Ssh X509



If you have a PKI certificate in your Windows PC that you would like to use to log in to your OpenSSH-enabled Linux server, it can be a pain to figure out how to extract the public key from this file and convert it into a format OpenSSH can understand. To start with, we need to find the certificate to use, which is located in the Microsoft Certificate Store. A quick and dirty way to see your certificates is to go into Internet Explorer, find the Internet Options, go to the Content tab, and click on Certificates. Once you locate the certificate you want to use to log in to your OpenSSH server, select it and click the Export… button at the bottom of the Certificates dialog box. This will start the Certificate Export Wizard.

  • $ sudo apt-get update $ sudo apt-get install libc6-dev zlib1g-dev patch libssl-dev.
  • A brief introduction to MongoDB and mongolite for R users. 1.4 Testing with SSL. To run a local mongod with SSL support you need a SSL key and certificate. See the Mongo Configure SSL manual page.

With ssh-keygen. Ssh-keygen -t rsa -b 2048 -f dummy-ssh-keygen.pem -N ' -C 'Test Key' Converting DER to PEM. If you have an RSA key pair in DER format, you may want to convert it to PEM to allow the format conversion below: Generation: openssl genpkey -algorithm RSA -out genpkey-dummy.cer -outform DER -pkeyopt rsakeygenbits:2048 Conversion.

Follow the options below to complete the wizard.

  • Do NOT export the private key
  • Format: DER encoded binary X.509 (.CER)

Now that you have an exported public certificate/key pair, you need to copy this file to your Linux system. You can either do a file copy or open the new certificate file in a text editor and copy the text contents and paste them in a new file in the Linux system. Execute the following command in your Linux system to extract just the public key from your DER-encoded certificate:

$ openssl x509 -in joscor.crt -pubkey -noout > joscor.pub.tmp

Now that you have the public key extracted, it needs to be converted into PKCS#8 OpenSSH format (as it’s currently in OpenSSL format).

$ ssh-keygen -f joscor.pub.tmp -i -m PKCS8 > joscor.pub

Now we have a winner! This file now contains the information to place into your .ssh/authorized_keys file to allow users to authenticate into your OpenSSH server. If you need help with this part or if you’re looking to take security to the next step with the WWPass PassKey hardware token, please refer to the following article: Securing OpenSSH with WWPass PassKey

Ssh X509

Estimated reading time: 9 minutes

By default, Docker runs through a non-networked UNIX socket. It can alsooptionally communicate using SSH or a TLS (HTTPS) socket.

X509

Use SSH to protect the Docker daemon socket

Note

The given USERNAME must have permissions to access the docker socket on theremote machine. Refer to manage Docker as a non-root userto learn how to give a non-root user access to the docker socket.

The following example creates a docker contextto connect with a remote dockerd daemon on host1.example.com using SSH, andas the docker-user user on the remote machine:

After creating the context, use docker context use to switch the docker CLIto use it, and to connect to the remote engine:

Use the default context to switch back to the default (local) daemon:

Alternatively, use the DOCKER_HOST environment variable to temporarily switchthe docker CLI to connect to the remote host using SSH. This does not requirecreating a context, and can be useful to create an ad-hoc connection with a differentengine:

SSH Tips

For the best user experience with SSH, configure ~/.ssh/config as follows to allowreusing a SSH connection for multiple invocations of the docker CLI:

Use TLS (HTTPS) to protect the Docker daemon socket

If you need Docker to be reachable through HTTP rather than SSH in a safe manner,you can enable TLS (HTTPS) by specifying the tlsverify flag and pointing Docker’stlscacert flag to a trusted CA certificate.

Ssh X509

In the daemon mode, it only allows connections from clientsauthenticated by a certificate signed by that CA. In the client mode,it only connects to servers with a certificate signed by that CA.

Advanced topic

Using TLS and managing a CA is an advanced topic. Please familiarize yourselfwith OpenSSL, x509, and TLS before using it in production.

Create a CA, server and client keys with OpenSSL

Note: Replace all instances of $HOST in the following example with theDNS name of your Docker daemon’s host.

First, on the Docker daemon’s host machine, generate CA private and public keys:

Now that you have a CA, you can create a server key and certificatesigning request (CSR). Make sure that “Common Name” matches the hostname you useto connect to Docker:

Note: Replace all instances of $HOST in the following example with theDNS name of your Docker daemon’s host.

Next, we’re going to sign the public key with our CA:

Since TLS connections can be made through IP address as well as DNS name, the IP addressesneed to be specified when creating the certificate. For example, to allow connectionsusing 10.10.10.20 and 127.0.0.1:

Set the Docker daemon key’s extended usage attributes to be used only forserver authentication:

Now, generate the signed certificate:

Authorization plugins offer morefine-grained control to supplement authentication from mutual TLS. In additionto other information described in the above document, authorization pluginsrunning on a Docker daemon receive the certificate information for connectingDocker clients.

Ssh X509 Certificates

For client authentication, create a client key and certificate signingrequest:

Note: For simplicity of the next couple of steps, you may perform thisstep on the Docker daemon’s host machine as well.

To make the key suitable for client authentication, create a new extensionsconfig file:

Now, generate the signed certificate:

After generating cert.pem and server-cert.pem you can safely remove thetwo certificate signing requests and extensions config files:

With a default umask of 022, your secret keys are world-readable andwritable for you and your group.

To protect your keys from accidental damage, remove theirwrite permissions. To make them only readable by you, change file modes as follows:

Certificates can be world-readable, but you might want to remove write access toprevent accidental damage:

Now you can make the Docker daemon only accept connections from clientsproviding a certificate trusted by your CA:

To connect to Docker and validate its certificate, provide your client keys,certificates and trusted CA:

Run it on the client machine

This step should be run on your Docker client machine. As such, youneed to copy your CA certificate, your server certificate, and your clientcertificate to that machine.

Note: Replace all instances of $HOST in the following example with theDNS name of your Docker daemon’s host.

Note:Docker over TLS should run on TCP port 2376.

Warning:As shown in the example above, you don’t need to run the docker clientwith sudo or the docker group when you use certificate authentication.That means anyone with the keys can give any instructions to your Dockerdaemon, giving them root access to the machine hosting the daemon. Guardthese keys as you would a root password!

Secure by default

If you want to secure your Docker client connections by default, you can movethe files to the .docker directory in your home directory --- and set theDOCKER_HOST and DOCKER_TLS_VERIFY variables as well (instead of passing-H=tcp://$HOST:2376 and --tlsverify on every call).

Docker now connects securely by default:

Other modes

If you don’t want to have complete two-way authentication, you can runDocker in various other modes by mixing the flags.

Daemon modes

  • tlsverify, tlscacert, tlscert, tlskey set: Authenticate clients
  • tls, tlscert, tlskey: Do not authenticate clients

Client modes

  • tls: Authenticate server based on public/default CA pool
  • tlsverify, tlscacert: Authenticate server based on given CA
  • tls, tlscert, tlskey: Authenticate with client certificate, do notauthenticate server based on given CA
  • tlsverify, tlscacert, tlscert, tlskey: Authenticate with clientcertificate and authenticate server based on given CA

If found, the client sends its client certificate, so you just needto drop your keys into ~/.docker/{ca,cert,key}.pem. Alternatively,if you want to store your keys in another location, you can specify thatlocation using the environment variable DOCKER_CERT_PATH.

Connecting to the secure Docker port using curl

To use curl to make test API requests, you need to use three extra command lineflags:

Ssh X509

Related information

X509v3-ssh-dss

docker, docs, article, example, ssh, https, daemon, tls, ca, certificate



Comments are closed.