MC's journal


Prickle-Prickle, the 29 day of Chaos in the YOLD 3191

TKey SSH CA

I wrote a stupidly simple SSH certificate authority that you can use directly over SSH to get new certificates. It can be used with a Tillitis TKey both for the private key of the CA itself and for the user authentication needed to get an SSH certificate:

https://github.com/tillitis/tkey-ssh-ca

SSH certificates, as you may know, are a way of using key pairs for user authentication that also solves the problem of distributing public keys to the servers you want to log in to. Instead of holding and trusting each user's public key, the server just trusts the CA's public key (on OpenSSH, the TrustedUserCAKeys directive in sshd_config). When a user comes along with a certificate signed by that CA, and proves possession of the private key the certificate was issued for, they are allowed in.

An SSH certificate can also, like the X.509 certificates you might already know and hate, include timestamps for when the user is allowed to use it. It can also include things like:

You can use the tkey-ssh-ca like this to get a certificate:

$ ssh -p 2222 user@ca-server > cert.pub
$ ssh -i cert.pub user@some-ssh-server

The first command gets you a certificate and stores it in a file. The second uses the certificate to log in to the server. That's it. Note that the certificate only carries your public key, so the matching private key still has to be available to ssh for the actual authentication, for example through an SSH agent (the TKey's SSH agent when the key lives on a TKey).

Kind of neat, huh?

Obviously this small CA isn't very smart. For instance, it accepts any user who is in its list of allowed users, and it issues a certificate for whatever principal (login name) that user asks for, so an allowed user could just as well ask for root. For a production setup, you would want to pin the principals each user may get and keep the validity period short; the server side can narrow things further with an AuthorizedPrincipalsFile in sshd_config, which lists the certificate principals allowed to log in as a given account. I might return to this and add that.
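To make the certificate fields and the principal problem concrete, here is an added example (mine, not code from this post or from tkey-ssh-ca) that builds an ssh-ed25519 user certificate in the OpenSSH wire format, parses it back, and applies the principal and validity checks sshd makes on it. The user key, CA key and signature are dummy bytes and the signature is never verified; the field order follows OpenSSH's PROTOCOL.certkeys. On a real certificate, ssh-keygen -L -f cert.pub prints the same fields.

```python
"""Build and inspect an OpenSSH user certificate (ssh-ed25519-cert-v01@openssh.com).
Constructed example: user key, CA key and signature are dummy bytes, so the
certificate parses like a real one but would not verify anywhere."""
import base64
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1  # type field: 1 = user certificate, 2 = host certificate

def put_string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def get_string(buf: bytes, off: int):
    """Read one SSH 'string' at `off`; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def encode_pairs(pairs: dict) -> bytes:
    """Critical options / extensions: (string name, string data) in lexical order.
    A flag has empty data; a valued option (force-command) nests its value."""
    out = b""
    for name in sorted(pairs):
        data = put_string(pairs[name].encode()) if pairs[name] else b""
        out += put_string(name.encode()) + put_string(data)
    return out

def decode_pairs(buf: bytes) -> dict:
    off, pairs = 0, {}
    while off < len(buf):
        name, off = get_string(buf, off)
        data, off = get_string(buf, off)
        pairs[name.decode()] = get_string(data, 0)[0].decode() if data else ""
    return pairs

def build_cert(pubkey, serial, key_id, principals, valid_after, valid_before,
               critical_options, extensions, ca_pubkey, signature):
    """Assemble the blob in PROTOCOL.certkeys field order and emit the
    one-line form ssh reads from a -cert.pub file."""
    body = (put_string(CERT_TYPE) + put_string(bytes(32))  # nonce, dummy here
            + put_string(pubkey) + struct.pack(">QI", serial, USER_CERT)
            + put_string(key_id.encode())
            + put_string(b"".join(put_string(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + put_string(encode_pairs(critical_options))
            + put_string(encode_pairs(extensions))
            + put_string(b"")  # reserved
            + put_string(put_string(b"ssh-ed25519") + put_string(ca_pubkey)))
    # A real CA signs exactly `body` with its private key; placeholder here.
    blob = body + put_string(put_string(b"ssh-ed25519") + put_string(signature))
    return f"{CERT_TYPE.decode()} {base64.b64encode(blob).decode()} {key_id}"

def parse_cert(line: str) -> dict:
    """Decode a certificate line into its fields. Does not verify the signature."""
    kind, b64 = line.split()[:2]
    buf, c = base64.b64decode(b64), {}
    cert_type, off = get_string(buf, 0)
    if kind != CERT_TYPE.decode() or cert_type != CERT_TYPE:
        raise ValueError("not an ssh-ed25519 certificate")
    c["nonce"], off = get_string(buf, off)
    c["pubkey"], off = get_string(buf, off)
    c["serial"], c["type"] = struct.unpack_from(">QI", buf, off)
    key_id, off = get_string(buf, off + 12)
    c["key_id"] = key_id.decode()
    princ_blob, off = get_string(buf, off)
    c["principals"], p = [], 0
    while p < len(princ_blob):
        name, p = get_string(princ_blob, p)
        c["principals"].append(name.decode())
    c["valid_after"], c["valid_before"] = struct.unpack_from(">QQ", buf, off)
    opts, off = get_string(buf, off + 16)
    c["critical_options"] = decode_pairs(opts)
    exts, off = get_string(buf, off)
    c["extensions"] = decode_pairs(exts)
    _, off = get_string(buf, off)  # reserved, always empty
    c["ca_key"], off = get_string(buf, off)
    c["signature"], off = get_string(buf, off)
    if off != len(buf):
        raise ValueError("trailing bytes after signature")
    return c

def accepts(cert: dict, login: str, now: int) -> bool:
    """What sshd checks after the signature verifies against a TrustedUserCAKeys
    key: user cert, login among the principals (an EMPTY list means any login,
    so a CA must always set it), and now inside [valid_after, valid_before)."""
    if cert["type"] != USER_CERT:
        return False
    if cert["principals"] and login not in cert["principals"]:
        return False
    return cert["valid_after"] <= now < cert["valid_before"]

def example_cert() -> str:
    """Constructed sample: one principal, a short window, a forced command."""
    return build_cert(
        pubkey=bytes(range(32)), serial=42, key_id="mc@tkey",
        principals=["mc"], valid_after=1000, valid_before=2000,
        critical_options={"force-command": "/usr/bin/uptime"},
        extensions={"permit-pty": "", "permit-user-rc": ""},
        ca_pubkey=bytes(32), signature=bytes(64))
```

The point of accepts() is the principal list: a certificate with no principals at all is valid for any login on the server, so a CA that signs whatever it is asked for should at least never leave that field empty, and pinning one principal per user together with a short valid_before is the cheap fix.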

Nota bene: A TKey is (so far) not required to use this program.


Written by MC using Emacs and friends.