🍃
step-ca で ssh証明書を扱う
参考
環境
環境は https://zenn.dev/mnod/articles/1864e73b736569 と同等。
初期化
--ssh
オプションを指定して初期化する
# step ca init --ssh
_ Deployment Type: Standalone
What would you like to name your new PKI?
_ (e.g. Smallstep): test-ca
What DNS names or IP addresses will clients use to reach your CA?
_ (e.g. ca.example.com[,10.1.2.3,etc.]): 127.0.0.1
What IP and port will your new CA bind to? (:443 will bind to 0.0.0.0:443)
_ (e.g. :443 or 127.0.0.1:443): :443
What would you like to name the CA's first provisioner?
_ (e.g. you@smallstep.com): test@example.com
Choose a password for your CA keys and first provisioner.
_ [leave empty and we'll generate one]: _
Generating root certificate... done!
Generating intermediate certificate... done!
Generating user and host SSH certificate signing keys... done!
_ Root certificate: /root/.step/certs/root_ca.crt
_ Root private key: /root/.step/secrets/root_ca_key
_ Root fingerprint: 54b2caf0697f348fc1661f543fc01c4bf54f6227f072c3e77ac476ba8fb19778
_ Intermediate certificate: /root/.step/certs/intermediate_ca.crt
_ Intermediate private key: /root/.step/secrets/intermediate_ca_key
_ SSH user public key: /root/.step/certs/ssh_user_ca_key.pub
_ SSH user private key: /root/.step/secrets/ssh_user_ca_key
_ SSH host public key: /root/.step/certs/ssh_host_ca_key.pub
_ SSH host private key: /root/.step/secrets/ssh_host_ca_key
_ Database folder: /root/.step/db
_ Templates folder: /root/.step/templates
_ Default configuration: /root/.step/config/defaults.json
_ Certificate Authority configuration: /root/.step/config/ca.json
Your PKI is ready to go. To generate certificates for individual services see 'step help ca'.
FEEDBACK __ __
The step utility is not instrumented for usage statistics. It does not phone
home. But your feedback is extremely valuable. Any information you can provide
regarding how you_re using `step` helps. Please send us a sentence or two,
good or bad at feedback@smallstep.com or join GitHub Discussions
https://github.com/smallstep/certificates/discussions and our Discord
https://u.step.sm/discord.
起動
step-ca を起動する
# echo password >> ~/.step/config/.incapassword
# chmod 600 ~/.step/config/.incapassword
# step-ca --password-file ~/.step/config/.incapassword ~/.step/config/ca.json
CA公開鍵の出力
以下でCA公開鍵を出力できる
# step ssh config --roots > ca.key.pub.pub
# cat ca.key.pub.pub
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDEGVm5QBkO/yRyYmB4bI7e+4IJRrRqGqP3H+719XJOOJVcuurwZU8F2YZeysoLDIeddw5Jnr4JZ8NZvVHTsubo=
CA公開鍵を ssh サーバへ登録する
# ls -l /etc/ssh/ca.key.pub.pub
-rw-r--r-- 1 root root 161 Dec 27 23:41 /etc/ssh/ca.key.pub.pub
# cat << EOF >> /etc/ssh/sshd_config
TrustedUserCAKeys /etc/ssh/ca.key.pub.pub
EOF
# systemctl restart ssh.service
クライアント証明書の生成
以下で、クライアント用のssh秘密鍵ペアと証明書を生成する
(ssh agent が利用できれば便利らしい)
# step ssh certificate debian@192.168.11.125 id_ecdsa
_ Provisioner: test@example.com (JWK) [kid: 5kDPDXgq7OrqePmDFVKvJ9GRn8qvP1Ixd3uj4W_9ANs]
Please enter the password to decrypt the provisioner key:
_ CA: https://127.0.0.1
Please enter the password to encrypt the private key:
_ Private Key: id_ecdsa
_ Public Key: id_ecdsa.pub
_ Certificate: id_ecdsa-cert.pub
_ SSH Agent: error connecting with ssh-agent: dial unix: missing address
クライアント証明書の内容を確認する
# ls -l id_ecdsa*
-rw------- 1 root root 538 Dec 27 23:44 id_ecdsa
-rw-r--r-- 1 root root 876 Dec 27 23:44 id_ecdsa-cert.pub
-rw-r--r-- 1 root root 183 Dec 27 23:44 id_ecdsa.pub
# cat id_ecdsa-cert.pub
ecdsa-sha2-nistp256-cert-v01@openssh.com AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgRm5PWkVdQmFLJ2VhTFh4SilcKkRoejlraTY+VXVFIkcAAAAIbmlzdHAyNTYAAABBBMtFQZtnYhabNp4kaIXJDFyVOtcNRiMAXEJVPwKQ9qgNg2y2bupBaM5/Iar0sa0s0FL6d+++iZ1tbrqfHeG1k2YTeTaphuLJ9wAAAAEAAAAVZGViaWFuQDE5Mi4xNjguMTEuMTI1AAAAIwAAAAZkZWJpYW4AAAAVZGViaWFuQDE5Mi4xNjguMTEuMTI1AAAAAGdvO6cAAAAAZ3Ac4wAAAAAAAACCAAAAFXBlcm1pdC1YMTEtZm9yd2FyZGluZwAAAAAAAAAXcGVybWl0LWFnZW50LWZvcndhcmRpbmcAAAAAAAAAFnBlcm1pdC1wb3J0LWZvcndhcmRpbmcAAAAAAAAACnBlcm1pdC1wdHkAAAAAAAAADnBlcm1pdC11c2VyLXJjAAAAAAAAAAAAAABoAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDEGVm5QBkO/yRyYmB4bI7e+4IJRrRqGqP3H+719XJOOJVcuurwZU8F2YZeysoLDIeddw5Jnr4JZ8NZvVHTsuboAAABkAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAABJAAAAICQDJCiflfl4PvqIGDFrjHtDlu5ccax6vmMjYGrTdE6EAAAAIQDj2fy+soxStp5CQgVluQoGei6zgGNZw4+TIj9d3tA+Rw== debian@192.168.11.125
# cat id_ecdsa-cert.pub | step ssh inspect
-:
Type: ecdsa-sha2-nistp256-cert-v01@openssh.com user certificate
Public key: ECDSA-CERT SHA256:gPAYnAg8E6kXBKKxmaVGI3NIN+gMP+xZvWuvpsu6psU
Signing CA: ECDSA SHA256:yaD4MmC/RQNPglllv5F6Exy42za73TgDJyIObLokTe4 (using ecdsa-sha2-nistp256)
Key ID: "debian@192.168.11.125"
Serial: 1403212860643002871
Valid: from 2024-12-27T23:43:35 to 2024-12-28T15:44:35
Principals:
debian
debian@192.168.11.125
Critical Options: (none)
Extensions:
permit-user-rc
permit-X11-forwarding
permit-agent-forwarding
permit-port-forwarding
permit-pty
Signature:
00:00:00:20:24:03:24:28:9f:95:f9:78:3e:fa:88:18:
31:6b:8c:7b:43:96:ee:5c:71:ac:7a:be:63:23:60:6a:
d3:74:4e:84:00:00:00:21:00:e3:d9:fc:be:b2:8c:52:
b6:9e:42:42:05:65:b9:0a:06:7a:2e:b3:80:63:59:c3:
8f:93:22:3f:5d:de:d0:3e:47
ホスト公開鍵へ署名
# ls -l ssh_host_ecdsa_key.pub
-rw-r--r-- 1 root root 176 Dec 27 23:51 ssh_host_ecdsa_key.pub
# step ssh certificate --host --sign 192.168.11.125 ssh_host_ecdsa_key.pub
_ Provisioner: test@example.com (JWK) [kid: 5kDPDXgq7OrqePmDFVKvJ9GRn8qvP1Ixd3uj4W_9ANs]
Please enter the password to decrypt the provisioner key:
_ CA: https://127.0.0.1
_ Certificate: ssh_host_ecdsa_key-cert.pub
署名された証明書を確認する。
期限が1日なので、自動更新の仕組みを考慮する必要がある。(詳細は参考サイトを参照)
# ls -l ssh_host_ecdsa_key*
-rw-r--r-- 1 root root 661 Dec 27 23:52 ssh_host_ecdsa_key-cert.pub
-rw-r--r-- 1 root root 176 Dec 27 23:51 ssh_host_ecdsa_key.pub
# cat ssh_host_ecdsa_key-cert.pub | step ssh inspect
-:
Type: ecdsa-sha2-nistp256-cert-v01@openssh.com host certificate
Public key: ECDSA-CERT SHA256:VIP7uWbNNlE1AzHT+fTfZCaO4PavHD5/styImJWLk8A
Signing CA: ECDSA SHA256:Z0ZYWAPi4/7Jp0TYC3iK8Bh6RKumdL15BSPUaaH3aGw (using ecdsa-sha2-nistp256)
Key ID: "192.168.11.125"
Serial: 8731224396308700903
Valid: from 2024-12-27T23:51:14 to 2025-01-26T23:52:14
Principals:
192.168.11.125
Critical Options: (none)
Extensions: (none)
Signature:
00:00:00:20:2a:1d:99:6b:4b:fd:ca:19:bc:9b:b2:32:
23:70:89:f6:18:3d:45:08:66:09:01:98:96:7e:c5:d4:
44:e8:22:22:00:00:00:20:75:f8:22:d6:f6:ce:6d:49:
8e:65:6f:4a:40:17:55:72:eb:eb:d1:09:87:fa:8e:65:
b6:21:8a:f5:31:34:06:56
ホスト公開鍵と証明書を ssh サーバへ登録する
# cat <<EOF | sudo tee -a /etc/ssh/sshd_config
HostKey /etc/ssh/ssh_host_ecdsa_key
HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub
EOF
# systemctl restart ssh.service
ホスト署名公開鍵を出力
# step ssh config --host --roots
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIo8xNcYRcY8POhkFaxkFsXVB0LV1vnNuWnX9xqmIc/wYlMLnrArj3+LlQzbJl/qLanGLTn3s2umG1ZBZ9LUvrM=
これを以下の要領で known_hosts ファイルへ記載する
known_hosts
@cert-authority 192.168.11.125 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIo8xNcYRcY8POhkFaxkFsXVB0LV1vnNuWnX9xqmIc/wYlMLnrArj3+LlQzbJl/qLanGLTn3s2umG1ZBZ9LUvrM=
接続テスト
以下の ssh_config ファイルを作成して利用する
ssh_config
Host 192.168.11.125
HostName 192.168.11.125
User debian
IdentityFile ./id_ecdsa
CertificateFile ./id_ecdsa-cert.pub
UserKnownHostsFile ./known_hosts
$ ssh -F ssh_config -v 192.168.11.125
:
debug1: Server host certificate: ecdsa-sha2-nistp256-cert-v01@openssh.com SHA256:VIP7uWbNNlE1AzHT+fTfZCaO4PavHD5/styImJWLk8A, serial 8731224396308700903 ID "192.168.11.125" CA ecdsa-sha2-nistp256 SHA256:Z0ZYWAPi4/7Jp0TYC3iK8Bh6RKumdL15BSPUaaH3aGw valid from 2024-12-28T08:51:14 to 2025-01-27T08:52:14
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '192.168.11.125' is known and matches the ECDSA-CERT host certificate.
debug1: Found CA key in ./known_hosts:1
:
debug1: Will attempt key: ./id_ecdsa-cert.pub ECDSA-CERT SHA256:gPAYnAg8E6kXBKKxmaVGI3NIN+gMP+xZvWuvpsu6psU explicit
debug1: Will attempt key: ./id_ecdsa ECDSA SHA256:gPAYnAg8E6kXBKKxmaVGI3NIN+gMP+xZvWuvpsu6psU explicit
:
debug1: Offering public key: ./id_ecdsa-cert.pub ECDSA-CERT SHA256:gPAYnAg8E6kXBKKxmaVGI3NIN+gMP+xZvWuvpsu6psU explicit
debug1: Server accepts key: ./id_ecdsa-cert.pub ECDSA-CERT SHA256:gPAYnAg8E6kXBKKxmaVGI3NIN+gMP+xZvWuvpsu6psU explicit
Enter passphrase for key './id_ecdsa':
:
Discussion