...
The output of 'generate_host_certificate.sh' is the certificate 'HOST_ID-cert.pub' that needs to be copied to the host. It is stored in the home directory '$HOME/.signed_keys'.
5 - Sign server's RSA key manually
```bash
YUBIKEYNUM=0
PATH_TO_CERTIFICATE="/etc/ssh-ca"
PATH_TO_YKCS11="/usr/local/lib/libykcs11.so"

ssh-keygen -D $PATH_TO_YKCS11 -s $PATH_TO_CERTIFICATE/yubikey$YUBIKEYNUM.pub -I server_name \
    -h \
    -n server.netdef.org \
    -V +52w \
    /etc/ssh-ca/ssh_host_rsa_key.pub
```
...
- -D $PATH_TO_YKCS11
  - Loads the PKCS#11 shared library (here libykcs11.so) through which ssh-keygen talks to the YubiKey.
  - Combined with -s, it tells ssh-keygen that the CA private key lives on the token; the signing operation happens on the YubiKey (ssh-keygen prompts for the token's PIN) and the private key never leaves it.
- -s $PATH_TO_CERTIFICATE/yubikey$YUBIKEYNUM.pub
  - The CA key to sign with. Because -D is given, this is the public half of the CA key (the one exported from the YubiKey earlier); ssh-keygen uses it to find the matching private key on the token.
- -I server_name
  - The key identifier to include in the certificate. It is free text, but it is what gets logged when the certificate is used, so choose something that identifies the host.
- -h
  - Generate a host certificate instead of a user certificate. Without -h the result is a user certificate, which sshd will not accept as a HostCertificate.
- -n server.netdef.org
  - The principal names to include in the certificate.
  - For host certificates this is a comma-separated list of all names the system is known by. The client compares the name it connected to against this list exactly, so every name clients will use must be present.
  - Note: use unqualified names carefully in organizations where hostnames are not unique (ca.netdef.org vs. ca.dev.netdef.org).
- -V +52w
  - The validity period. +52w sets it from now until 52 weeks hence; ssh-keygen also accepts an absolute start:end pair in YYYYMMDD or YYYYMMDDHHMM[SS] form.
  - For host certificates you will probably want them fairly long lived, but clients stop accepting the certificate the moment it expires, so schedule renewal before that date.
- /etc/ssh-ca/ssh_host_rsa_key.pub
  - The path to the host RSA public key to sign.
  - ssh-keygen writes the signed host certificate next to it as /etc/ssh-ca/ssh_host_rsa_key-cert.pub.
6 - Sign client's RSA key manually
```bash
YUBIKEYNUM=0
PATH_TO_CERTIFICATE="/etc/ssh-ca"
PATH_TO_YKCS11="/usr/local/lib/libykcs11.so"

ssh-keygen -D $PATH_TO_YKCS11 -s $PATH_TO_CERTIFICATE/yubikey$YUBIKEYNUM.pub -I client_name \
    -n root \
    -V +24h \
    /etc/ssh_ca/id_rsa.pub
```
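As an added example (not part of this page or of its scripts), the Python below decodes the KEY-cert.pub line that ssh-keygen writes in steps 5 and 6, so you can see what -h, -I, -n and -V actually put into the certificate, and it applies the non-signature checks ssh makes before trusting a host certificate. It builds its own certificate from constructed values (placeholder RSA numbers, an all-zero nonce, dummy signature-key and signature blobs); the signature itself is not verified here, which ssh and sshd do against the CA public key. The field layout follows OpenSSH's PROTOCOL.certkeys for ssh-rsa-cert-v01@openssh.com. On a real certificate, `ssh-keygen -L -f /etc/ssh-ca/ssh_host_rsa_key-cert.pub` prints the same fields.

```python
"""Build and decode an OpenSSH RSA certificate line (KEY-cert.pub).

Added example: layout per OpenSSH PROTOCOL.certkeys. RSA values, nonce,
signature key and signature are constructed placeholders; the CA signature
is NOT verified here (ssh/sshd do that against the CA public key).
"""
import base64
import struct

CERT_TYPE = b"ssh-rsa-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1   # what ssh-keygen -s produces by default (step 6)
SSH_CERT_TYPE_HOST = 2   # what ssh-keygen -s ... -h produces (step 5)
WEEK = 7 * 86400         # so -V +52w means valid_after + 52 * WEEK

def _string(b):
    # SSH "string": uint32 length followed by the bytes
    return struct.pack(">I", len(b)) + b

def _mpint(n):
    # big-endian magnitude with a leading 0x00 when the high bit is set
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big") if n else b"")

def _pairs(items):
    # critical options and extensions: a string of (string name, string data) pairs
    return _string(b"".join(_string(k.encode()) + _string(v) for k, v in items))

def build_rsa_cert_line(*, e, n, serial, cert_type, key_id, principals,
                        valid_after, valid_before, extensions=()):
    """Return one line in the form ssh-keygen writes to KEY-cert.pub."""
    blob = (_string(CERT_TYPE)
            + _string(b"\x00" * 32)                      # nonce (random in real certs)
            + _mpint(e) + _mpint(n)                      # the public key being signed
            + struct.pack(">Q", serial)
            + struct.pack(">I", cert_type)               # -h selects HOST
            + _string(key_id.encode())                   # -I
            + _string(b"".join(_string(p.encode()) for p in principals))  # -n
            + struct.pack(">Q", valid_after)             # -V start
            + struct.pack(">Q", valid_before)            # -V end
            + _pairs(())                                 # critical options
            + _pairs(extensions)
            + _string(b"")                               # reserved
            + _string(b"constructed-ca-key")             # CA public key (placeholder)
            + _string(b"constructed-signature"))         # CA signature (placeholder)
    return CERT_TYPE.decode() + " " + base64.b64encode(blob).decode() + " " + key_id

class _Reader:
    """Cursor over the SSH binary encoding."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated certificate")
        self.pos += n
        return chunk

    def uint(self, width):
        return int.from_bytes(self.take(width), "big")

    def string(self):
        return self.take(self.uint(4))

    def strings(self):
        out = []
        while self.pos < len(self.data):
            out.append(self.string())
        return out

def parse_cert_line(line):
    """Decode a KEY-cert.pub line into its fields."""
    kind, b64 = line.split()[:2]
    r = _Reader(base64.b64decode(b64))
    if kind.encode() != CERT_TYPE or r.string() != CERT_TYPE:
        raise ValueError("not an %s certificate" % CERT_TYPE.decode())
    cert = {"nonce": r.string(),
            "e": int.from_bytes(r.string(), "big"),
            "n": int.from_bytes(r.string(), "big"),
            "serial": r.uint(8), "type": r.uint(4),
            "key_id": r.string().decode(),
            "principals": [p.decode() for p in _Reader(r.string()).strings()],
            "valid_after": r.uint(8), "valid_before": r.uint(8)}
    for field in ("critical_options", "extensions"):
        items = _Reader(r.string()).strings()
        cert[field] = {items[i].decode(): items[i + 1] for i in range(0, len(items), 2)}
    r.string()                                           # reserved
    cert["signature_key"], cert["signature"] = r.string(), r.string()
    return cert

def check_host_cert(cert, hostname, now):
    """The non-signature checks ssh applies before trusting a host certificate."""
    if cert["type"] != SSH_CERT_TYPE_HOST:
        return False, "not a host certificate (signed without -h?)"
    if hostname not in cert["principals"]:               # exact match, no suffix logic
        return False, "%s is not among principals %s" % (hostname, cert["principals"])
    if not cert["valid_after"] <= now < cert["valid_before"]:
        return False, "outside validity window"
    return True, "ok"
```

check_host_cert shows the point behind the note on principals in step 5: a certificate issued with -n server.netdef.org is rejected for a client that connected to plain "server", because matching is exact, and a certificate signed without -h is rejected outright regardless of its principals.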
...