | step ssh inspect
-:
        Type: ecdsa-sha2-nistp256-cert-v01@openssh.com user certificate
        Public key: ECDSA-CERT SHA256:gPAYnAg8E6kXBKKxmaVGI3NIN+gMP+xZvWuvpsu6psU
        Signing CA: ECDSA SHA256:yaD4MmC/RQNPglllv5F6Exy42za73TgDJyIObLokTe4 (using ecdsa-sha2-nistp256)
        Key ID: "debian@192.168.11.125"
        Serial: 1403212860643002871
        Valid: from 2024-12-27T23:43:35 to 2024-12-28T15:44:35
        Principals:
                debian
                debian@192.168.11.125
        Critical Options: (none)
        Extensions:
                permit-user-rc
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
        Signature:
                00:00:00:20:24:03:24:28:9f:95:f9:78:3e:fa:88:18:
                31:6b:8c:7b:43:96:ee:5c:71:ac:7a:be:63:23:60:6a:
                d3:74:4e:84:00:00:00:21:00:e3:d9:fc:be:b2:8c:52:
                b6:9e:42:42:05:65:b9:0a:06:7a:2e:b3:80:63:59:c3:
                8f:93:22:3f:5d:de:d0:3e:47

ホスト公開鍵へ署名

# ls -l ssh_host_ecdsa_key.pub
-rw-r--r--    1 root     root           176 Dec 27 23:51 ssh_host_ecdsa_key.pub

# step ssh certificate --host --sign 192.168.11.125 ssh_host_ecdsa_key.pub
_ Provisioner: test@example.com (JWK) [kid: 5kDPDXgq7OrqePmDFVKvJ9GRn8qvP1Ixd3uj4W_9ANs]
Please enter the password to decrypt the provisioner key:
_ CA: https://127.0.0.1
_ Certificate: ssh_host_ecdsa_key-cert.pub

署名された証明書を確認する。
期限が1日なので、自動更新の仕組みを考慮する必要がある。(詳細は参考サイトを参照)

# ls -l ssh_host_ecdsa_key*
-rw-r--r--    1 root     root           661 Dec 27 23:52 ssh_host_ecdsa_key-cert.pub
-rw-r--r--    1 root     root           176 Dec 27 23:51 ssh_host_ecdsa_key.pub

# cat ssh_host_ecdsa_key-cert.pub | step ssh inspect
-:
        Type: ecdsa-sha2-nistp256-cert-v01@openssh.com host certificate
        Public key: ECDSA-CERT SHA256:VIP7uWbNNlE1AzHT+fTfZCaO4PavHD5/styImJWLk8A
        Signing CA: ECDSA SHA256:Z0ZYWAPi4/7Jp0TYC3iK8Bh6RKumdL15BSPUaaH3aGw (using ecdsa-sha2-nistp256)
        Key ID: "192.168.11.125"
        Serial: 8731224396308700903
        Valid: from 2024-12-27T23:51:14 to 2025-01-26T23:52:14
        Principals:
                192.168.11.125
        Critical Options: (none)
        Extensions: (none)
        Signature:
                00:00:00:20:2a:1d:99:6b:4b:fd:ca:19:bc:9b:b2:32:
                23:70:89:f6:18:3d:45:08:66:09:01:98:96:7e:c5:d4:
                44:e8:22:22:00:00:00:20:75:f8:22:d6:f6:ce:6d:49:
                8e:65:6f:4a:40:17:55:72:eb:eb:d1:09:87:fa:8e:65:
                b6:21:8a:f5:31:34:06:56

ホスト公開鍵と証明書を ssh サーバへ登録する

# cat <<EOF | sudo tee -a /etc/ssh/sshd_config
HostKey /etc/ssh/ssh_host_ecdsa_key
HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub
EOF

# systemctl restart ssh.service

ホスト署名公開鍵を出力

# step ssh config --host --roots
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIo8xNcYRcY8POhkFaxkFsXVB0LV1vnNuWnX9xqmIc/wYlMLnrArj3+LlQzbJl/qLanGLTn3s2umG1ZBZ9LUvrM=

これを以下の要領で known_hosts ファイルへ記載する

known_hosts
@cert-authority 192.168.11.125 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIo8xNcYRcY8POhkFaxkFsXVB0LV1vnNuWnX9xqmIc/wYlMLnrArj3+LlQzbJl/qLanGLTn3s2umG1ZBZ9LUvrM=

接続テスト

以下の ssh_config ファイルを作成して利用する

ssh_config
Host 192.168.11.125
    HostName 192.168.11.125
    User debian
    IdentityFile ./id_ecdsa
    CertificateFile ./id_ecdsa-cert.pub
    UserKnownHostsFile ./known_hosts
$ ssh -F ssh_config -v 192.168.11.125
:
debug1: Server host certificate: ecdsa-sha2-nistp256-cert-v01@openssh.com SHA256:VIP7uWbNNlE1AzHT+fTfZCaO4PavHD5/styImJWLk8A, serial 8731224396308700903 ID "192.168.11.125" CA ecdsa-sha2-nistp256 SHA256:Z0ZYWAPi4/7Jp0TYC3iK8Bh6RKumdL15BSPUaaH3aGw valid from 2024-12-28T08:51:14 to 2025-01-27T08:52:14
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '192.168.11.125' is known and matches the ECDSA-CERT host certificate.
debug1: Found CA key in ./known_hosts:1
:
debug1: Will attempt key: ./id_ecdsa-cert.pub ECDSA-CERT SHA256:gPAYnAg8E6kXBKKxmaVGI3NIN+gMP+xZvWuvpsu6psU explicit
debug1: Will attempt key: ./id_ecdsa ECDSA SHA256:gPAYnAg8E6kXBKKxmaVGI3NIN+gMP+xZvWuvpsu6psU explicit
:
debug1: Offering public key: ./id_ecdsa-cert.pub ECDSA-CERT SHA256:gPAYnAg8E6kXBKKxmaVGI3NIN+gMP+xZvWuvpsu6psU explicit
debug1: Server accepts key: ./id_ecdsa-cert.pub ECDSA-CERT SHA256:gPAYnAg8E6kXBKKxmaVGI3NIN+gMP+xZvWuvpsu6psU explicit
Enter passphrase for key './id_ecdsa':
:

GitHubで編集を提案

Discussion