Configure OpenSSH server for client authentication

To report a problem or share an idea, use Issues; and if you have a suggestion for fixing the issue, please include those details, too. Got questions or want to discuss something with our team? Join us on Slack!

Configure OpenSSH server on your hosts to allow client authentication

This document describes how to configure OpenSSH server to allow client authentication using SSH client certificates by trusting the SSH certificate authority (CA). vSSH CLI will request SSH certificates from Venafi SSH Protect.

Prerequisites

To perform the tasks described in this document, you'll need:

• Access to Venafi SSH Protect version 21.4 or further.
• vSSH CLI utility. You can download it from here
• Completed the prerequisites to use vSSH CLI with Venafi SSH Protect document.

OpenSSH server configuration

We are going to configure a Linux host to trust the SSH CA of Venafi SSH Protect.

1. Open terminal and connect to the Linux host that you want to configure.
2. Make sure that you have the vSSH CLI installed. If you don't have it, you can follow the instructions to install it.
3. Retrieve the public key of your SSH CA and store it to a file (e.g., /etc/ssh/trusted_user_ca_keys). Use vssh service ca retrieve command.

user@linux:~$ vssh service ca retrieve
  Logging in as alice...              
? Enter password for user alice: [? for help] ************
  Authenticating...                            
? Select the templates that you want to use: Users - Web Admins
? How are you going to use the retrieved CA keys: I will use them to configure OpenSSH server to allow client access
? Do you want to save the CA keys to the file system? Yes, save them to a file
? Enter file name: /etc/ssh/trusted_user_ca_keys
  Saving CA public keys to /etc/ssh/trusted_user_ca_key

Note: To automate the process of retrieving the CA public key, you can use vssh in noninteractive mode. Just pass all the necessary information using flags. Example: vssh service ca retrieve --no-prompt --template "Users - Web Admins" --use-to-configure openssh_server --out-file trusted_user_ca_keys.pub

4. Open /etc/ssh/sshd_config and add the following lines to the end of the file.

TrustedUserCAKeys /etc/ssh/trusted_user_ca_keys

• TrustUserCAKeys: The public key of the SSH certificate authority used to verify SSH client certificates.

5. Test the OpenSSH server configuration by running the following command:

user@linux:~$ /usr/local/sbin/sshd -t -f /etc/ssh/sshd_config
user@linux:~$ echo $?
0

• /usr/local/sbin/sshd: The path to the OpenSSH server. You may need to change it if OpenSSH server is installed on a different location.

6. Restart OpenSSH server.

user@linux:~$ sudo systemctl restart sshd

Test the configuration

You can test the configuration by connecting to the Linux host from another host (e.g., your workstation).

1. Enroll an SSH certificate for interactive logins using vssh login command.

user@workstation:~$ vssh login
  Logging in as alice...              
? Enter password for user alice: [? for help] ************
  Authenticating...
  Logged in as alice                            
  One template (Users - Web Admins) found. Using it.    
  Your identity is alice            
  Your role is Users - Web Admins (expires in 12 hours) 
  Credentials have been added to your OpenSSH agent. 
  Now you can perform SSH logins to remote servers.

2. Open an interactive SSH session to a remote host.

user@workstation:~$ ssh [email protected]
Linux web.example.com 5.10.0-10-amd64

You have new mail.
Last login: Tue May 17 13:20:12 2022 from 172.17.254.151

alice@web:~$