...
To enable certificate based login on a host, the public RSA key 'ssh_host_rsa_key.pub' needs to be signed. The resulting certificate is called 'ssh_host_rsa_key-cert.pub'. To enable ssh based login two things are required on the host:
- host certificate: 'ssh_host_rsa_key-cert.pub'
- CA public key: 'yubikeyX.pub'
Step 1 - Host Certificate
To tell the SSH daemon about the certificate, add the following configuration lines to the file '/etc/ssh/sshd_config'. In addition, copy the certificate to the specified location. The host sends this certificate to the client to identify itself as a trusted host.
...
Add the following lines to the file '/etc/ssh/sshd_config' to tell the SSH daemon about the public key used to verify client certificates. In addition, copy the public key to the specified location. The host trusts all certificates that are signed by our CA.
...
Now, we'll configure one of our hosts to accept only certain principals. To do so, add this line to '/etc/ssh/sshd_config':

    ### Auth Principals
    AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
...
This allows all users to log in as root that have either host.netdef.org or root-everywhere among the principals listed in their certificate (the file consulted for root is '/etc/ssh/auth_principals/root', since %u expands to the login name). You can control access to any other local user by creating the corresponding files under '/etc/ssh/auth_principals'.
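As an added example (not from the original page or the setup it describes), the following POSIX shell script re-implements the lookup that sshd performs for AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u, so the principal files can be sanity-checked before sshd is restarted. It assumes a constructed directory prefix SSH_ROOT in place of the real /etc/ssh, constructed sample principal files, and the hypothetical function names principal_allowed and cert_login_allowed; it ignores the per-line key options sshd would also parse.

```shell
#!/bin/sh
# Added example, not code from the original page: re-implements the
# AuthorizedPrincipalsFile lookup for /etc/ssh/auth_principals/%u.
# SSH_ROOT is a constructed scratch prefix so the example never touches /etc/ssh.
SSH_ROOT=$(mktemp -d)
PRINCIPALS_DIR="$SSH_ROOT/etc/ssh/auth_principals"
mkdir -p "$PRINCIPALS_DIR"

# Constructed sample: the file %u expands to for user "root", listing the
# two principals named in the text. '#' starts a comment, one principal per line.
cat > "$PRINCIPALS_DIR/root" <<'EOF'
# principals allowed to log in as root
host.netdef.org
root-everywhere
EOF

# Constructed sample for an ordinary local user.
printf '%s\n' 'alice' > "$PRINCIPALS_DIR/alice"

# principal_allowed USER PRINCIPAL
# Exit 0 if PRINCIPAL appears in the file sshd would consult for USER.
# A missing file denies (no file, no access), and a principal has to match a
# whole line: "host.netdef" is not a match for "host.netdef.org".
principal_allowed() {
    user=$1; principal=$2
    file="$PRINCIPALS_DIR/$user"
    [ -f "$file" ] || return 1
    # drop comments, trailing whitespace and blank lines, then compare whole lines
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$file" |
        grep -qxF -- "$principal"
}

# cert_login_allowed USER PRINCIPAL...
# Exit 0 if any principal carried by a certificate is accepted for USER;
# sshd accepts the certificate as soon as one of its principals matches.
cert_login_allowed() {
    user=$1; shift
    for p in "$@"; do
        principal_allowed "$user" "$p" && return 0
    done
    return 1
}

# cleanup: remove the constructed scratch tree
cleanup() {
    rm -rf "$SSH_ROOT"
}

# Usage when run as a script: report whether a certificate with the given
# principals would be accepted for the given user, e.g.
#   sh check_principals.sh root host.netdef.org
if [ "$#" -ge 2 ]; then
    if cert_login_allowed "$@"; then
        echo "accepted"
    else
        echo "denied"
    fi
    cleanup
fi
```

The exit status of cert_login_allowed is the decision, so the functions can be dropped into a pre-restart check that walks every file under the principals directory. Two behaviours are worth noticing: a user without a file under auth_principals is denied outright, which is the default-deny stance you want when AuthorizedPrincipalsFile is in force, and matching is whole-line, so a certificate carrying only a prefix of a listed name gains nothing.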
Step 4 - Restart SSH
Note: Restart SSH to apply all the changes!
...