An X.509 certificate is bound to a key pair: the certificate itself carries the public key, and the matching private key is kept alongside it (in your browser's key store, or in the P12 bundle once you export it). That key pair is just as usable for password-less SSH login as one generated with ssh-keygen. However, as always with certificates and keys and all that powerful stuff, the handling of it all is very clumsy. Kingsley just explained how to set up SSH with X.509 certificates. I will try to add the missing pieces here.
- If you do not have an X.509 certificate yet, create one with an embedded WebID via the OpenLink YouID service. Make sure the details actually get saved in the last step, for example by posting an identity claim to your Twitter or LinkedIn account. This makes the YouID service persist your profile, which in turn makes your new WebID dereferenceable. Kingsley has some nice Linked Data details on that in his post.
- Export the new certificate, which should now be installed in your browser's key store, into a P12 file (a bundle of the certificate and its private key). This can be done via the certificate viewer in the browser preferences.
- Convert the P12 into PEM format:
# openssl pkcs12 -in MyCert.p12 -out MyCert.pem -nodes
- Extract the private key from the P12 (-nocerts leaves the certificate out; -nodes writes the key unencrypted, so keep the file readable by you only, otherwise ssh will ignore it):
# openssl pkcs12 -in MyCert.p12 -out MySSHKeys.pem -nodes -nocerts
- Finally extract the public key from the certificate PEM file and append it to the private key:
# openssl x509 -in MyCert.pem -pubkey -noout >> MySSHKeys.pem
- MyCert.pem can now be removed; it is not required anymore.
- You can use ssh-keygen to create the line to put into your remote ~/.ssh/authorized_keys file:
# ssh-keygen -i -m PKCS8 -f MySSHKeys.pem
Now you are ready to take your shiny new login stuff for a test drive and log into your remote account via:
# ssh -i MySSHKeys.pem user@REMOTE
And to put the cherry on top you can tell ssh to always use that key with the host in question by adding the following block to your client’s ~/.ssh/config file:
Host REMOTE
    IdentityFile ~/MySSHKeys.pem
This makes login even easier:
# ssh user@REMOTE
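The whole conversion in one function, as an added example that is not part of this post: it assumes openssl and ssh-keygen are installed, builds a throw-away self-signed P12 in place of the YouID-issued one, and only prints the authorized_keys line after checking that the public key taken from the certificate really matches the private key extracted next to it.

```shell
#!/bin/sh
# Added example, not code from the original post: run the post's P12 -> OpenSSH
# conversion as one function, but refuse to print the authorized_keys line unless
# the public key carried by the certificate matches the private key, and keep the
# unencrypted key file owner-only. Assumes openssl and ssh-keygen are installed.
set -eu

# x509_to_ssh P12 OUT PASS: OUT receives the clear-text private key followed by
# the certificate's public key (the same layout as MySSHKeys.pem in the post).
x509_to_ssh() {
    p12=$1; out=$2; pass=$3
    (
        umask 077   # -nodes writes the key in clear; ssh ignores a key others can read
        openssl pkcs12 -in "$p12" -passin "pass:$pass" -nodes -nocerts > "$out" &&
        openssl pkcs12 -in "$p12" -passin "pass:$pass" -nodes -nokeys -clcerts |
            openssl x509 -pubkey -noout >> "$out"
    ) || return 1
    # Public key as read from the certificate's PUBLIC KEY block (the post's command)
    from_cert=$(ssh-keygen -i -m PKCS8 -f "$out" | cut -d' ' -f1,2)
    # ... and as derived from the private key; the two must be identical.
    from_priv=$(ssh-keygen -y -f "$out" | cut -d' ' -f1,2)
    if [ -z "$from_cert" ] || [ "$from_cert" != "$from_priv" ]; then
        echo "x509_to_ssh: certificate public key does not match private key" >&2
        return 1
    fi
    printf '%s\n' "$from_cert"   # line for the remote ~/.ssh/authorized_keys
}

# make_demo_p12 DIR PASS: constructed throw-away identity (self-signed RSA
# certificate plus key) standing in for a YouID-issued P12.
make_demo_p12() {
    dir=$1; pass=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo' \
        -keyout "$dir/demo.key" -out "$dir/demo.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$dir/demo.key" -in "$dir/demo.crt" \
        -passout "pass:$pass" -out "$dir/demo.p12"
}

# Run with --demo to see the whole pipeline on the constructed P12.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_demo_p12 "$work" demo
    x509_to_ssh "$work/demo.p12" "$work/MySSHKeys.pem" demo
    rm -rf "$work"
fi
```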
Thank you! I’ve been waiting for the perfect explanation on how to do this for a while now…
Just to expand the tip about the ~/.ssh/config file, you can also enter the username and some other info there. Something like this works for me:
Host projetos.xxx.com.br
    User ubuntu
    Port 22
    IdentityFile ~/.ssh/key1.pem
Host awshost.xxxx.net
    User ec2-user
    Port 22
    IdentityFile ~/.ssh/awsadmin.key
So I only need to type
ssh projetos.xxx.com.br
Much better would be to use an OpenPGP certificate for SSH login: http://web.monkeysphere.info/why/#index2h2
I just like the helpful information you provide in your articles. I’ll bookmark your blog and take a look again here frequently. I’m fairly sure I will be informed of many new things right here! Good luck for the next!
This is a very good article on SSH login without password. Here is another one that worked for me when I first started doing this. It’s very simple, concise and easy to understand. http://tinyurl.com/m9ztegw
Interesting article. I use my SuisseID hard token for SSH logins now.
But what you’re doing is basically “converting” an X.509 key to an OpenSSH key. The “key feature” (in my view) of an X.509 PKI got lost: the possibility to revoke a key.