I have the private DSA key in PEM format. What do I do next to access SSH without a password?
Sample certificate in PEM format: http://ospkibook.sourceforge.net/docs/OSPKI-2.4.7/OSPKI-html/sample-priv-key.htm
Ah -- I think you are confusing ssh certificates and ssl certificates.
ssh uses two main forms of two-factor authentication keys: 1) standard RSA or DSA key pairs (public, private) or 2) ssh certificates, which (according to man ssh-keygen)
...consist of a public key, some identity information, zero or more principal (user or host) names and an optional set of constraints that are signed by a Certification Authority (CA) key.
it goes on to say:
Note that OpenSSH certificates are a different, and much simpler, format to the X.509 certificates used in ssl(8).
To generate a normal ssh keypair, do something like the following:
ssh-keygen -t rsa -b 2048 -f test
It is advisable to protect the private key with a password.
Then, by placing the public key (test.pub in this case) in the file ~/.ssh/authorized_keys on the target host user's login home, you should be able to log in to the target host without a password if sshd is configured to allow this.
ssh -i test user@host
To generate an ssh certificate, do something like the following:
ssh-keygen -f ca_key    # generate a ssh keypair for use as a certificate
ssh-keygen -s ca_key -I cert_identifier -h host_key.pub
TrustedUserCAKeys /etc/ssh/ssh_cert/host_key.pub
ssh-keygen -s ca_key -I cert_identifier user_key.pub
This should generate user_key-cert.pub. Assuming this has all proceeded properly,
ssh -i user_key user@host
will use the user_key-cert.pub file and login will proceed automatically (if allowed on the server). The server will log a connection from cert_identifier if so configured.
ssh certificates are a new feature and still need some usability aspects shaken out. The benefits of them include a central signing key, an alternative to constraining connections through authorized_keys and the possibility of limiting the validity time periods of ssh certificates.
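To make the difference between a plain key pair and an OpenSSH certificate concrete, here is an added example (my own code, not part of the answer above or of OpenSSH) that decodes the base64 blob found in a test.pub or user_key-cert.pub line. A plain ssh-rsa blob is just the key type plus the RSA numbers; the ssh-rsa-cert-v01@openssh.com blob wraps those same numbers with the fields the man page quote lists: a key id (what the server logs as cert_identifier), principals, a validity window, critical options (the constraints, e.g. source-address) and extensions, followed by the CA public key and the CA signature. The RSA numbers, CA blob and signature below are constructed placeholders, so the certificate would never verify against a real sshd; real certificates come from ssh-keygen -s. One server-side caveat worth knowing when following the commands above: sshd accepts a user certificate only if the public key of the CA that signed it is listed in TrustedUserCAKeys, i.e. the CA's own public key (ca_key.pub in the answer's naming), not a host or user key.

```python
"""Added example (not from the original answer): decode OpenSSH public-key and
certificate blobs to show what a certificate carries beyond a key pair.
Only ssh-rsa is handled.  The RSA numbers, CA blob and signature are
constructed toys; nothing here authenticates anywhere."""
import base64
import struct

RSA_TYPE = "ssh-rsa"
RSA_CERT_TYPE = "ssh-rsa-cert-v01@openssh.com"
CERT_TYPE_USER, CERT_TYPE_HOST = 1, 2
# Constructed toy RSA public numbers (not a real key); N's top bit is set so
# the mpint leading-zero rule is exercised.
E, N = 65537, 0xDEADBEEFCAFEBABE


# ---- SSH wire encoding (RFC 4251 string / mpint / uint32 / uint64) ----
def enc_string(b):
    return struct.pack(">I", len(b)) + b


def enc_mpint(n):
    # positive mpint: big-endian bytes with a leading 0x00 when the top bit is set
    return enc_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def enc_options(opts):
    # critical options / extensions: (name, string-wrapped value or empty) pairs
    out = b""
    for name, value in opts.items():
        data = enc_string(value.encode()) if value else b""
        out += enc_string(name.encode()) + enc_string(data)
    return enc_string(out)


class Reader:
    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def string(self):
        (n,) = struct.unpack_from(">I", self.buf, self.pos)
        s = self.buf[self.pos + 4:self.pos + 4 + n]
        if len(s) != n:
            raise ValueError("truncated blob")
        self.pos += 4 + n
        return s

    def mpint(self):
        return int.from_bytes(self.string(), "big")

    def u32(self):
        (v,) = struct.unpack_from(">I", self.buf, self.pos)
        self.pos += 4
        return v

    def u64(self):
        (v,) = struct.unpack_from(">Q", self.buf, self.pos)
        self.pos += 8
        return v

    def done(self):
        return self.pos == len(self.buf)


def parse_packed_strings(buf):
    r, out = Reader(buf), []
    while not r.done():
        out.append(r.string().decode())
    return out


def parse_options(buf):
    r, out = Reader(buf), {}
    while not r.done():
        name, data = r.string().decode(), r.string()
        out[name] = Reader(data).string().decode() if data else ""
    return out


def parse_pubkey_line(line):
    """Parse one 'type base64 [comment]' line as found in test.pub or authorized_keys."""
    ktype, b64, *comment = line.split()
    r = Reader(base64.b64decode(b64))
    blob_type = r.string().decode()
    if blob_type != ktype:
        raise ValueError(f"declared type {ktype} but blob says {blob_type}")
    if ktype == RSA_TYPE:
        e, n = r.mpint(), r.mpint()
        return {"type": ktype, "e": e, "n": n, "comment": " ".join(comment)}
    if ktype == RSA_CERT_TYPE:
        r.string()  # nonce (random, makes signatures unique)
        e, n = r.mpint(), r.mpint()
        serial, ctype = r.u64(), r.u32()
        key_id = r.string().decode()
        principals = parse_packed_strings(r.string())
        valid_after, valid_before = r.u64(), r.u64()
        critical, extensions = parse_options(r.string()), parse_options(r.string())
        r.string()  # reserved
        ca_blob, signature = r.string(), r.string()
        ca = parse_pubkey_line(RSA_TYPE + " " + base64.b64encode(ca_blob).decode())
        return {"type": ktype, "e": e, "n": n, "serial": serial, "cert_type": ctype,
                "key_id": key_id, "principals": principals,
                "valid_after": valid_after, "valid_before": valid_before,
                "critical": critical, "extensions": extensions,
                "ca": ca, "signature": signature, "comment": " ".join(comment)}
    raise ValueError(f"unsupported key type {ktype}")


def cert_valid_at(cert, now):
    """Validity window: valid_after inclusive, valid_before exclusive (as OpenSSH checks it)."""
    return cert["valid_after"] <= now < cert["valid_before"]


def make_pubkey_line(comment="user@example"):
    """Constructed equivalent of a test.pub line (toy numbers, not a real key)."""
    blob = enc_string(RSA_TYPE.encode()) + enc_mpint(E) + enc_mpint(N)
    return f"{RSA_TYPE} {base64.b64encode(blob).decode()} {comment}"


def make_cert_line(key_id, principals, valid_after, valid_before, critical=None):
    """Constructed user certificate with the field layout ssh-keygen -s writes.
    The CA blob reuses the toy numbers and the signature is a placeholder."""
    ca_blob = enc_string(RSA_TYPE.encode()) + enc_mpint(E) + enc_mpint(N)
    blob = (enc_string(RSA_CERT_TYPE.encode()) + enc_string(b"\x00" * 32)  # nonce
            + enc_mpint(E) + enc_mpint(N)
            + struct.pack(">QI", 1, CERT_TYPE_USER)  # serial, certificate type
            + enc_string(key_id.encode())
            + enc_string(b"".join(enc_string(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + enc_options(critical or {})
            + enc_options({"permit-pty": ""})
            + enc_string(b"")  # reserved
            + enc_string(ca_blob)
            + enc_string(b"constructed-placeholder-signature"))
    return f"{RSA_CERT_TYPE} {base64.b64encode(blob).decode()} {key_id}"


if __name__ == "__main__":
    key = parse_pubkey_line(make_pubkey_line())
    print("plain key:", key["type"], "comment:", key["comment"])
    cert = parse_pubkey_line(make_cert_line(
        "cert_identifier", ["user"], 1_700_000_000, 1_700_086_400,
        critical={"source-address": "192.0.2.0/24"}))
    print("cert key id:", cert["key_id"], "principals:", cert["principals"])
    print("critical:", cert["critical"], "extensions:", cert["extensions"])
    print("valid at 1_700_000_500?", cert_valid_at(cert, 1_700_000_500))
```

Run it against a real user_key-cert.pub line and you will see the same fields that ssh-keygen -L prints; the parser only decodes structure, it does not verify the CA signature, which is the job sshd does using the CA key from TrustedUserCAKeys. Principals, the validity window and critical options are the parts that give certificates their advantage over plain authorized_keys entries: the constraints travel with the credential and are enforced by the server even when the user controls the key file.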