OpenSSH certificate authentication

Step 1 is to generate a CA key pair that will subsequently be used to sign our public key. The following command will generate ca_rsa and ca_rsa.pub. You will be prompted to enter a passphrase.

ssh-keygen -t rsa -f ca_rsa

Next, we're going to generate a user key pair (id_rsa and id_rsa.pub), if we haven't got one already. You will again be prompted to enter a passphrase.

ssh-keygen -t rsa

Once we have all required keys, we can sign the user key with the CA key.

ssh-keygen -s ca_rsa -I 2 ~/.ssh/id_rsa.pub

This will create a certificate ~/.ssh/id_rsa-cert.pub with the key ID "2" (the -I argument) and no expiry, so it is valid forever.

The next step is to copy the file ca_rsa.pub to the server and append its contents to ~/.ssh/authorized_keys there.

The line appended to ~/.ssh/authorized_keys must not be the bare contents of ca_rsa.pub: we have to prepend it with the string "cert-authority", so the line starts with cert-authority followed by the CA public key.

Now we can connect to the server using the command:

ssh -v -p 1234 -i $HOME/.ssh/id_rsa user@host
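The whole procedure above, collected into one script as an added example (not from the original page): it creates the CA and user key pairs, signs the user key, and prints the authorized_keys line and the certificate's metadata for review. Everything happens in a throwaway directory, so nothing in ~/.ssh is touched. It assumes ssh-keygen from OpenSSH is installed; the principal name "user", the key ID "2", the 52-week validity and the empty passphrases are choices made here for an unattended run, not values from the page.

```shell
#!/bin/sh
# Added example: OpenSSH user certificate setup end to end, in a temp dir.
# Assumes ssh-keygen (OpenSSH) is on PATH. Principal "user", key ID "2"
# and the +52w validity window are constructed values for this demo.
set -eu

# Generate the CA key pair (ca_rsa, ca_rsa.pub) in directory $1.
# The page's command prompts for a passphrase; -N "" is used here only so
# the script runs unattended. A real CA key should keep its passphrase.
gen_ca() {
    ssh-keygen -q -t rsa -b 3072 -N "" -C "example-ca" -f "$1/ca_rsa"
}

# Generate the user key pair (id_rsa, id_rsa.pub) in directory $1.
gen_user_key() {
    ssh-keygen -q -t rsa -b 3072 -N "" -C "user@example" -f "$1/id_rsa"
}

# Sign the user public key with the CA, producing $1/id_rsa-cert.pub.
# Compared with the page's command this adds -n (the principal, i.e. the
# login name the cert is good for) and -V (a validity window). Without -n
# the cert carries no principal list and is not pinned to a login name;
# without -V it never expires, which is what "valid forever" means.
sign_user_key() {
    ssh-keygen -q -s "$1/ca_rsa" -I "2" -n "user" -V "+52w" "$1/id_rsa.pub"
}

# Build the line to append to the server's ~/.ssh/authorized_keys:
# the CA public key prefixed with "cert-authority", which tells sshd to
# trust certificates signed by this key rather than the key itself.
authorized_keys_line() {
    printf 'cert-authority %s\n' "$(cat "$1/ca_rsa.pub")"
}

# Print the certificate's metadata (type, key ID, principals, validity).
show_cert() {
    ssh-keygen -L -f "$1/id_rsa-cert.pub"
}

# Extract the key ID from the certificate (the -I value, e.g. 2).
cert_key_id() {
    show_cert "$1" | sed -n 's/^[[:space:]]*Key ID: "\(.*\)"$/\1/p'
}

# Succeed only if principal $2 is listed in the certificate in $1.
cert_has_principal() {
    show_cert "$1" | grep -q "^[[:space:]]*$2\$"
}

main() {
    workdir=$(mktemp -d)
    trap 'rm -rf "$workdir"' EXIT

    gen_ca "$workdir"
    gen_user_key "$workdir"
    sign_user_key "$workdir"

    echo "== line to append to the server's ~/.ssh/authorized_keys =="
    authorized_keys_line "$workdir"
    echo
    echo "== certificate as sshd will see it =="
    show_cert "$workdir"
    echo
    echo "Client side: ssh -i $workdir/id_rsa user@host picks up"
    echo "$workdir/id_rsa-cert.pub automatically from the same directory."
}

if command -v ssh-keygen >/dev/null 2>&1; then
    main
else
    echo "ssh-keygen not found; nothing to do" >&2
fi
```

Run it with sh and compare the printed certificate block with what the page's single-command signing produces: the page's command yields an empty Principals list and a "forever" validity, this one pins a login name and an expiry. On the client, ssh -i id_rsa loads id_rsa-cert.pub from beside the identity file on its own, so the connect command on the page needs no extra option; the -v output shows the certificate being offered.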