1 Abstract

There are two different things needed to set up certificate authentication:

user certificates: There are N user certificates, one for each public key provided for signing.

Code Block
languagebash
helloworld-1234567890-1-cert.pub
helloworld-1234567890-2-cert.pub
...
helloworld-1234567890-N-cert.pub

host certificate public key: There is one public key used to authenticate servers.

Because there are two types of certificates, there are two individual tasks as well in order to set up a host. If you would like to use only one certificate, execute the corresponding task.

Configuration paths

There are two different options to tell the ssh daemon about the certificate: 'user based' (recommended) or 'global'.

  • 'user based': The certificate is valid for one specific user on the client.

  • 'global': The certificate is valid for each user on the client.

user based

Code Block
languagebash
SSH_CERTIFICATES=$HOME/.ssh/netdef
SSH_CONFIG=$HOME/.ssh/config
SSH_KNOWNHOSTS=$HOME/.ssh/known_hosts

global

Code Block
languagebash
SSH_CERTIFICATES=/etc/ssh/netdef
SSH_CONFIG=/etc/ssh/ssh_config
SSH_KNOWNHOSTS=/etc/ssh/ssh_known_hosts


2 Host certificate

To set up the host certificate, the public key of the CA is needed. There are three public keys, called 'yubikey1.pub', 'yubikey2.pub' and 'yubikey3.pub'.

Add the following lines to '$SSH_KNOWNHOSTS', where `yubikeyX.pub` must be replaced with the public key stored in 'yubikeyX.pub'.

Code Block
languagebash
@cert-authority *.netdef.org `yubikey1.pub`
@cert-authority *.netdef.org `yubikey2.pub`
@cert-authority *.netdef.org `yubikey3.pub`

3 Client Certificate

Step 1 - Sign client's public key

One can either use the public key file that is stored on GitHub or manually copy the id_rsa.pub file to the CA.

The instructions on how to sign a client's public key can be found here.

The CA provides a zip file where all signed keys are stored.

Code Block
languagebash
helloworld-1234567890-1-cert.pub
helloworld-1234567890-2-cert.pub
...
helloworld-1234567890-N-cert.pub

Step 2 - copy all certificates to netdef folder

Copy all certificates that can be found in the provided tar file to the folder '$SSH_CERTIFICATES'.

Code Block
languagebash
mkdir -p $SSH_CERTIFICATES
cp *cert.pub $SSH_CERTIFICATES

Step 3 - edit the config file
Add the following lines to '$SSH_CONFIG'. The name of the certificate as well as '$SSH_CERTIFICATES' must be replaced with the correct file name and the correct path to the folder respectively.

Code Block
languagebash
Host *.netdef.org
	CertificateFile `$SSH_CERTIFICATES`/helloworld-1234567890-1-cert.pub
	CertificateFile `$SSH_CERTIFICATES`/helloworld-1234567890-2-cert.pub
	...
	CertificateFile `$SSH_CERTIFICATES`/helloworld-1234567890-N-cert.pub

Step 3 - edit known hosts file.

Add the following line to '$SSH_KNOWNHOSTS', where `yubikeyX.pub` must be replaced with the public key stored in 'yubikeyX.pub'.

Code Block
languagebash
@cert-authority *.netdef.org `yubikeyX.pub`
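As an added example that is not part of the original page, the following POSIX shell script generates the '@cert-authority' known_hosts lines and the 'Host' block from the CA public key files and the certificate folder themselves, so no key material is retyped by hand and a re-run does not duplicate entries. It assumes the '*.netdef.org' domain, the 'yubikeyX.pub' CA files and the '*-cert.pub' naming used above; the function names are my own.

```shell
#!/bin/sh
# Added example, not the original page's code. Assumes OpenSSH .pub files of the
# form "type base64key comment" and certificates named *-cert.pub as above.

# One "@cert-authority" known_hosts line per CA public key file. Only the key
# type and the base64 key are copied; the comment field of the .pub is dropped.
ca_known_hosts_lines() {
    domain="$1"; shift
    for pub in "$@"; do
        awk -v d="$domain" 'NF >= 2 { print "@cert-authority " d " " $1 " " $2; exit }' "$pub"
    done
}

# A "Host" block for the ssh config with one CertificateFile line per
# certificate found in the certificate folder ($SSH_CERTIFICATES above).
cert_config_block() {
    domain="$1"; certdir="$2"
    printf 'Host %s\n' "$domain"
    for cert in "$certdir"/*-cert.pub; do
        [ -f "$cert" ] || continue
        printf '\tCertificateFile %s\n' "$cert"
    done
}

# Append a line only if that exact line is not already in the file, so the
# script can be run again without duplicating known_hosts entries.
append_if_missing() {
    file="$1"; line="$2"
    grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

# Stand-alone run using the paths of the 'user based' option above.
main() {
    SSH_CERTIFICATES="${SSH_CERTIFICATES:-$HOME/.ssh/netdef}"
    SSH_CONFIG="${SSH_CONFIG:-$HOME/.ssh/config}"
    SSH_KNOWNHOSTS="${SSH_KNOWNHOSTS:-$HOME/.ssh/known_hosts}"
    ca_known_hosts_lines '*.netdef.org' yubikey1.pub yubikey2.pub yubikey3.pub |
        while IFS= read -r line; do append_if_missing "$SSH_KNOWNHOSTS" "$line"; done
    cert_config_block '*.netdef.org' "$SSH_CERTIFICATES" >> "$SSH_CONFIG"
}

# Only run when invoked as "sh script.sh run" from a folder holding the CA keys.
if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `sh script.sh run` from the folder that holds the three yubikey public keys after the certificates have been copied to '$SSH_CERTIFICATES'.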