Certificate Authentication
Manoj Ampalam edited this page 2018-05-31 10:56:10 -07:00
Setup SSHD server for certificate based user authentication
- Generate CA keys (just like any other keys)
ssh-keygen -t rsa -f ca_userkeys
- Register the key above as a trusted CA for sshd by adding the following entry to sshd_config:
TrustedUserCAKeys ca_userkeys.pub
- The path above is relative to the sshd binaries directory. An absolute path is recommended to avoid confusion.
- Prior to v7.7.0.0, check out #1055 for considerations while working with domain accounts.
At this point, the server accepts any user certificate signed with ca_userkeys, and there is no need to explicitly map user keys in authorized_keys.
Signing user keys
- Sign user keys using ssh-keygen:
ssh-keygen.exe -s ca_userkeys -I cert_identity -V -1w:+54w5d -n username id_rsa.pub
- `username` should match the user to be authenticated.
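Because the server trusts every certificate signed by ca_userkeys, it is worth checking what was actually signed before handing a certificate out. The following is an added example, not part of the original page or the Win32-OpenSSH project: it parses the text printed by `ssh-keygen -L -f id_rsa-cert.pub` and checks the certificate type, the principal and the validity window. The function names, the 400-day limit and the sample output are assumptions made for illustration.

```powershell
# Added example (not project code): inspect a signed user certificate.
function Get-SshCertInfo {
    param([Parameter(Mandatory)][string[]]$Lines)   # output lines of: ssh-keygen -L -f <cert>
    $info = [ordered]@{ Type = $null; KeyId = $null; ValidFrom = $null; ValidTo = $null; Principals = @() }
    $section = $null
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^Type:\s+(.+)$')         { $info.Type = $Matches[1]; $section = $null }
        elseif ($t -match '^Key ID:\s+"(.*)"$') { $info.KeyId = $Matches[1]; $section = $null }
        elseif ($t -match '^Valid:\s+from (\S+) to (\S+)$') {
            $info.ValidFrom = [datetime]$Matches[1]; $info.ValidTo = [datetime]$Matches[2]; $section = $null
        }
        elseif ($t -match '^Principals:')        { $section = 'Principals' }   # names follow, one per line
        elseif ($t -match '^[A-Za-z ]+:(\s|$)')  { $section = $null }          # any other field ends the list
        elseif ($section -eq 'Principals' -and $t) { $info.Principals += $t }
    }
    [pscustomobject]$info
}

function Test-SshUserCert {
    param($Cert, [string]$ExpectedUser, [int]$MaxDays = 400)   # 400 days is an assumed policy limit
    $problems = @()
    if ($Cert.Type -notmatch 'user certificate$')    { $problems += "not a user certificate: $($Cert.Type)" }
    if ($Cert.Principals -notcontains $ExpectedUser) { $problems += "principal '$ExpectedUser' is not listed" }
    if (-not $Cert.ValidTo)                          { $problems += 'validity window is not bounded on both sides' }
    elseif (($Cert.ValidTo - $Cert.ValidFrom).TotalDays -gt $MaxDays) { $problems += "valid for more than $MaxDays days" }
    $problems
}

# Constructed sample of `ssh-keygen -L` output (fingerprint lines omitted),
# shaped like a certificate signed with: -I cert_identity -V -1w:+54w5d -n username
$sample = @'
id_rsa-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Key ID: "cert_identity"
        Serial: 0
        Valid: from 2018-05-24T10:56:00 to 2019-06-18T10:56:00
        Principals:
                username
        Critical Options: (none)
'@ -split "`r?`n"

$cert = Get-SshCertInfo -Lines $sample   # live use: -Lines (ssh-keygen.exe -L -f id_rsa-cert.pub)
$problems = Test-SshUserCert -Cert $cert -ExpectedUser 'username'
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'certificate OK' }
```

The `-V -1w:+54w5d` interval used when signing spans one week in the past to 54 weeks and 5 days ahead, 390 days in total, so the sample passes the assumed 400-day limit.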