What is the difference between a server certificate and a user certificate in SSH?

Server certificates authenticate the SSH server, while user certificates are used to authenticate users. They serve different purposes and are independently managed.

How do I configure an SSH server to trust a Certificate Authority (CA)?

Edit your sshd_config file and use the TrustedUserCAKeys directive to point to your CA public key. Restart the SSH service for changes to take effect.

Do I need to update the server certificate when adding new user certificates?

No. Server certificates (host keys) are independent of user certificates. You only need to sign the new user key with the CA and the server will accept it if it trusts the CA.

Why use SSH certificates instead of regular public key authentication?

SSH certificates simplify key management by centralizing trust through a CA. This is ideal for large environments with many servers and users.

Is host-based authentication still used in SSH?

Host-based authentication is an older method and generally less secure. Certificate-based authentication is now preferred for its scalability and security.

HiddenSSH - Secure OpenSSH Hardening | Certificate of Authority

Certificate of authority

Server vs. User Certificates:

The server certificate and user certificates are distinct components within SSH.
Server certificates authenticate the SSH server, while user certificates are used for user authentication.

CA Trust Configuration:

You configure the SSH server to trust a specific CA key, using the TrustedUserCAKeys directive in the server's configuration file (sshd_config).

User Certificate Creation:

You create user certificates by signing your user-specific public key with the trusted CA key. These certificates are associated with your user account.

Authentication:

When you attempt to log in to an SSH server that trusts the CA key, you present your user certificate. The server verifies the certificate against the trusted CA. If the certificate is valid (signed by the trusted CA), the server grants you access.

In summary, you don't need to update the server certificate when creating or updating user certificates with your CA. Server identity is established through its host keys, which is separate from user certificates.

Additional Information:

User certificates offer centralized authentication, and a user's certificate signed by the trusted CA key will work on any server configured to trust that CA.
This approach simplifies key management, especially in larger environments with multiple SSH servers.

SSH Authentication Mechanisms: 1. Signed Certificates:

These certificates use public key certificates for user or host authentication.
A certificate contains a public key and information about the user's or host's identity. The certificate is signed by a certificate authority (CA).
SSH servers are configured to trust the CA key.
Users or hosts present certificates signed by the CA key for authentication.
This method simplifies SSH key management and offers a scalable approach.

2. Host-Based Authentication:

(Note: This method is outdated and has been part of OpenSSH for a long time.)>

In host-based authentication, the server trusts the client host to vouch for the user.
It relies on the client's hostname and username.
The server authenticates the user based on the information provided by the client.
This method is less commonly used and considered less secure than public key-based or certificate-based authentication.

While both mechanisms provide SSH authentication, they serve different purposes and have different security implications.
Signed certificates offer a more structured and secure approach, particularly in complex environments.
Host-based authentication is suitable for trusted, well-controlled environments.

Note: Remember that the choice of authentication method should align with your security requirements and operational needs.

           [ CA SSH ]
             Private
             Key Pair
                |
                | (ca_ed25519, ~/.ssh/keys)
                V
                |
                |
                V
        +-------|--------------+
        |       V              |
        |   [User A] (opc)     | (user_opc_ed25519, ~/.ssh/keys)
        | Public Key           |
        | Certificate          |
        |  (user_opc_ed25519-cert.pub)  |
        |       |              |
        |       |              |
        V       |              V
    +---|-------|---+      +---|-------|---+
    |   V       V   |      |   V       V   |
    | [User A]   |   |      | [User B]   |   |
    | Public Key |   |      | Public Key |   |
    | Certificate|   |      | Certificate|   |
    |    (user_opc_ed25519)   |  |    (user_bob_ed25519)  |
    |       |   |   |      |       |   |   |
    |       |   |   |      |       |   |   |
    V       V   V   V      V       V   V   V
+-------+   +-------+      +-------+   +-------+
|       |   |       |      |       |   |       |
| User A|   | User A|      | User B|   | User B|
|       |   |       |      |       |   |       |
+-------+   +-------+      +-------+   +-------+