SSH Certificate Auth
Switching to SSH certificate authentication frees you from the burden of managing unique key pairs for each of your servers. By using a certificate authority managed by strongDM, every connection is secured with a short-lived private/public key pair. This eliminates the risk of lost keys being compromised.
Review strongDM CA Public Key
Every organization in strongDM is automatically assigned a unique CA (certificate authority). This is a cryptographic key pair in charge of issuing and validating certificates for every SSH session. You will need to add the CA's public key as a trusted source on any hosts you want to access with this option.
The CA public key can be seen under Settings > SSH.
Only 1 active CA is permitted per organization. If the CA is rotated, all SSH sessions using the existing CA will be terminated. Please rotate with caution.
Adding the strongDM CA to your hosts
Next we will let your host know to trust certificates issued by your organization's CA.
- Create a file named /etc/ssh/sdm_ca.pub and add the CA public key shown in the previous section.
- With your editor of choice, modify /etc/ssh/sshd_config by appending the following lines:

  # strongDM CA
  TrustedUserCAKeys /etc/ssh/sdm_ca.pub

- Restart the SSH service on this host for the changes to take effect. The command may differ based on your system configuration, but here is an example:

  sudo systemctl restart ssh
Restricting access by username
Because certificates issued by the CA take their username from the datasource settings, anyone with access to modify these settings can change the username and thus elevate their privileges. This would allow them to assume root or any existing account on the target system. Of course, any actions will be logged by strongDM. However, we still strongly recommend disabling SSH access for the root account entirely.
Additionally, you can restrict which users or principals are allowed to authenticate with the CA. Every certificate created by the strongDM CA contains two principals: the username specified in the datasource settings and the literal string "strongdm". You can use the following steps to restrict access to only this user, replacing user-one with your desired username.
- Create a folder to contain the user files:

  mkdir /etc/ssh/sdm_users

- Create a file that matches the desired username; type the string strongdm, save and close:

  sudo vim /etc/ssh/sdm_users/user-one

- With your editor of choice, modify /etc/ssh/sshd_config and append the following line:

  AuthorizedPrincipalsFile /etc/ssh/sdm_users/%u

- After setting up the AuthorizedPrincipalsFile, run sudo systemctl restart ssh to force it to reload the file.
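The two procedures above (trusting the CA, then restricting which accounts accept its certificates) can be staged and reviewed before they are copied onto a live host. The script below is an added example, not strongDM's own tooling: it writes the files and sshd_config directives described above under a staging root of your choosing, appends each directive only once so it can be re-run safely, and models the resulting access decision for a given account and principal. The CA key value, the staging root and the user name are inputs you supply; the key used in the usage line is a constructed placeholder, not a real strongDM CA key.

```shell
#!/bin/sh
# Added example (not strongDM's own tooling): stage the sshd certificate-trust
# configuration under ROOT so it can be reviewed before it reaches a real host.
# Paths inside sshd_config stay as /etc/ssh/... because that is where the files
# will live once copied onto the host.

# Append LINE to FILE unless an identical line is already present (idempotent).
append_once() {
    file="$1"; line="$2"
    touch "$file"
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Install the CA public key and the TrustedUserCAKeys directive.
install_ca() {
    root="$1"; ca_pub="$2"
    mkdir -p "$root/etc/ssh"
    printf '%s\n' "$ca_pub" > "$root/etc/ssh/sdm_ca.pub"
    chmod 0644 "$root/etc/ssh/sdm_ca.pub"
    append_once "$root/etc/ssh/sshd_config" "# strongDM CA"
    append_once "$root/etc/ssh/sshd_config" "TrustedUserCAKeys /etc/ssh/sdm_ca.pub"
}

# Allow CA-issued certificates for one local account only: its principals file
# lists just "strongdm", the fixed principal every strongDM certificate carries.
# sshd refuses principals files that are group- or world-writable, hence 0644.
allow_user() {
    root="$1"; user="$2"
    mkdir -p "$root/etc/ssh/sdm_users"
    chmod 0755 "$root/etc/ssh/sdm_users"
    printf 'strongdm\n' > "$root/etc/ssh/sdm_users/$user"
    chmod 0644 "$root/etc/ssh/sdm_users/$user"
    append_once "$root/etc/ssh/sshd_config" "AuthorizedPrincipalsFile /etc/ssh/sdm_users/%u"
}

# Model the decision sshd makes under the staged configuration: a certificate
# is accepted for USER only if that account has a principals file and PRINCIPAL
# appears in it. An account with no file (e.g. root) accepts no certificate.
# Prints "allow" or "deny".
check_principal() {
    root="$1"; user="$2"; principal="$3"
    f="$root/etc/ssh/sdm_users/$user"
    if [ -f "$f" ] && grep -qxF -- "$principal" "$f"; then
        echo allow
    else
        echo deny
    fi
}

# Usage (constructed placeholder key; substitute the key shown under Settings > SSH):
#   ROOT=$(mktemp -d)
#   install_ca "$ROOT" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY sdm-ca"
#   allow_user "$ROOT" user-one
#   check_principal "$ROOT" user-one strongdm   # allow
#   check_principal "$ROOT" root strongdm       # deny
```

Once the staged tree looks right, copy it onto the host and run `sshd -t` there before restarting the service; a syntax error in sshd_config would otherwise leave the daemon unable to start and lock you out of the very host you are hardening.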
You can find additional ways to restrict access by username in Red Hat's Creating SSH Certificates documentation.
- You may have an existing CA key pair and certificate used for direct SSH or other tasks. You can continue to use this key pair; however, you will not be able to import this CA into strongDM.
- You do not need to sign these keys, or any user keys. strongDM will handle that for you and for your users.
- Session-based certificates for users are automatically renewed every 3 minutes.
Adding the server to strongDM
From the Servers section on the left-hand side, select add server. Choose SSH (Certificate Based) as the Server Type and fill in the host's details. If everything has been configured correctly, the healthcheck should turn green.
If any errors occur, please copy them into an email and send to firstname.lastname@example.org.