SSH 인증을 위한 SSH 인증서를 구성하고 설정하는 방법(Certificate Authority)
테스트 환경
$ cat /etc/redhat-release
CentOS Linux release 8.4.2105
$ yum info openssh-server
Failed to set locale, defaulting to C.UTF-8
Last metadata expiration check: 0:35:43 ago on Wed Jan 25 00:03:26 2023.
Installed Packages
Name : openssh-server
Version : 8.0p1
Release : 10.el8
Architecture : x86_64
Size : 1.0 M
Source : openssh-8.0p1-10.el8.src.rpm
Repository : @System
From repo : baseos
Summary : An open source SSH server daemon
URL : http://www.openssh.com/portable.html
License : BSD
Description : OpenSSH is a free version of SSH (Secure SHell), a program for logging
: into and executing commands on a remote machine. This package contains
: the secure shell daemon (sshd). The sshd daemon allows SSH clients to
: securely connect to your SSH server.
Certificate Authority (CA)
도커 컨테이너 실행
- 컨테이너 네트워크 생성
docker network create vnetwork
- auth-server
docker run -d --privileged --cap-add=SYS_ADMIN --name auth-server -h auth-server --net vnetwork anti1346/centos8-sshd:latest /sbin/init
- ssh-server
docker run -d --privileged --cap-add=SYS_ADMIN --name ssh-server -h ssh-server --net vnetwork anti1346/centos8-sshd:latest /sbin/init
- ssh-client
docker run -d --privileged --cap-add=SYS_ADMIN --name ssh-client -h ssh-client --net vnetwork anti1346/centos8-sshd:latest /sbin/init
** root 패스워드 : root
[auth-server]
ssh-keygen [-q] [-a rounds] [-b bits] [-C comment] [-f output_keyfile]
[-m format] [-N new_passphrase] [-O option]
[-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa]
[-w provider] [-Z cipher]
auth-server 컨테이너 접근
docker exec -it auth-server bash
CA(Certificate Authority) 인증서 생성
ssh-keygen -t rsa -b 4096 -f Server_CA -C "Server Certificate Authority"
root@auth-server:~$ ssh-keygen -t rsa -b 4096 -f ServerCA -C "Server Certificate Authority"
root@auth-server:~$ ls
Server_CA Server_CA.pub
[ssh-server]
ssh-server 컨테이너 접근
docker exec -it ssh-server bash
ssh-server에 있는 ssh_host_rsa_key.pub 공개키를 auth-server 서버로 전송(복사)
root@ssh-server:~$ ls /etc/ssh/ssh_host_rsa_key.pub
/etc/ssh/ssh_host_rsa_key.pub
scp /etc/ssh/ssh_host_rsa_key.pub root@auth-server:~
root@ssh-server:~$ scp /etc/ssh/ssh_host_rsa_key.pub root@auth-server:~
[auth-server]
ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider]
[-n principals] [-O option] [-V validity_interval]
[-z serial_number] file ...
CA 인증서를 이용하여 호스트 키에 대응하는 인증서 생성
root@auth-server:~$ ls
ServerCA ServerCA.pub ssh_host_rsa_key.pub
ssh_host_rsa_key-cert.pub 키 생성
ssh-keygen -s Server_CA -I host-ssh-server -h -n ssh-server -V +52w ssh_host_rsa_key.pub
root@auth-server:~$ ssh-keygen -s Server_CA -I host-ssh-server -h -n ssh-server -V +52w ssh_host_rsa_key.pub
Signed host key ssh_host_rsa_key-cert.pub: id "host-ssh-server" serial 0 for ssh-server valid from 2023-01-20T02:52:00 to 2024-01-19T02:53:13
root@auth-server:~$ ls
ServerCA ServerCA.pub ssh_host_rsa_key-cert.pub ssh_host_rsa_key.pub
생성된 ssh_host_rsa_key-cert.pub 키 파일을 다시 ssh-server로 전송(복사)
scp ssh_host_rsa_key-cert.pub root@ssh-server:/etc/ssh/
root@auth-server:~$ scp ssh_host_rsa_key-cert.pub root@ssh-server:/etc/ssh/
[ssh-server]
ssh-server ssh 환경 설정 파일(/etc/ssh/sshd_config) 편집 및 ssh(sshd) 서비스 재시작
root@ssh-server:~$ ls /etc/ssh/ssh_host_rsa_key-cert.pub
/etc/ssh/ssh_host_rsa_key-cert.pub
ssh 환경 설정 파일(/etc/ssh/sshd_config) 편집
echo 'HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub' >> /etc/ssh/sshd_config
root@ssh-server:~$ echo 'HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub' >> /etc/ssh/sshd_config
cat /etc/ssh/sshd_config | egrep HostCertificate
root@ssh-server:~$ cat /etc/ssh/sshd_config | egrep HostCertificate
HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
systemctl restart sshd
[auth-server]
ssh-server가 ssh-client를 인증할 수 있도록 client CA(ClientCA) 설정
ssh-keygen -t rsa -b 4096 -f Client_CA -C "Client Certificate Authority"
root@auth-server:~$ ssh-keygen -t rsa -b 4096 -f Client_CA -C "Client Certificate Authority"
root@auth-server:~$ ls
Client_CA Client_CA.pub Server_CA Server_CA.pub ssh_host_rsa_key-cert.pub ssh_host_rsa_key.pub
scp Client_CA.pub root@ssh-server:/etc/ssh/
root@auth-server:~$ scp Client_CA.pub root@ssh-server:/etc/ssh/
[ssh-server]
ssh-server ssh 환경 설정 파일(/etc/ssh/sshd_config) 편집 및 ssh(sshd) 서비스 재시작
root@ssh-server:~$ ls /etc/ssh/Client_CA.pub
/etc/ssh/Client_CA.pub
echo 'TrustedUserCAKeys /etc/ssh/Client_CA.pub' >> /etc/ssh/sshd_config
root@ssh-server:~$ echo 'TrustedUserCAKeys /etc/ssh/Client_CA.pub' >> /etc/ssh/sshd_config
cat /etc/ssh/sshd_config | egrep 'HostCertificate|TrustedUserCAKeys'
root@ssh-server:~$ cat /etc/ssh/sshd_config | egrep 'HostCertificate|TrustedUserCAKeys'
HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
TrustedUserCAKeys /etc/ssh/ClientCA.pub
systemctl restart sshd
[ssh-client]
ssh-client 컨테이너 접근
docker exec -it ssh-client bash
ClientCA로부터 하위 인증서를 발급하고 ssh-client가 ssh-server로 문제없이 로그인되는지 확인
public/private rsa key pair 생성
ssh-keygen -t rsa -b 4096 -C "root@ssh-client"
root@ssh-client:~$ ssh-keygen -t rsa -b 4096 -C "root@ssh-client"
root@ssh-client:~$ ls ~/.ssh/
id_rsa id_rsa.pub known_hosts
생성된 id_rsa.pub 파일을 auth-server로 전송
scp /root/.ssh/id_rsa.pub root@auth-server:~
root@ssh-client:~$ scp /root/.ssh/id_rsa.pub root@auth-server:~
[auth-server]
id_rsa.pub과 ClientCA 인증서를 이용하여 새로운 하위 인증서인 id_rsa-cert.pub 파일 생성
ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider]
[-n principals] [-O option] [-V validity_interval]
[-z serial_number] file ...
root@auth-server:~$ ls
Client_CA Client_CA.pub Server_CA Server_CA.pub id_rsa.pub ssh_host_rsa_key-cert.pub ssh_host_rsa_key.pub
id_rsa-cert.pub 키 파일 생성
ssh-keygen -I user_identifier -s Client_CA -n root -V +10m id_rsa.pub
root@auth-server:~$ ssh-keygen -I user_identifier -s Client_CA -n root -V +10m id_rsa.pub
Signed user key id_rsa-cert.pub: id "user_identifier" serial 0 for root valid from 2023-01-20T03:11:00 to 2023-01-20T03:22:56
root@auth-server:~$ ls
Client_CA Client_CA.pub Server_CA Server_CA.pub id_rsa-cert.pub id_rsa.pub ssh_host_rsa_key-cert.pub ssh_host_rsa_key.pub
생성한 id_rsa-cert.pub 파일을 ssh-client로 전송(복사)
scp id_rsa-cert.pub root@ssh-client:/root/.ssh/
root@auth-server:~$ scp id_rsa-cert.pub root@ssh-client:/root/.ssh/
[ssh-client]
ssh-server로 접속 테스트(ssh-client -> ssh-server)
root@ssh-client:~$ ls ~/.ssh/
id_rsa id_rsa-cert.pub id_rsa.pub known_hosts
ssh ssh-server
$ ssh ssh-server
The authenticity of host 'ssh-server (172.19.0.3)' can't be established.
RSA key fingerprint is SHA256:Hhu32zRXVq8rZNS6tErHDRaU0ISBRf9K5u2l9InEtho.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'ssh-server,172.19.0.3' (RSA) to the list of known hosts.
root@ssh-server:~$ hostname
ssh-server
10분이 지나면 다시 패스워드를 입력해야 합니다.
$ ssh ssh-server
root@ssh-server's password:
참고URL
-90. [SSH] CA를 통한 SSH 접속 방법 및 Vault로 클라이언트 SSH CA 키 관리하기 : https://blog.naver.com/alice_k106/221803861645
- access.redhat.com : 14.3.3. Creating SSH CA Certificate Signing Keys
- DigitalOcean Tutorial : How To Create an SSH CA to Validate Hosts and Clients with Ubuntu
- SSH CA host and user certificates : https://liw.fi/sshca/
- How to Use SSH Certificates for Scalable, Secure, and More Transparent Server Access
'리눅스' 카테고리의 다른 글
docker nettools (0) | 2023.01.25 |
---|---|
[리눅스] centos에 hashicorp vault를 설치하는 방법(installing vault) (0) | 2023.01.25 |
[리눅스] centos 8 Failed to download metadata for repo 'appstream': Cannot prepare internal mirrorlist: No URLs in mirrorlist (0) | 2023.01.25 |
[draft] 우분투에 HashiCorp Vault를 설치하는 방법 (0) | 2023.01.18 |
CentOS 7 컨테이너 내에서 systemctl을 사용하는 방법(centos init) (0) | 2023.01.18 |