As network security draws ever more attention, accessing servers securely and efficiently has become a central concern for technicians. The traditional SSH login methods are password login and key-based login, but both carry security risks and are inconvenient to use. This article introduces a third SSH login method, certificate-based login, and shows how to implement it.

Disadvantages of Traditional SSH Login Methods

Password Login

Password login is the most common method, but it is also the least secure: passwords are susceptible to brute-force attacks, especially where password management is weak. Entering a password on every login is also inconvenient.

Key-Based Login

Key-based login is more secure than password login; users store their public key on the server. However, this method becomes very hard to manage in an environment with many users and servers: when an employee leaves, the administrator must delete that person's public key from every server, which is laborious.

Advantages of Certificate Login

  • No need for public key exchange: Users and servers do not need to know each other’s public keys in advance, which simplifies the key management process and enhances scalability.
  • Certificate validity period: Unlike public keys, which are valid indefinitely, certificates can be given an expiration date, which improves security.

Implementation Process

Generating a Key Pair for the CA

Before implementing certificate login, a CA must be established. The CA needs a key pair with which to issue certificates; for security and flexibility, it is best to use separate key pairs for issuing user certificates and server certificates.

# Generate the CA key pair for issuing user certificates
ssh-keygen -t rsa -b 4096 -f ~/.ssh/user_ca -C "user_ca"

# Generate the CA key pair for issuing server certificates
ssh-keygen -t rsa -b 4096 -f ~/.ssh/host_ca -C "host_ca"

CA Issues Server Certificate

Once you have the CA's keys, the next step is to use them to issue a certificate for the server's public key. Assuming the server already has a public key, the following command issues the certificate:

# -I: certificate identity, -h: host certificate, -n: host name principal(s), -V +52w: valid 52 weeks; <...> marks values missing from the original
ssh-keygen -s ~/.ssh/host_ca -I <key_id> -h -n <hostname> -V +52w /etc/ssh/<host_key>.pub

CA Issues User Certificate

Similarly, the CA also needs to issue a certificate for the client user's public key. Assuming the user has already generated a key pair, issue the certificate with the following command:

# -I: certificate identity, -n user: the login name (principal) the certificate is valid for, -V +1d: valid one day; <...> marks values missing from the original
ssh-keygen -s ~/.ssh/user_ca -I <key_id> -n user -V +1d ~/.ssh/<user_key>.pub

Why SSH Certificate Login Is a Better Choice

Certificate login offers security and convenience that password and key logins cannot match.

  • Centralized certificate management: The CA can centrally manage all certificates, making user and server identity verification simpler and more secure.
  • Automated login process: When a user logs into a server, the SSH client automatically presents the user certificate, the server verifies it and in turn presents its server certificate to the user, all without user intervention.
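To make concrete what the server verifies when the certificate issued above with -I, -n and -V is presented, here is an added example (not code from the original article) that builds a constructed ssh-rsa-cert-v01 certificate body with dummy key material and applies the same type, principal and validity-window checks sshd performs; signature verification against the CA key is assumed to happen separately and is omitted.

```python
import struct
import time

USER_CERT, HOST_CERT = 1, 2  # certificate "type" field; ssh-keygen -h yields a host cert

def _s(b):  # encode an SSH "string": uint32 length prefix + bytes
    return struct.pack(">I", len(b)) + b

def _take(buf, off):  # decode one SSH "string" at off, return (value, new offset)
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_cert_body(key_id, principals, cert_type, valid_after, valid_before):
    """Constructed ssh-rsa-cert-v01 body (dummy RSA values, no signature) laid out
    as in OpenSSH's PROTOCOL.certkeys, so parse_cert() also fits a real cert blob."""
    body = _s(b"ssh-rsa-cert-v01@openssh.com") + _s(b"\x00" * 32)  # type name, nonce
    body += _s(b"\x01\x00\x01") + _s(b"\x00" + b"\x7f" * 64)        # e, n (dummy)
    body += struct.pack(">QI", 1, cert_type)                          # serial, type
    body += _s(key_id.encode())                                       # -I key id
    body += _s(b"".join(_s(p.encode()) for p in principals))          # -n principals
    body += struct.pack(">QQ", valid_after, valid_before)             # -V window
    return body + _s(b"") * 3 + _s(b"\x00" * 8)  # crit. options, extensions, reserved, CA key

def parse_cert(body):
    kind, off = _take(body, 0)
    for _ in range(3):  # skip nonce, e, n
        _, off = _take(body, off)
    serial, cert_type = struct.unpack_from(">QI", body, off)
    key_id, off = _take(body, off + 12)
    blob, off = _take(body, off)
    principals, p = [], 0
    while p < len(blob):  # principals are packed as consecutive strings
        name, p = _take(blob, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", body, off)
    return {"kind": kind.decode(), "serial": serial, "cert_type": cert_type,
            "key_id": key_id.decode(), "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}

def accept_user_login(body, login_user, now=None):
    """sshd's checks on a presented user cert (signature check omitted here)."""
    c = parse_cert(body)
    now = int(time.time()) if now is None else now
    if c["cert_type"] != USER_CERT:
        return False, "not a user certificate"
    if login_user not in c["principals"]:
        return False, "login user is not a listed principal"
    if not c["valid_after"] <= now < c["valid_before"]:  # valid_before is exclusive
        return False, "certificate expired or not yet valid"
    return True, c["key_id"]
```

On a real server, the CA public key that sshd trusts for user certificates is named by the TrustedUserCAKeys directive in sshd_config, and the blob to parse is the base64 field of the *-cert.pub file that ssh-keygen -s writes next to the signed public key.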

By adopting SSH certificate login, enterprises and technicians can more easily ensure the security of their servers while improving management efficiency. Certificate login not only reduces security risks associated with password or key leaks but also simplifies the lifecycle management of user and server certificates, making revocation and update of permissions more efficient.

Automation Scripts and Integration
