SSH certificates with multi-factor authentication (MFA) provide a modern method for authenticating users using SSH, offering a highly secure and scalable alternative to traditional SSH keys. SSH certificates are requested from a SSH Certificate Authority (CA) which is a trusted entity that signs SSH public keys, vouching for their authenticity. Subsequently, the certificate and the key pair can be used to log into properly configured hosts or services. This simplifies key management, improves security by allowing centralized control over SSH access, and also allow for in-certificate configuration of important SSH parameters, including access rules and time-to-live limits. In addition, a hierarchy of CAs can be configured to allow for the secure federation of users between organizational SSH CA servers.

Quickstart Tutorial

1. Generate a new SSH Key pair:

   On first login generate a new personal standard (public/private) SSH key pair by using the command,

   ssh-keygen -t ed25519 -f ~/.ssh/id_$CA -C "$NAME key pair"
   

   which creates the two files:

   ~/.ssh/id_$CA (private key)
   ~/.ssh/id_$CA.pub (public key)
   

   Always create SSH key pairs with passphrases. You may choose a different key name setting the name in the SSH template below. The name will be saved in the browser's localStorage. Also, consider to check if other pre-loaded keys exist in your SSH agent before use and maybe unload those with the commands:

   ssh-add -L # list keys loaded in the SSH agent
   ssh-add -D # unload keys from the SSH agent
   

   The SSH key pair generation is a run once task, but can be repeated at will if you want to renew your key.

2. Request a Certificate for a specfic key pair:

   Your organizational account has already been authenticated against your home institution, when logging into the DeiC SSH CA portal, and a unique short-lived (30 seconds) token was generated during login which allows you to fetch the time-limited SSH certificate using the command,

   ( umask 0277 && ssh -i ~/.ssh/id_$CA -p $PORT $HOST token $TOKEN > ~/.ssh/id_$CA-cert.pub )
   

   The ssh call results in the CA reading your public key ~/.ssh/id_$CA.pub, signing it with a CA server key, and then return a certificate which is redirected to the certificate file ~/.ssh/id_$CA-cert.pub. Here, the (..) and umask part of the command provide a subshell that creates the certificate file with secure file permissions, e.g., only readable by the user. The content of the certificate (including its lifetime, ranging from seconds to days) can be viewed with the commmand,

   ssh-keygen -Lf ~/.ssh/id_$CA-cert.pub
   

   Use the SSH template to rename your SSH key. The key name should match the name created with ssh-keygen command above.

1. Use a Certificate:

   To use the certificate ~/.ssh/id_$CA-cert.pub (along with its private key) to authenticate on servers that have been configured with the corresponding DeiC user CA public key, just do a standard ssh call,

   ssh -i ~/.ssh/id_$CA user@remotehost
   

   The certificate will be pre-loaded when adding the the SSH key to the SSH agent. If the SSH key is not pre-loaded the users will be asked for the passphrase at login. When properly configured the remotehost trusts the certificate because it was signed by the CA, eliminating the need to trust the user’s key directly.