An X.509 certificate binds a public key to an identity; the matching private key is kept alongside it in your key store, and a P12 export contains both. SSH public-key authentication only needs that key pair, so the same key can give you password-less login via SSH. However, as always with certificates, keys and all that powerful stuff, the handling is very clumsy. Kingsley just explained how to set up SSH with X.509 certificates. I will try to add the missing pieces here.
- If you do not have an X.509 certificate yet, create one with an embedded WebID via the OpenLink YouID service. Make sure the details actually get saved in the last step, for example by posting an identity claim to your Twitter or LinkedIn account. This makes the YouID service persist your profile, which in turn makes your new WebID dereferenceable. Kingsley has some nice Linked Data details on that in his post.
- Export the new certificate which should now be installed in your browser’s key store, into a P12 file. This can be done via the certificate viewer in the browser preferences.
- Convert the P12 into PEM format:
# openssl pkcs12 -in MyCert.p12 -out MyCert.pem -nodes
- Extract the private key from the P12. Note that -nodes writes the key to disk unencrypted, so restrict the file to your user right away (chmod 600 MySSHKeys.pem); ssh refuses to use a private key file that is readable by others:
# openssl pkcs12 -in MyCert.p12 -out MySSHKeys.pem -nodes -nocerts
- Finally extract the public key from the certificate PEM file and append it to the private key file; the ssh-keygen import in the next step reads that PUBLIC KEY block:
# openssl x509 -in MyCert.pem -pubkey -noout >> MySSHKeys.pem
- MyCert.pem can now be removed. It is not required anymore.
- You can use ssh-keygen to create the line to put into your remote ~/.ssh/authorized_keys file:
# ssh-keygen -i -m PKCS8 -f MySSHKeys.pem
Now you are ready to take your shiny new login stuff for a test drive and log into your remote account via:
# ssh -i MySSHKeys.pem user@REMOTE
And to put the cherry on top you can tell ssh to always use that key with the host in question by adding the following block to your client’s ~/.ssh/config file:
Host REMOTE
    IdentityFile ~/MySSHKeys.pem
This makes login even easier:
# ssh user@REMOTE
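The whole conversion above, replayed as an added example that is not part of the original post or of Kingsley's setup. Because a real YouID export cannot be reproduced offline, the script first builds a throwaway P12 to stand in for the browser export (the CN=demo subject and the export password "secret" are assumptions), then runs the same openssl and ssh-keygen steps with the post's file names, and finally checks the one thing the steps never verify: that the authorized_keys line derived from the certificate really matches the private key ssh will present. It needs openssl and ssh-keygen on the PATH.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: replays the P12 -> SSH key
# conversion on a constructed fixture and checks the result. Needs openssl
# and ssh-keygen on PATH. File names mirror the post; "secret" is an assumed
# export password and CN=demo an assumed certificate subject.
set -eu

# Constructed fixture standing in for the browser's P12 export: a throwaway
# RSA key and self-signed certificate, bundled and password-protected.
make_demo_p12() {
    local dir="$1" pass="$2"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/orig.key" 2>/dev/null
    openssl req -new -x509 -key "$dir/orig.key" -subj "/CN=demo" -days 1 \
        -out "$dir/orig.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$dir/orig.key" -in "$dir/orig.crt" \
        -passout "pass:$pass" -out "$dir/MyCert.p12"
}

# The post's steps, parameterised: P12 in, ssh identity file and
# authorized_keys line out.
p12_to_ssh() {
    local p12="$1" pass="$2" key_out="$3" authz_out="$4" cert_pem
    cert_pem="$(mktemp)"
    # Full PEM dump (certificate + key); only the certificate is used from it.
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -out "$cert_pem" -nodes
    # Private key only. -nodes leaves it unencrypted, so lock the file down
    # before anything else: ssh ignores a key file that others can read.
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -out "$key_out" -nodes -nocerts
    chmod 600 "$key_out"
    # Append the certificate's SubjectPublicKeyInfo; the PKCS8 import below
    # reads that "PUBLIC KEY" block and skips the private key in front of it.
    openssl x509 -in "$cert_pem" -pubkey -noout >> "$key_out"
    rm -f "$cert_pem"
    # One authorized_keys line in OpenSSH format.
    ssh-keygen -i -m PKCS8 -f "$key_out" > "$authz_out"
}

# Consistency check: recompute the public key from the private half with
# ssh-keygen -y and compare SHA256 fingerprints with the authorized_keys line.
# A mismatch would mean the server accepts a key the client cannot prove.
keys_match() {
    local key_file="$1" authz_file="$2" derived fp_priv fp_authz
    derived="$(mktemp)"
    ssh-keygen -y -f "$key_file" > "$derived"
    fp_priv="$(ssh-keygen -lf "$derived" | awk '{print $2}')"
    fp_authz="$(ssh-keygen -lf "$authz_file" | awk '{print $2}')"
    rm -f "$derived"
    [ -n "$fp_priv" ] && [ "$fp_priv" = "$fp_authz" ]
}

# Whole walkthrough in a scratch directory. Returns 0 when the generated
# authorized_keys line matches the private key, 1 otherwise.
demo() {
    local dir rc=0
    dir="$(mktemp -d)"
    make_demo_p12 "$dir" secret
    p12_to_ssh "$dir/MyCert.p12" secret "$dir/MySSHKeys.pem" "$dir/authorized_keys"
    if keys_match "$dir/MySSHKeys.pem" "$dir/authorized_keys"; then
        echo "OK, authorized_keys line: $(cut -c1-40 "$dir/authorized_keys")..."
    else
        echo "MISMATCH between certificate and private key" >&2
        rc=1
    fi
    rm -rf "$dir"
    return "$rc"
}

# Run the walkthrough when both tools are available.
command -v openssl >/dev/null 2>&1 && command -v ssh-keygen >/dev/null 2>&1 && demo
```

In the real setup, replace make_demo_p12 with the P12 exported from the browser and point p12_to_ssh at it; the keys_match check is worth keeping, since a P12 that was exported from the wrong browser profile or re-keyed by the CA will convert without any error and only fail at login time.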