
🔐 SSH CA Server

Centralized SSH Certificate Authority Service


📖 What is SSH CA Server?

SSH CA Server is a centralized certificate authority for managing SSH access across multiple servers. Instead of distributing each user's public key to every server by hand, you issue short-lived SSH certificates signed by the CA; any server configured with the CA's public key (via sshd's TrustedUserCAKeys) accepts them for the principals named in the certificate, with no per-user authorized_keys entries.

Key Features

  • 🔒 Two-Factor Authentication - Password + TOTP for certificate issuance
  • Short-lived Certificates - 24-hour validity period (configurable)
  • 🔄 Automatic Renewal - Renewal tokens for unattended certificate renewal
  • 📊 Audit Logging - Complete audit trail of all certificate operations
  • 🚀 Easy Deployment - One-command setup for servers and clients

🚀 Quick Start

For Servers (Trust CA)

Run this command on any SSH server to configure it to trust certificates from this CA. Because curl | sudo bash executes whatever the endpoint returns as root, download the script first, read it, and only then run it; afterwards confirm that the fingerprint of the installed CA key (ssh-keygen -lf on the file named by TrustedUserCAKeys in sshd_config) matches the one you obtained from the CA operator through another channel:

curl -fsSL https://ca.smartcubes.uk/v1/bootstrap/server.sh | sudo bash

This will:

  • Download the CA public key
  • Configure sshd to trust CA-signed certificates
  • Register the server with the CA for audit purposes
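What a hardened version of the server-side setup looks like, as an added shell example (this is not the project's bootstrap script): it refuses the downloaded CA key unless its fingerprint matches a value obtained out of band, installs the key as TrustedUserCAKeys, and uses AuthorizedPrincipalsFile so that a certificate can only log into local accounts that explicitly list one of its principals. The EXPECTED_FP placeholder, the drop-in file name, the auth_principals directory and the service name used on reload are assumptions; sshd_config.d drop-ins also assume an Include directive in sshd_config (OpenSSH 8.2 or later).

```shell
#!/bin/sh
# Added example, not the project's bootstrap script: pin the CA key fingerprint,
# install the key for sshd, and map certificate principals to local accounts.
# Placeholders (assumptions): EXPECTED_FP, the drop-in file name, the
# auth_principals directory and the service name used on reload.
set -eu

CA_URL="https://ca.smartcubes.uk/v1/ca/user"
# Fingerprint obtained from the CA operator over another channel (placeholder value).
EXPECTED_FP="SHA256:REPLACE_WITH_FINGERPRINT_FROM_CA_OPERATOR"

# fetch_and_verify_ca_key DEST: download the CA public key and refuse to install it
# unless its fingerprint matches EXPECTED_FP. A mismatch means a MITM, a wrong URL
# or a rotated key, all of which need a human before any server trusts the key.
fetch_and_verify_ca_key() {
  dest=$1
  tmp=$(mktemp)
  curl -fsSL "$CA_URL" -o "$tmp"
  got=$(ssh-keygen -lf "$tmp" | awk '{print $2}')
  if [ "$got" != "$EXPECTED_FP" ]; then
    echo "CA key fingerprint mismatch: expected $EXPECTED_FP, got $got" >&2
    rm -f "$tmp"
    return 1
  fi
  mv "$tmp" "$dest"
}

# install_ca_trust ROOT CA_KEY_FILE USER...: write the trusted CA key, an sshd
# drop-in, and one principals file per local account that may be logged into with
# a certificate. ROOT is "" on a real host and a scratch directory when testing;
# the paths inside the drop-in are always the real /etc/ssh paths.
install_ca_trust() {
  root=$1; ca_key=$2; shift 2
  ssh_dir="$root/etc/ssh"
  mkdir -p "$ssh_dir/sshd_config.d" "$ssh_dir/auth_principals"
  cp "$ca_key" "$ssh_dir/trusted-user-ca-keys.pem"
  chmod 644 "$ssh_dir/trusted-user-ca-keys.pem"
  cat > "$ssh_dir/sshd_config.d/50-ssh-ca.conf" <<'EOF'
# Accept user certificates signed by the SSH CA.
TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
# A certificate is accepted for local user %u only if one of its principals is
# listed in this file. With this directive set, sshd no longer falls back to
# matching the login name, so accounts without a file (root, service users)
# cannot be reached with a certificate at all.
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
EOF
  for user in "$@"; do
    printf '%s\n' "$user" > "$ssh_dir/auth_principals/$user"
  done
}

case "${1:-}" in
  --install)
    shift
    key=$(mktemp)
    fetch_and_verify_ca_key "$key"
    install_ca_trust "" "$key" "$@"
    rm -f "$key"
    # Validate the whole configuration before reloading; the service is "sshd" on
    # RHEL-style systems and "ssh" on Debian/Ubuntu.
    sshd -t && systemctl reload sshd
    ;;
esac
```

Run it as root with the list of local accounts that may be reached with certificates, for example sh install-ca-trust.sh --install alice bob (the script name is assumed). Each account's principals file holds the certificate principals accepted for it, so a shared account can list several users and be audited through the certificate's Key ID in the sshd log.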

For Clients (Get Certificate)

Run this command on your client machine to obtain an SSH certificate (as with the server script, fetch it and read it before running it):

curl -fsSL https://ca.smartcubes.uk/v1/bootstrap/client.sh | bash

You will be prompted for:

  • Username
  • Password
  • TOTP code (from your authenticator app)

After successful authentication, you'll receive:

  • SSH certificate (valid for 24 hours)
  • Renewal token (valid for 90 days)
  • Auto-configured SSH client settings

Using Your Certificate

Once configured, SSH to any server that trusts this CA exactly as you normally would, for example ssh your-username@server.

Your SSH client offers the certificate automatically. The server accepts it only if the CA key is in its TrustedUserCAKeys and your login name matches one of the certificate's principals (the requested_principals field in the manual flow below), so a certificate issued for your-username does not let you log in as root. To see the principals and validity window you were actually issued, run ssh-keygen -L -f on the certificate file the client script wrote (the manual flow below uses ~/.ssh/id_ed25519_ca-cert.pub).

🔌 API Reference

GET /v1/ca/user

Download the CA public key

GET /v1/bootstrap/server.sh

Get server bootstrap script

GET /v1/bootstrap/client.sh

Get client bootstrap script

POST /v1/certs/issue

Issue new certificate (requires username + password + TOTP)

POST /v1/certs/renew

Renew existing certificate (requires renewal token)

POST /v1/register/server

Register a server (called automatically by bootstrap script)
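The unattended renewal the renew endpoint enables, as an added shell example (not part of the project) suitable for cron or a systemd timer: it renews only when the current certificate is close to expiry, sends the 90-day renewal token on stdin rather than as a command-line argument, and refuses to overwrite a working certificate with anything ssh-keygen cannot parse. The request body fields renewal_token and public_key are assumptions (the page documents only that the endpoint takes the renewal token and that tokens are bound to a public key), as are the token file path and the use of GNU date -d for timestamp parsing.

```shell
#!/bin/sh
# Added example, not part of the project: unattended renewal for cron or a
# systemd timer. It renews only when the current certificate is within
# RENEW_BEFORE_HOURS of expiry, using the 90-day renewal token from first issuance.
# Assumptions: the renew request body fields "renewal_token" and "public_key"
# (the page only says the endpoint takes the token and that tokens are bound to a
# public key), the token file path, and GNU date -d for timestamp parsing.
set -eu

CA="https://ca.smartcubes.uk"
KEY="$HOME/.ssh/id_ed25519_ca"
TOKEN_FILE="$HOME/.ssh/ssh_ca_renewal_token"    # keep mode 0600; it is a credential
RENEW_BEFORE_HOURS=${RENEW_BEFORE_HOURS:-6}

# cert_valid_to TEXT: pull the end of the validity window out of `ssh-keygen -L`
# output, e.g. "Valid: from 2025-01-01T09:30:00 to 2025-01-02T09:30:00" gives
# "2025-01-02T09:30:00"; "Valid: forever" gives "forever"; no match gives "".
cert_valid_to() {
  printf '%s\n' "$1" | sed -n \
    -e 's/^[[:space:]]*Valid: from [^ ]* to \([^ ]*\).*/\1/p' \
    -e 's/^[[:space:]]*Valid: forever$/forever/p'
}

# hours_until ISO_TIMESTAMP: whole hours from now until the timestamp (negative
# once it has passed). Uses GNU date -d.
hours_until() {
  end=$(date -d "$1" +%s)
  now=$(date +%s)
  echo $(( (end - now) / 3600 ))
}

# needs_renewal CERT_FILE: true when the certificate is missing, unreadable, or
# expires within RENEW_BEFORE_HOURS. Fail toward renewing: a bad local file costs
# one API call, a missed renewal costs the next login.
needs_renewal() {
  cert=$1
  [ -f "$cert" ] || return 0
  info=$(ssh-keygen -L -f "$cert" 2>/dev/null) || return 0
  end=$(cert_valid_to "$info")
  case "$end" in
    forever) return 1 ;;
    "")      return 0 ;;
  esac
  [ "$(hours_until "$end")" -lt "$RENEW_BEFORE_HOURS" ]
}

# renew_certificate: send the token and the public key it is bound to on stdin
# (never as an argument visible in `ps`), then install the new certificate
# atomically so an interrupted run cannot leave a truncated file behind.
renew_certificate() {
  tmp=$(mktemp "$KEY-cert.XXXXXX")
  trap 'rm -f "$tmp"' EXIT
  jq -n --arg tok "$(cat "$TOKEN_FILE")" --arg k "$(cat "$KEY.pub")" \
        '{renewal_token: $tok, public_key: $k}' |
    curl -fsS -X POST "$CA/v1/certs/renew" -H "Content-Type: application/json" -d @- |
    jq -r '.certificate' > "$tmp"
  # Refuse to install anything ssh-keygen cannot parse as a certificate
  # (an error page or "null" from jq would otherwise replace a working cert).
  ssh-keygen -L -f "$tmp" > /dev/null
  mv "$tmp" "$KEY-cert.pub"
}

case "${1:-}" in
  run) if needs_renewal "$KEY-cert.pub"; then renew_certificate; fi ;;
esac
```

Schedule sh renew-ssh-cert.sh run hourly (the script name is assumed); with a 24-hour certificate and RENEW_BEFORE_HOURS=6 the certificate is replaced roughly once a day and a CA outage of several hours goes unnoticed by users. Because the token is bound to the public key, rotating the key means going through the interactive issue flow again rather than renewing.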

💡 Manual Certificate Issuance

If you prefer to use the API directly:

Step 1: Generate SSH Key

ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_ca -C "user@client"

Step 2: Request Certificate

curl -X POST https://ca.smartcubes.uk/v1/certs/issue \
  -H "Content-Type: application/json" \
  -d '{
    "username": "your-username",
    "password": "your-password",
    "totp": "123456",
    "public_key": "ssh-ed25519 AAAA...",
    "client_hostname": "laptop",
    "requested_principals": ["your-username"],
    "requested_validity": "24h"
  }' | jq -r '.certificate' > ~/.ssh/id_ed25519_ca-cert.pub

The value of "public_key" is the contents of ~/.ssh/id_ed25519_ca.pub generated in Step 1. Passing the password and TOTP code as a literal -d argument records them in your shell history and exposes them to other local users through ps for as long as curl runs; for anything beyond a one-off test, read the body from a file or from stdin (curl -d @-) instead.
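The two steps above as one script, added here as an example and not the project's client script: it generates the key on first use, prompts for the password and TOTP code with terminal echo off, builds the JSON body with jq so that odd characters in the password cannot break it, sends the body on stdin, and then writes an ssh_config Host block that presents the certificate. It assumes curl, jq and ssh-keygen are installed; the .certificate response field is the one the page's own curl example reads, and the Host pattern is whatever your servers match.

```shell
#!/bin/sh
# Added example, not the project's client script: obtain a certificate from
# POST /v1/certs/issue without the password or TOTP code ever appearing on a
# command line, then point ssh at the key/certificate pair. Assumes curl, jq and
# ssh-keygen. The ".certificate" response field is the one the page's own curl
# example reads; the Host pattern is whatever the operator's servers match.
set -eu

CA="https://ca.smartcubes.uk"
KEY="$HOME/.ssh/id_ed25519_ca"

# prompt_secret PROMPT: read one line with terminal echo off. Secrets typed here
# stay out of shell history and of `ps` (a literal -d '{"password":...}' argument
# is readable by every local user while curl runs).
prompt_secret() {
  printf '%s: ' "$1" >&2
  stty -echo
  read -r value
  stty echo
  printf '\n' >&2
  printf '%s' "$value"
}

# request_certificate USER CLIENT_HOSTNAME: build the JSON body with jq --arg (so
# quotes or backslashes in the password cannot break the JSON), send it on stdin
# with -d @-, and store the returned certificate next to the private key.
request_certificate() {
  user=$1; client_host=$2
  # Generate the key on first use; give it a passphrase or load it into ssh-agent.
  [ -f "$KEY" ] || ssh-keygen -t ed25519 -f "$KEY" -C "$user@$client_host"
  password=$(prompt_secret "Password")
  totp=$(prompt_secret "TOTP code")
  jq -n --arg u "$user" --arg p "$password" --arg t "$totp" \
        --arg k "$(cat "$KEY.pub")" --arg h "$client_host" \
        '{username: $u, password: $p, totp: $t, public_key: $k,
          client_hostname: $h, requested_principals: [$u], requested_validity: "24h"}' |
    curl -fsS -X POST "$CA/v1/certs/issue" -H "Content-Type: application/json" -d @- |
    jq -r '.certificate' > "$KEY-cert.pub"
  # Show what was actually signed: principals, validity window, extensions.
  ssh-keygen -L -f "$KEY-cert.pub"
}

# write_ssh_client_config CONFIG HOST_PATTERN KEY: append a Host block that offers
# only this key and its certificate (IdentitiesOnly stops ssh from trying every
# agent key first). A marker comment makes re-runs idempotent.
write_ssh_client_config() {
  config=$1; pattern=$2; key=$3
  if grep -qsFx -- "# ssh-ca: $pattern" "$config"; then
    return 0
  fi
  cat >> "$config" <<EOF
# ssh-ca: $pattern
Host $pattern
    IdentityFile $key
    CertificateFile $key-cert.pub
    IdentitiesOnly yes
EOF
  chmod 600 "$config"
}

case "${1:-}" in
  issue)
    request_certificate "${2:?username}" "$(hostname)"
    write_ssh_client_config "$HOME/.ssh/config" "${3:?host pattern}" "$KEY"
    ;;
esac
```

Invoke it as sh issue-ssh-cert.sh issue your-username '*.example.internal' (script name and pattern are placeholders). Keep the Host pattern narrow: IdentitiesOnly yes for every host would stop other keys from being offered anywhere.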

👥 User Management (Administrators)

New users must be created by administrators using one of the following methods:

Method 1: Admin CLI Tool (Recommended)

Use the built-in command-line tool:

./bin/admin -c config.yaml user create \
  --username "john" \
  --password "SecurePass123" \
  --generate-totp \
  --max-certs-per-day 50

As with any command-line argument, the value given to --password ends up in shell history and in process listings while the command runs, so treat it as an initial password for the user rather than a long-term one.

The CLI will output the TOTP secret and a QR code URL for the user to set up their authenticator app. Deliver them to the user over a different channel from the one carrying the password, and do not leave them in tickets, chat logs or shell output that is recorded.

Method 2: HTTP API

Create users programmatically via the admin API:

curl -X POST https://ca.smartcubes.uk/v1/admin/users \
  -H "Content-Type: application/json" \
  -H "X-Admin-Token: YOUR_ADMIN_TOKEN" \
  -d '{
    "username": "john",
    "password": "SecurePass123",
    "totp_secret": "BASE32_ENCODED_SECRET",
    "enabled": true,
    "max_certs_per_day": 50
  }'

⚠️ Security Note: Admin tokens are configured in the server's config.yaml file and should be kept secret. Contact your system administrator for access.

List Users

./bin/admin -c config.yaml user list

🔐 Security

  • All communication over HTTPS (TLS 1.3)
  • Two-factor authentication (TOTP) required for certificate issuance
  • Short-lived certificates (24-hour default validity)
  • Renewal tokens are bound to specific public keys
  • Complete audit logging of all certificate operations
  • Rate limiting to prevent abuse

📚 Documentation

For administrators and developers:

  • Complete requirements and design documentation available in the repository
  • Database schema and audit log structure documented
  • API reference with examples
  • Deployment and configuration guides
