Generate Ssh_host_ecdsa_key

Posted on by

This repo contains a showcase of how to use SSH certificates (for hosts & users) generated by step-ca using the step CLI'sssh sub-command.

Only RSA is an encryption algorithm. Both DSA and ECDSA are used for digital signing - the latter being an Elliptic Curve implementation of DSA (Digital Signature Algorithm). Elliptic curve cryptography is able to provide the same security level as RSA with a smaller key and is a 'lighter calculation' workload-wise. Jan 28, 2011  Welcome to LinuxQuestions.org, a friendly and active Linux Community. You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Copy the local host's public keys to the sshknownhosts file at the remote host. The client uses the sshknownhosts file to verify the identity of the remote host. Log into the remote host. Append the local host's public keys to the /etc/ssh/sshknownhosts file at the remote host.

If you haven't already you should read our blogpost on why SSH certificatesare better than SSH public keys for authentication and how you can achieve defacto SSH Single Sign-on while doing away with pesky public key managementacross your server fleet.

This document describes:

  • how to provision step-ca to issue SSH host & user certificates.
  • how sshd is configured to accept user certificates for client authentication using a CA key.
  • how sshd is configured to present a host certificate for host authentication on the client-side.
  • how to configure a user's ssh to accept host certificate signed by a CA key.
  • how to configure a user's ssh to present a user certificate for authentication on the server-side.

The code in this repo comes with a pre-generated PKI. You will need stepv0.13.3+ (installation docs)and Vagrant (plus a provider likeVirtualBox) installed locally.

Ssh ecdsa key fingerprint

Setup VM

We're going to run a CA in your local environment, and we'll use ssh toconnect to a Vagrant VM(representing a remote host) that has sshd pre-configured to acceptuser certificates signed by our CA.

With Vagrant installed, run the following commands inside the repo:

Configure ssh client to accept host certs

Go ahead and follow the instructions printed by Vagrant. This will enable yourlocal SSH client to accept SSH host certificates (signed by the root SSH hostprivate key). The following command will append the SSH host CA key(root SSH host public key corresponding to the root SSH host private key) toyour local known_hosts file:

You can also find the root SSH host CA key stored atstep/certs/ssh_host_key.pub in this repo.

Certificates bind names to public keys. This SSH host certificate has theidentity testhost which is why the following entry must be added to thelocal /etc/hosts file on the VM:

Configure sshd to accept user certs

Vagrant has already configured sshd on testhost, the VMgenerated by Vagrant. Acrobat 7 professional key generator. Please note that for demo purposes the PKI is shared withthe VM using a shared directory mount. Below you can see the relevant linesfrom the testhost VM's sshd_config:

  • TrustUserCAKeys: The root SSH user public key used to verify SSHuser certificates.
  • HostKey: The SSH private key specific to this host.
  • HostCertificate: The SSH public certificate that uniquelyidentifies this host (signed by the root SSH host private key).

Login to VM via SSH user cert

Generate Ecdsa Ssh Key

A valid user certificate is required to log into the testhost VM. Using thestep CLI we will authenticate with our SSH-enabled CA and fetch a new SSHcertificate.

In one terminal window run the following command to startup your CA (passwordis password):

In another terminal window run:

NOTE: step-ca enforces authentication for all certificate requests and usesthe concept ofprovisionersto carry out this enforcement. Provisioners are configured instep/config/ca.json. Authenticating as one of the sanctioned provisionersindicates to step-ca that you have the right to provisione newcertificates. In the above invocation of step ssh certificate we haveauthenticated our request using a JWK provisioner, which simply requires apassword to decrypt a private key. However, there are a handful of supportedprovisioners, each with it's own authentication methods. The OIDC provisioneris particularly interesting for SSH user certificates because it enablesSingle Sign-On SSH.

Conveniently, step ssh certificate adds the new SSH user certificate to yourlocal ssh agent. The default lifetime of an SSH certificate from step-ca is4hrs. The lifetime can be configured using command line options (run step ssh certificate -h for documentation and examples).

Boom! As you can see the testhost VM will welcome you with a matchingtestuser@testhost prompt.

Learn how to use OAuth OIDC proviers like Gsuite or Instance Identity Documentsto bootstrap SSH host and user certificates in our blog post If you’re not using SSHcertificates you’re doing SSHwrong or check out thestep CLI reference athttps://smallstep.com/docs/cli/ssh/.

Generate ssh host certificates

This example repo includes a pre-generated SSH host certificate and key. To replace itor generate SSH certificates for other hosts running following command:

Where --principal identifies the hostname(s) (ideally FQDNs) for the machine.For a single principal you can short cut the command to:

Generate your own PKI for step-ca

We recommend using your own PKI for usage outside of this example. You caninitialize your step-ca withboth X509 and SSH certificates using the following command:

Now you can launch your instance ofstep-ca with your own PKI likeso:

Please note that after you regenerate ssh_host_key.pub and ssh_user_key.pubyou will have to reconfigure ssh and sshd for clients and hosts to acceptthe new CA keys. Check out this host bootstrapping script forconfiguration examples.

Generate Ssh_host_ecdsa_key Account

Objective

On NetScaler's SSH implementation, we use a 2048 RSA Key and 1024 DSA Key for SSH.
For some security scans, the 1024 DSA Key size can cause alerts.
These would be considered negligible alerts and if the security of the SSH access is a concern, please upgrade to the latest version of 12.0 onwards and follow CTX209398
With this being said, you can change the Host Keys on NetScaler to switch the DSA key with a more secure ECDSA key.
Please note, when making changes to the SSH parameters of a NetScaler, this may cause conflicts with other devices connecting or managing NetScaler using SSH (e.g. ADM)
Please always take a backup of all modified files and test within a controlled environment before making any of these changes.

Instructions

Log onto the NetScaler, via SSH and drop into the shell.
From here, run the command 'ssh-keygen -t ecdsa -b 521' to generate a Public-Private ECDSA Key Pair, using the 521 curve.
https://www.ssh.com/ssh/keygen/
During the instruction steps, press Enter on each to use the defaults.
We do not want to encrypt the keys:
After doing this use the command 'mv /root/.ssh/id_ecdsa* /nsconfig/ssh/' to move the newly created keys to the SSH Directory.
Then rename the keys to the correct naming convention using the mv commands, as below.
The directory should look at below:
root@NS-LAB# mv /root/.ssh/id_ecdsa* /nsconfig/ssh/
root@NS-LAB# mv /nsconfig/ssh/id_ecdsa /nsconfig/ssh/ssh_host_ecdsa_key
root@NS-LAB# mv /nsconfig/ssh/id_ecdsa.pub /nsconfig/ssh/ssh_host_ecdsa_key.pub
root@NS-LAB#
root@NS-LAB#
root@NS-LAB# ls -l /nsconfig/ssh/
total 16
-rw------- 1 root wheel 668 Jan 31 21:23 ssh_host_dsa_key
-rw-r--r-- 1 root wheel 601 Jan 31 21:23 ssh_host_dsa_key.pub
-rw------- 1 root wheel 365 Feb 1 15:22 ssh_host_ecdsa_key
-rw-r--r-- 1 root wheel 265 Feb 1 15:22 ssh_host_ecdsa_key.pub
-rw------- 1 root wheel 972 May 22 2018 ssh_host_key
-rw-r--r-- 1 root wheel 637 May 22 2018 ssh_host_key.pub
-rw------- 1 root wheel 1675 May 22 2018 ssh_host_rsa_key
-rw-r--r-- 1 root wheel 389 May 22 2018 ssh_host_rsa_key.pub
Finally, we now need to edit the SSH configuration file to stop using DSA and use the ECDSA in its place.
Make a copy of the /nsconfig/sshd_config file, by running the command 'cp /nsconfig/sshd_config /nsconfig/sshd_config.bkp'
You can edit the config file, using the command 'ee /nsconfig/sshd_config', then edit the below line, to point to the new key:
You can then use Esc and then follow the prompts to save the file.
Please use 'cat' on the file to confirm it has been written to correctly.
After doing this, please restart the SSH process by checking the pid:
root@NS-LAB# ps -auxx grep sshd
root 989 0.0 0.1 27312 2284 ?? Is 9:23PM 0:00.08 /usr/sbin/sshd -f /etc/sshd_config
root 96331 0.0 0.3 27312 4824 ?? Ss 3:22PM 0:00.05 sshd: nsroot@pts/0 (sshd)
root 97645 0.0 0.1 9096 1384 0 S+ 3:36PM 0:00.00 grep sshd
Then run the command 'kill -HUP 989'

Disclaimer

Generate Ssh_host_ecdsa_key Address

The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code.