How to configure and set up SSH certificates for SSH authentication (Certificate Authority)

SSH certificates make an SSH key-based authentication system more efficient and secure to manage. SSH certificate-based authentication works much like SSH key-based authentication, but users and hosts are authenticated with certificates signed by a central certificate authority (CA). This simplifies the management of SSH keys and makes tasks such as limiting the lifetime of a particular key straightforward.

Test environment

$ cat /etc/redhat-release
CentOS Linux release 8.4.2105
$ yum info openssh-server
Failed to set locale, defaulting to C.UTF-8
Last metadata expiration check: 0:35:43 ago on Wed Jan 25 00:03:26 2023.
Installed Packages
Name         : openssh-server
Version      : 8.0p1
Release      : 10.el8
Architecture : x86_64
Size         : 1.0 M
Source       : openssh-8.0p1-10.el8.src.rpm
Repository   : @System
From repo    : baseos
Summary      : An open source SSH server daemon
URL          : http://www.openssh.com/portable.html
License      : BSD
Description  : OpenSSH is a free version of SSH (Secure SHell), a program for logging
             : into and executing commands on a remote machine. This package contains
             : the secure shell daemon (sshd). The sshd daemon allows SSH clients to
             : securely connect to your SSH server.

Certificate Authority (CA)

(Figure: Certificate Authority diagram. Source: https://miro.medium.com/max/720/1*JHrY8BOjEQ_KEF9hMDYw6Q.webp)

Running the Docker containers

- Create the container network

docker network create vnetwork

- auth-server

docker run -d --privileged --cap-add=SYS_ADMIN --name auth-server -h auth-server --net vnetwork anti1346/centos8-sshd:latest /sbin/init

- ssh-server

docker run -d --privileged --cap-add=SYS_ADMIN --name ssh-server -h ssh-server --net vnetwork anti1346/centos8-sshd:latest /sbin/init

- ssh-client

docker run -d --privileged --cap-add=SYS_ADMIN --name ssh-client -h ssh-client --net vnetwork anti1346/centos8-sshd:latest /sbin/init

** root password: root

[auth-server]

ssh-keygen [-q] [-a rounds] [-b bits] [-C comment] [-f output_keyfile]
                  [-m format] [-N new_passphrase] [-O option]
                  [-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa]
                  [-w provider] [-Z cipher]

Enter the auth-server container

docker exec -it auth-server bash

Generate the CA (Certificate Authority) signing key pair

ssh-keygen -t rsa -b 4096 -f Server_CA -C "Server Certificate Authority"
root@auth-server:~$ ssh-keygen -t rsa -b 4096 -f Server_CA -C "Server Certificate Authority"
root@auth-server:~$ ls
Server_CA  Server_CA.pub

[ssh-server]

ssh-server 컨테이너 접근

docker exec -it ssh-server bash

Copy the ssh_host_rsa_key.pub host public key from ssh-server to auth-server

root@ssh-server:~$ ls /etc/ssh/ssh_host_rsa_key.pub
/etc/ssh/ssh_host_rsa_key.pub
scp /etc/ssh/ssh_host_rsa_key.pub root@auth-server:~
root@ssh-server:~$ scp /etc/ssh/ssh_host_rsa_key.pub root@auth-server:~

[auth-server]

ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider]
                  [-n principals] [-O option] [-V validity_interval]
                  [-z serial_number] file ...

Use the CA key to issue a certificate for the host key

root@auth-server:~$ ls
Server_CA  Server_CA.pub  ssh_host_rsa_key.pub

Generate ssh_host_rsa_key-cert.pub

ssh-keygen -s Server_CA -I host-ssh-server -h -n ssh-server -V +52w ssh_host_rsa_key.pub
root@auth-server:~$ ssh-keygen -s Server_CA -I host-ssh-server -h -n ssh-server -V +52w ssh_host_rsa_key.pub
Signed host key ssh_host_rsa_key-cert.pub: id "host-ssh-server" serial 0 for ssh-server valid from 2023-01-20T02:52:00 to 2024-01-19T02:53:13
root@auth-server:~$ ls
Server_CA  Server_CA.pub  ssh_host_rsa_key-cert.pub  ssh_host_rsa_key.pub

Copy the generated ssh_host_rsa_key-cert.pub back to ssh-server

scp ssh_host_rsa_key-cert.pub root@ssh-server:/etc/ssh/
root@auth-server:~$ scp ssh_host_rsa_key-cert.pub root@ssh-server:/etc/ssh/

[ssh-server]

Edit the sshd configuration file (/etc/ssh/sshd_config) on ssh-server and restart the ssh (sshd) service

root@ssh-server:~$ ls /etc/ssh/ssh_host_rsa_key-cert.pub
/etc/ssh/ssh_host_rsa_key-cert.pub

Edit the sshd configuration file (/etc/ssh/sshd_config)

echo 'HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub' >> /etc/ssh/sshd_config
root@ssh-server:~$ echo 'HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub' >> /etc/ssh/sshd_config
cat /etc/ssh/sshd_config | egrep HostCertificate
root@ssh-server:~$ cat /etc/ssh/sshd_config | egrep HostCertificate
HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
systemctl restart sshd

[auth-server]

Set up the client CA (Client_CA) so that ssh-server can authenticate ssh-client

ssh-keygen -t rsa -b 4096 -f Client_CA -C "Client Certificate Authority"
root@auth-server:~$ ssh-keygen -t rsa -b 4096 -f Client_CA -C "Client Certificate Authority"
root@auth-server:~$ ls
Client_CA  Client_CA.pub  Server_CA  Server_CA.pub  ssh_host_rsa_key-cert.pub  ssh_host_rsa_key.pub
scp Client_CA.pub root@ssh-server:/etc/ssh/
root@auth-server:~$ scp Client_CA.pub root@ssh-server:/etc/ssh/

[ssh-server]

Edit the sshd configuration file (/etc/ssh/sshd_config) on ssh-server and restart the ssh (sshd) service

root@ssh-server:~$ ls /etc/ssh/Client_CA.pub
/etc/ssh/Client_CA.pub
echo 'TrustedUserCAKeys /etc/ssh/Client_CA.pub' >> /etc/ssh/sshd_config
root@ssh-server:~$ echo 'TrustedUserCAKeys /etc/ssh/Client_CA.pub' >> /etc/ssh/sshd_config
cat /etc/ssh/sshd_config | egrep 'HostCertificate|TrustedUserCAKeys'
root@ssh-server:~$ cat /etc/ssh/sshd_config | egrep 'HostCertificate|TrustedUserCAKeys'
HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
TrustedUserCAKeys /etc/ssh/Client_CA.pub
systemctl restart sshd

[ssh-client]

Enter the ssh-client container

docker exec -it ssh-client bash

Issue a subordinate (user) certificate from Client_CA and verify that ssh-client can log in to ssh-server without problems

Generate a public/private RSA key pair

ssh-keygen -t rsa -b 4096 -C "root@ssh-client"
root@ssh-client:~$ ssh-keygen -t rsa -b 4096 -C "root@ssh-client"
root@ssh-client:~$ ls ~/.ssh/
id_rsa  id_rsa.pub  known_hosts

Copy the generated id_rsa.pub file to auth-server

scp /root/.ssh/id_rsa.pub root@auth-server:~
root@ssh-client:~$ scp /root/.ssh/id_rsa.pub root@auth-server:~

[auth-server]

Create the new subordinate certificate file id_rsa-cert.pub from id_rsa.pub using the Client_CA key

ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider]
                  [-n principals] [-O option] [-V validity_interval]
                  [-z serial_number] file ...

root@auth-server:~$ ls
Client_CA  Client_CA.pub  Server_CA  Server_CA.pub  id_rsa.pub  ssh_host_rsa_key-cert.pub  ssh_host_rsa_key.pub

Generate the id_rsa-cert.pub file

ssh-keygen -I user_identifier -s Client_CA -n root -V +10m id_rsa.pub
root@auth-server:~$ ssh-keygen -I user_identifier -s Client_CA -n root -V +10m id_rsa.pub
Signed user key id_rsa-cert.pub: id "user_identifier" serial 0 for root valid from 2023-01-20T03:11:00 to 2023-01-20T03:22:56
root@auth-server:~$ ls
Client_CA  Client_CA.pub  Server_CA  Server_CA.pub  id_rsa-cert.pub  id_rsa.pub  ssh_host_rsa_key-cert.pub  ssh_host_rsa_key.pub

Copy the generated id_rsa-cert.pub file to ssh-client

scp id_rsa-cert.pub root@ssh-client:/root/.ssh/
root@auth-server:~$ scp id_rsa-cert.pub root@ssh-client:/root/.ssh/

[ssh-client]

Connection test to ssh-server (ssh-client -> ssh-server)

root@ssh-client:~$ ls ~/.ssh/
id_rsa  id_rsa-cert.pub  id_rsa.pub  known_hosts
ssh ssh-server
$ ssh ssh-server
The authenticity of host 'ssh-server (172.19.0.3)' can't be established.
RSA key fingerprint is SHA256:Hhu32zRXVq8rZNS6tErHDRaU0ISBRf9K5u2l9InEtho.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'ssh-server,172.19.0.3' (RSA) to the list of known hosts.
root@ssh-server:~$ hostname
ssh-server

Once the 10 minutes given by -V +10m have passed, the certificate has expired and you have to enter a password again.

$ ssh ssh-server
root@ssh-server's password:
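As an added example (not code from the original post), the following Python decodes the public part of a certificate file like id_rsa-cert.pub or ssh_host_rsa_key-cert.pub, recovering the values that -I, -h, -n and -V wrote into it, and applies the validity rule that made the login above fall back to a password after 10 minutes. It builds its own unsigned sample certificate with toy RSA values, since no real keys are available offline; build_sample_cert, parse_cert and is_valid_for are names chosen here, not OpenSSH API.

```python
# Added example (not from the post): decode an OpenSSH certificate body.
import base64
import struct
import time

CERT_TYPE = {1: "user", 2: "host"}          # ssh-keygen -h selects type 2

def _string(buf, off):                       # SSH wire "string": u32 length + bytes
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n
def _pack_string(data):
    return struct.pack(">I", len(data)) + data

def parse_cert(line):
    """Decode one ssh-rsa-cert-v01@openssh.com line such as id_rsa-cert.pub."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    wire_type, off = _string(blob, 0)
    if wire_type != keytype.encode() or wire_type != b"ssh-rsa-cert-v01@openssh.com":
        raise ValueError("not an RSA OpenSSH certificate")
    _nonce, off = _string(blob, off)
    _e, off = _string(blob, off)             # RSA public exponent (mpint)
    _n, off = _string(blob, off)             # RSA modulus (mpint)
    serial, ctype = struct.unpack(">QI", blob[off:off + 12]); off += 12   # -z, cert type
    key_id, off = _string(blob, off)         # ssh-keygen -I
    plist, off = _string(blob, off)          # packed principals from -n
    after, before = struct.unpack(">QQ", blob[off:off + 16])             # -V window (epoch)
    principals, p = [], 0
    while p < len(plist):
        name, p = _string(plist, p)
        principals.append(name.decode())
    return {"type": CERT_TYPE.get(ctype, "unknown"), "key_id": key_id.decode(),
            "serial": serial, "principals": principals,
            "valid_after": after, "valid_before": before}

def is_valid_for(cert, principal, now=None):
    """sshd's rule: principal must be listed and valid_after <= now < valid_before."""
    now = time.time() if now is None else now
    return principal in cert["principals"] and cert["valid_after"] <= now < cert["valid_before"]

def build_sample_cert(key_id, ctype, principals, valid_after, valid_before):
    """Constructed, UNSIGNED sample for offline use: toy RSA values, placeholder signature."""
    body = _pack_string(b"ssh-rsa-cert-v01@openssh.com") + _pack_string(b"\x00" * 32)
    body += _pack_string(b"\x01\x00\x01") + _pack_string(b"\x00\xc0" + b"\x11" * 63)
    body += struct.pack(">QI", 0, ctype) + _pack_string(key_id.encode())
    body += _pack_string(b"".join(_pack_string(p.encode()) for p in principals))
    body += struct.pack(">QQ", valid_after, valid_before) + _pack_string(b"") * 3
    body += _pack_string(b"ca-key-placeholder") + _pack_string(b"signature-placeholder")
    return "ssh-rsa-cert-v01@openssh.com " + base64.b64encode(body).decode() + " root@ssh-client"
```

Note that the client transcript above still asked to confirm the host fingerprint: a client only checks the host certificate when its known_hosts contains an @cert-authority line (for example "@cert-authority * " followed by the contents of Server_CA.pub). With that entry in place the fingerprint prompt disappears and a host certificate whose principals do not include the name being connected to is rejected.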
