[SOLVED] SSH Certificate Authorities and Key Signing Not Working

I’ve followed the instructions at SSH Certificate Authorities and Key Signing - Documentation

After seeing some SELinux errors and doing a search, I ran the restorecon command against each of the certificate files and signed public host keys. (maybe that’s something you should add to your doc?)

restorecon /etc/ssh/ca_user_key.pub
restorecon /etc/ssh/ssh_host_rsa_key-cert.pub
restorecon /etc/ssh/ssh_host_ecdsa_key-cert.pub
restorecon /etc/ssh/ssh_host_ed25519_key-cert.pub

I have a signed user key:

ssh-keygen -Lf ~/.ssh/id_rsa-cert.pub
/home/me/.ssh/id_rsa-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:Gi6WIWYrgQQuSOrpKQToklWgLVS+JPlgL1Bp3JnFSZM
        Signing CA: ECDSA SHA256:NvM5Sf+5NLbTFC0ax1PwuD12t71fQbmjYOt9FP9vwpE (using ecdsa-sha2-nistp256)
        Key ID: "me@mycompany"
        Serial: 1744796900
        Valid: from 2025-04-16T05:47:00 to 2025-04-16T05:48:28
        Principals:
                rocky
        Critical Options: (none)
        Extensions:
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc

I try to log in with ssh -i ~/.ssh/id_rsa-cert.pub -i ~/.ssh/id_rsa rocky@10.1.11.186, but it fails

rocky@10.1.11.186: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Trying with the -v flag shows that, client side, it’s picking up and offering the signed public key:

debug1: Offering public key: /home/me/.ssh/id_rsa-cert.pub RSA-CERT SHA256:Gi6WIWYrgQQuSOrpKQToklWgLVS+JPlgL1Bp3JnFSZM explicit

The contents of /var/log/audit/audit.log are:

type=CRYPTO_KEY_USER msg=audit(1744799901.528:1358364): pid=380079 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:61:52:ae:aa:63:d5:4f:26:59:07:21:38:49:b1:c3:8a:98:50:45:99:19:9e:f6:6d:0d:7a:7f:35:65:c3:38:dc direction=? spid=380079 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset" SUID="root"
type=CRYPTO_SESSION msg=audit(1744799901.624:1358365): pid=380078 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=chacha20-poly1305@openssh.com ksize=512 mac=<implicit> pfs=curve25519-sha256 spid=380079 suid=74 rport=23168 laddr=10.1.11.186 lport=22  exe="/usr/sbin/sshd" hostname=? addr=10.1.1.221 terminal=? res=success'UID="root" AUID="unset" SUID="sshd"
type=CRYPTO_SESSION msg=audit(1744799901.624:1358366): pid=380078 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=chacha20-poly1305@openssh.com ksize=512 mac=<implicit> pfs=curve25519-sha256 spid=380079 suid=74 rport=23168 laddr=10.1.11.186 lport=22  exe="/usr/sbin/sshd" hostname=? addr=10.1.1.221 terminal=? res=success'UID="root" AUID="unset" SUID="sshd"
type=USER_AUTH msg=audit(1744799902.169:1358367): pid=380078 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="rocky" exe="/usr/sbin/sshd" hostname=? addr=10.1.1.221 terminal=ssh res=failed'UID="root" AUID="unset"
type=USER_AUTH msg=audit(1744799902.271:1358368): pid=380078 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="rocky" exe="/usr/sbin/sshd" hostname=? addr=10.1.1.221 terminal=ssh res=failed'UID="root" AUID="unset"
type=USER_AUTH msg=audit(1744799902.376:1358369): pid=380078 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="rocky" exe="/usr/sbin/sshd" hostname=? addr=10.1.1.221 terminal=ssh res=failed'UID="root" AUID="unset"
type=CRYPTO_KEY_USER msg=audit(1744799902.480:1358370): pid=380078 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=380079 suid=74 rport=23168 laddr=10.1.11.186 lport=22  exe="/usr/sbin/sshd" hostname=? addr=10.1.1.221 terminal=? res=success'UID="root" AUID="unset" SUID="sshd"
type=CRYPTO_KEY_USER msg=audit(1744799902.480:1358371): pid=380078 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:61:52:ae:aa:63:d5:4f:26:59:07:21:38:49:b1:c3:8a:98:50:45:99:19:9e:f6:6d:0d:7a:7f:35:65:c3:38:dc direction=? spid=380079 suid=74  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset" SUID="sshd"
type=USER_ERR msg=audit(1744799902.481:1358372): pid=380078 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/sbin/sshd" hostname=10.1.1.221 addr=10.1.1.221 terminal=ssh res=failed'UID="root" AUID="unset"
type=CRYPTO_KEY_USER msg=audit(1744799902.481:1358373): pid=380078 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:61:52:ae:aa:63:d5:4f:26:59:07:21:38:49:b1:c3:8a:98:50:45:99:19:9e:f6:6d:0d:7a:7f:35:65:c3:38:dc direction=? spid=380078 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset" SUID="root"
type=USER_LOGIN msg=audit(1744799902.481:1358374): pid=380078 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="rocky" exe="/usr/sbin/sshd" hostname=? addr=10.1.1.221 terminal=ssh res=failed'UID="root" AUID="unset"

UPDATE: Figured it out… I somehow messed up the validity period.
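The certificate above was only valid for 88 seconds (05:47:00 to 05:48:28), so it had expired before the login attempt, which is consistent with the audit log: three pubkey failures for acct="rocky" and nothing more specific. The client's -v output and audit.log never say why a certificate was rejected; sshd writes the reason (expired, not yet valid, wrong principal, untrusted CA) to its own log, so the server's sshd log is the first place to look when a signed key is offered but refused. The following is an added example, not part of the post above or of the Rocky Linux documentation it refers to: a small POSIX sh helper that reads the Valid: line from ssh-keygen -L output and reports whether the certificate is currently usable, plus a signing wrapper that sets an explicit validity window instead of a hand-typed one. The CA private key path /etc/ssh/ca_user_key and the -5m:+8h window are assumptions for illustration; SAMPLE_LISTING is constructed from the -L output in the post.

```shell
#!/bin/sh
# Added example: decide whether an OpenSSH certificate is usable at a given
# moment, using only the "Valid:" line that `ssh-keygen -L` prints.
#   $1: full text of `ssh-keygen -L` output
#   $2: reference time as YYYY-MM-DDTHH:MM:SS in local time, the same layout
#       and zone ssh-keygen uses, e.g. "$(date +%Y-%m-%dT%H:%M:%S)"
# Prints valid | not-yet-valid | expired | unknown; exit status 0 only for valid.
check_cert_validity() {
    listing=$1
    now=$2
    valid_line=$(printf '%s\n' "$listing" | sed -n 's/^[[:space:]]*Valid: //p')
    case "$valid_line" in
        forever)
            echo valid
            return 0
            ;;
        "from "*" to "*)
            from=${valid_line#from }
            from=${from%% to *}
            to=${valid_line##* to }
            # All three stamps share one fixed-width layout, so a byte-wise
            # string comparison orders them correctly without parsing dates.
            if [ "$now" \< "$from" ]; then
                echo not-yet-valid
                return 1
            elif [ "$now" \> "$to" ]; then
                echo expired
                return 1
            fi
            echo valid
            return 0
            ;;
        *)
            echo unknown
            return 2
            ;;
    esac
}

# Convenience wrapper for a certificate file such as ~/.ssh/id_rsa-cert.pub.
check_cert_file() {
    check_cert_validity "$(ssh-keygen -Lf "$1")" "$(date +%Y-%m-%dT%H:%M:%S)"
}

# Sign a user public key with an explicit validity window rather than a
# hand-typed interval. Arguments: key ID, principal, path to the .pub file.
# The CA private key path is an assumption for this example. "-5m:+8h" starts
# five minutes in the past to absorb clock skew between the CA host and the
# server and expires eight hours after signing.
sign_user_key() {
    ssh-keygen -s /etc/ssh/ca_user_key -I "$1" -n "$2" -V -5m:+8h "$3"
}

# Constructed sample, modelled on the 88-second certificate shown in the post.
SAMPLE_LISTING='/home/me/.ssh/id_rsa-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Key ID: "me@mycompany"
        Serial: 1744796900
        Valid: from 2025-04-16T05:47:00 to 2025-04-16T05:48:28
        Principals:
                rocky'

echo "sample certificate at $(date +%Y-%m-%dT%H:%M:%S): $(check_cert_validity "$SAMPLE_LISTING" "$(date +%Y-%m-%dT%H:%M:%S)")"
```

Run check_cert_file on the signed key before opening the SSH connection; a result other than "valid" explains a "Permission denied (publickey,...)" without touching the server. The check is deliberately lexicographic: ssh-keygen prints both bounds and date(1) prints the reference time in the same local-time layout, so no date parsing or GNU extensions are needed, but the comparison is only meaningful when all three values come from the same time zone.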