...

Add the following line to '/etc/ssh/sshd_config' to tell the SSH daemon which CA public key to use when verifying client (user) certificates, and copy the CA's public key (never its private key) to the path named there. The host then trusts every user certificate signed by our CA. Note that trusting the CA alone does not decide who a certificate holder may log in as: without a principals file (see below), sshd only accepts a certificate for a user if that user name appears in the certificate's principal list.

    ### User CA public key (used to verify user certificates)
    TrustedUserCAKeys /etc/ssh/yubikeyX.pub

...

Now we'll configure one of our hosts to accept only certain principals. To do so, add this line to '/etc/ssh/sshd_config'. The %u token expands to the name of the user being logged in as, so each account gets its own list of accepted principals:

    ### Auth Principals
    AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u

Then we need to populate the principals file for root. Each line names one principal; a certificate is accepted for root only if at least one of its principals matches a line in this file. Keep the directory and the files root-owned and not writable by anyone else, since sshd refuses a principals file with unsafe permissions when StrictModes is on (the default).

    mkdir -p /etc/ssh/auth_principals
    # one principal per line; printf is used instead of 'echo -e' so this also works in plain sh
    printf '%s\n' host.netdef.org root-everywhere > /etc/ssh/auth_principals/root
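The two steps above (write a per-user principals file, then let sshd match it against the principals in the presented certificate) can be checked before touching a production host. The script below is an added example, not part of the original page or of OpenSSH: it builds a principals file the way the text does, parses the Principals block of an 'ssh-keygen -L' listing, and reports whether the host would accept that certificate for a given user. The host name, the user names, the principals and the certificate listing are all constructed for this example, and it assumes principals files carry no leading key options (from=, command= and so on).

```shell
#!/bin/sh
# Added example (not from the original page): build the per-user principals
# file and check, offline, which certificate principals a host would accept
# for a user. Host name, principals and the sample 'ssh-keygen -L' listing
# are constructed for this example.

# Write DIR/USER with one principal per line, root-readable and not
# group/world writable (with StrictModes on, sshd refuses unsafe files).
# Usage: write_principals USER DIR PRINCIPAL...
write_principals() {
    user="$1"; dir="$2"; shift 2
    mkdir -p "$dir"
    chmod 0755 "$dir"
    : > "$dir/$user"
    for p in "$@"; do
        printf '%s\n' "$p" >> "$dir/$user"
    done
    chmod 0644 "$dir/$user"
}

# Print the principals a file accepts: comments and blank lines are dropped.
# Assumption: lines carry no leading key options (from=, command=, ...).
accepted_principals() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Extract the Principals block from 'ssh-keygen -L' output read on stdin.
cert_principals() {
    awk '/^[ \t]*Principals:/ { inblk = 1; next }
         inblk && /^[ \t]*[A-Za-z ]+:/ { inblk = 0 }
         inblk { gsub(/^[ \t]+|[ \t]+$/, ""); if ($0 != "") print }'
}

# Exit 0 if any certificate principal (listing on stdin) matches a line of
# the principals file PFILE; this is the AuthorizedPrincipalsFile decision.
cert_accepted() {
    pfile="$1"
    for cp in $(cert_principals); do
        for ap in $(accepted_principals "$pfile"); do
            [ "$cp" = "$ap" ] && return 0
        done
    done
    return 1
}

# Constructed 'ssh-keygen -L -f user-cert.pub' listing of a CA-signed cert.
SAMPLE_CERT_LISTING='user-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:constructed
        Signing CA: ED25519 SHA256:constructed (using ssh-ed25519)
        Key ID: "alice"
        Serial: 1
        Valid: forever
        Principals:
                alice
                root-everywhere
        Critical Options: (none)
        Extensions:
                permit-pty'

# Demo: root on host.netdef.org accepts the cert through its root-everywhere
# principal; an account whose file lists only "bob" rejects it. Returns 0 on success.
demo() {
    tmp=$(mktemp -d) || return 1
    write_principals root "$tmp/auth_principals" host.netdef.org root-everywhere
    write_principals bob  "$tmp/auth_principals" bob
    printf '%s\n' "$SAMPLE_CERT_LISTING" | cert_accepted "$tmp/auth_principals/root" \
        || { rm -rf "$tmp"; return 1; }
    if printf '%s\n' "$SAMPLE_CERT_LISTING" | cert_accepted "$tmp/auth_principals/bob"; then
        rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
    return 0
}

demo && echo "certificate accepted for root, rejected for bob"
```

On a real host, replace the constructed listing with `ssh-keygen -L -f /path/to/user-cert.pub` and point cert_accepted at /etc/ssh/auth_principals/<user>; after editing sshd_config, run `sshd -t` to validate the configuration before restarting the daemon.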

...