SSH Certificates
Introduction
The SSH protocol supports multiple authentication methods: passwords, public keys, certificates, etc. Certificate-based authentication is one of the most secure approaches. In large elastic cloud environments, users' public keys do not need to be distributed to servers as ~/.ssh/authorized_keys, which reduces operational overhead.
This feature provides a more secure way to connect to Linux nodes.
Benefits of certificate-based authentication
Compared to password and key-based authentication, SSH certificates provide:
- Higher security: SSH certificates are used over SSH's encrypted channel. The private key must still be protected, but certificate-based authentication is generally safer than password-based authentication.
- Convenience: SSH certificates support one-way and mutual authentication, so you are not repeatedly prompted for a password.
- Better manageability: SSH certificates carry an expiration time, which improves security compared to static keys that never expire.
SSH client support for certificates
| Operating system / client | SSH client | Support |
|---|---|---|
| Linux | CentOS 6.x | Verified |
| Linux | CentOS 7.x | Verified |
| Linux | Ubuntu 18.04 | Verified |
| macOS | iTerm2 | Verified |
| PyCharm | Community edition does not support Remote SSH. Professional edition not verified. | Not verified |
| VS Code | Remote SSH | Verified |
| Windows | PowerShell | Verified |
| WSL | Theoretically supported, but not verified successfully. | Not verified |
| Xshell | Supported per official docs: Using the OpenSSH CA (Certificate Authority) in Xshell - Technical Support - NetSarang Computer | Not verified |
| PuTTY | Supported per official docs: Implementing OpenSSH certificate support in PuTTY | Not verified |
| SecureCRT | Supported per official docs: Using X.509 Certificates - SecureCRT Documentation | Not verified |
Log in using SSH certificates
Permissions
- All users can access the SSH key page and add keys.
- When a user logs in to a cluster/desktop using an issued certificate, the certificate can only be used to log in as the current user. Using the certificate to log in as another user is not supported.
- Logging in to non-cluster/non-desktop nodes (such as file systems, management nodes, base nodes) is not supported.
- There is no limit on the number of keys you can add.
- The default SSH certificate validity period is 3 months. Changing the validity period is not currently supported.
Account settings
SSH keys are managed in Account Settings.
Add a key
You can add a key by creating a new key pair or importing a public key.
- Create key pair
After you confirm, the system generates three files: a private key id_rsa_[user]_[date], a public key id_rsa_[user]_[date].pub, and a certificate file id_rsa_[user]_[date]-cert.pub.
- Import public key
You can paste the public key content directly or select a public key file and let the system read it automatically.
If the format is valid, after you confirm, the system generates a certificate file named id_rsa_[user]_[date]-cert.pub.
Use the certificate to log in to clusters/desktops
Place the certificate file and the private key in the same directory, so that the SSH client picks up the certificate together with the private key. If the security group rules allow the network connection, you can log in to any node in clusters/desktops under the current account.
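As an added example (not part of this page or the platform's own tooling), the following Python parser reads the id_rsa_[user]_[date]-cert.pub file in the OpenSSH ssh-rsa-cert-v01@openssh.com format and checks the two restrictions described above: the certificate names only the current user as a principal, and it is inside its validity window. The sample certificate is constructed inside the block with dummy key and signature fields and is not signed by any CA; the function names are assumptions for this example.

```python
import base64
import struct

CERT_TYPE = "ssh-rsa-cert-v01@openssh.com"  # certificate type written for RSA key pairs
USER_CERT = 1                               # cert_type field: 1 = user, 2 = host

def _take(buf, off):
    """Read one SSH 'string' (uint32 length + bytes) at offset off."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_cert(cert_line):
    """Parse one line of id_rsa_[user]_[date]-cert.pub into its public fields."""
    kind, b64 = cert_line.split()[:2]
    buf = base64.b64decode(b64)
    name, off = _take(buf, 0)
    if kind != CERT_TYPE or name.decode() != CERT_TYPE:
        raise ValueError("not a %s certificate" % CERT_TYPE)
    for _ in range(3):  # skip nonce, RSA e, RSA n
        _, off = _take(buf, off)
    serial, cert_type = struct.unpack(">QI", buf[off:off + 12])
    key_id, off = _take(buf, off + 12)
    princ_blob, off = _take(buf, off)
    valid_after, valid_before = struct.unpack(">QQ", buf[off:off + 16])
    principals, p = [], 0
    while p < len(princ_blob):  # packed list of SSH strings, one per principal
        s, p = _take(princ_blob, p)
        principals.append(s.decode())
    return {"key_id": key_id.decode(), "serial": serial, "cert_type": cert_type,
            "principals": principals, "valid_after": valid_after, "valid_before": valid_before}

def check_cert(cert_line, user, now):
    """Reasons this certificate would be refused for `user` at unix time `now` ([] = usable)."""
    c = parse_cert(cert_line)
    problems = []
    if c["cert_type"] != USER_CERT:
        problems.append("not a user certificate")
    if user not in c["principals"]:  # the issued cert names only the requesting user
        problems.append("principal %r not in %s" % (user, c["principals"]))
    if now < c["valid_after"] or now >= c["valid_before"]:  # 3-month default window
        problems.append("outside validity window")
    return problems

_s = lambda b: struct.pack(">I", len(b)) + b  # SSH string encoder, used only for the sample

def sample_cert(user, valid_after, valid_before):
    """Constructed unsigned sample with dummy key and signature fields; not a real cert."""
    body = (_s(CERT_TYPE.encode()) + _s(b"nonce") + _s(b"\x01\x00\x01") + _s(b"\x00" * 8)
            + struct.pack(">QI", 7, USER_CERT) + _s(user.encode()) + _s(_s(user.encode()))
            + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"") + _s(b"") + _s(b"") + _s(b"ca-key") + _s(b"sig"))
    return "%s %s constructed" % (CERT_TYPE, base64.b64encode(body).decode())
```

Running check_cert on a real issued file shows why a login as another user, or after the three-month validity, is refused before you try it against a node.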