1 - Abstract

Because there are two different types of certificates, there are two separate tasks for setting up a host. To use only one type of certificate, execute only the corresponding task.

Configuration paths

There are two options for telling the ssh daemon about the certificate: 'user based' (recommended) or 'global'.

  • 'user based': The certificate is valid for one specific user on the client.

    SSH_CERTIFICATES=$HOME/.ssh/netdef
    SSH_CONFIG=$HOME/.ssh/config
    SSH_KNOWNHOSTS=$HOME/.ssh/known_hosts


  • 'global': The certificate is valid for each user on the client.

    SSH_CERTIFICATES=/etc/ssh/netdef
    SSH_CONFIG=/etc/ssh/ssh_config
    SSH_KNOWNHOSTS=/etc/ssh/ssh_known_hosts


2 - Host certificate

To set up the host certificate, the public key of the certificate authority (CA) is needed. There are three public keys, called 'yubikey1.pub', 'yubikey2.pub' and 'yubikey3.pub'.

...

@cert-authority *.netdef.org `yubikey1.pub`
@cert-authority *.netdef.org `yubikey2.pub`
@cert-authority *.netdef.org `yubikey3.pub`
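
One way to produce the entries shown above, as an added example that is not part of the original page. It assumes the three CA key files sit together in one directory (for instance `$SSH_CERTIFICATES`) and uses a hypothetical function name, `add_cert_authorities`; the key check is structural only and does not verify fingerprints.

```shell
#!/bin/sh
# Added example (not from the original page): write the three CA public keys
# into known_hosts as @cert-authority entries. Function name and argument
# order are this example's own choices.

add_cert_authorities() {
    # $1 = directory with yubikey{1,2,3}.pub, $2 = known_hosts file,
    # $3 = host pattern the CAs are trusted for (default from the page)
    ca_dir=$1
    known_hosts=$2
    pattern=${3:-*.netdef.org}
    entries=

    # Pass 1: validate every key before touching known_hosts.
    for n in 1 2 3; do
        pub=$ca_dir/yubikey$n.pub
        [ -r "$pub" ] || { echo "missing CA key: $pub" >&2; return 1; }
        ktype= blob=
        # First line only: "<key-type> <base64-blob> [comment]"
        read -r ktype blob _comment < "$pub" || true
        case $ktype in
            ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp*|sk-*@openssh.com) ;;
            *) echo "not an OpenSSH public key: $pub" >&2; return 1 ;;
        esac
        case $blob in
            ''|*[!A-Za-z0-9+/=]*) echo "bad key blob: $pub" >&2; return 1 ;;
        esac
        entries="$entries@cert-authority $pattern $ktype $blob
"
    done

    # Pass 2: append each entry only if that exact line is not present yet.
    mkdir -p "$(dirname "$known_hosts")" && touch "$known_hosts" || return 1
    printf '%s' "$entries" | while IFS= read -r entry; do
        grep -qxF -- "$entry" "$known_hosts" ||
            printf '%s\n' "$entry" >> "$known_hosts"
    done
}
```

With the variables from the configuration paths section, the call would be `add_cert_authorities "$SSH_CERTIFICATES" "$SSH_KNOWNHOSTS"`; running it a second time adds no duplicate lines.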

3 - Client Certificate

Step 1 - Sign client's public key

...

Instructions for signing a client's public key can be found here.

...