Close
logodocs

SSH Certificate Auth

Switching to SSH certificate authentication frees you from the burden of managing unique key pairs for each of your servers. By using a certificate authority managed by strongDM, every connection is secured with a short-lived private/public key pair. This eliminates the risk of lost keys being compromised.

Review strongDM CA Public Key

Every organization in strongDM is automatically assigned a unique CA (certificate authority). This is a cryptographic key pair in charge of issuing and validating certificates for every SSH session. You will need to add the CA's public key as a trusted source on any hosts you want to access with this option.

The CA public key can be seen under Settings > SSH

Public Key
Public Key

Only 1 active CA is permitted per organization. If the CA is rotated, all SSH sessions using the existing CA will be terminated. Please rotate with caution.

Adding the strongDM CA to your hosts

Next we will let your host know to trust certificates issued by your organization's CA.

  1. Create a file named /etc/ssh/sdm_ca.pub and add the CA public key shown in the previous section.
  2. With your editor of choice modify /etc/ssh/sshd_config by appending the following lines.
    # strongDM CA
    TrustedUserCAKeys /etc/ssh/sdm_ca.pub
  3. Restart the SSH service on this host for the changes to take effect. The command may differ based on your system configuration, but here is an example:
    sudo systemctl restart ssh

Restricting access by username

Because the certificates generated by the CA use the datasource settings, anyone with access to modify these settings can change the username and thus elevate their privileges. This would allow them to assume root or any existing account on the target system. Of course, any actions will be logged by strongDM. However, we still strongly recommend disabling SSH access for the root account entirely.

Additionally, you can restrict what users or principals are allowed to authenticate with the CA. Every certificate created by the strongDM CA contains two principals: the username specified in the datasource settings and the literal string "strongdm". You can use the following steps to restrict access to only this user, replacing user-one with your desired username.

  1. Create a folder to contain the user files.
    mkdir /etc/ssh/sdm_users
  2. Create a file that matches the desired username; type the string strongdm, save and close.
    sudo vim /etc/ssh/sdm_users/user-one
  3. Modify /etc/ssh/sshd_config and append the following line:
    AuthorizedPrincipalsFile /etc/ssh/sdm_users/%u

You can find additional ways to restrict access by username in Red Hat's Creating SSH Certificates documentation.

Additional Considerations

  • You may have an existing CA key pair and certificate to perform direct SSH or other tasks. You can continue to use this key pair, however you will not be able to import this CA into strongDM.
  • You do not need to sign these keys, or any user keys. strongDM will handle that for you and for your users.
  • Session-based certificates for users are automatically renewed every 3 minutes.

Adding the server to strongDM

From the Servers section on the left hand side, select add server. Choose SSH (Certificate Based) as the Server Type and fill in the host's details. If everything has been configured correctly the healthcheck should turn green.

Add server dialog
Add server dialog

If any errors occur, please copy them into an email and send to support@strongdm.com.

Previous
SSH
Next
SSH Port Forwarding