Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

1 - Abstract

As there are two different types of certificates, there are two individual tasks in order to setup a hosts. If one would like to use only one certificate, execute the corresponding task.

2 Host Certificate

2.1 Sign host's public key

To enable certificate based login on a host, its public rsa key needs to be singed by the CA authority. TO do so copy the public rsa key 'ssh_host_rsa_key.pub' to the CA, signed it and copy the certificate back to the host. The resulting certificate is called 'ssh_host_rsa_key-cert.pub'.

2.1 Tell the SSH daemon about the certificate

To tell the SSH daemon about the certificate add the following configuration lines to the file '/etc/ssh/sshd_config'. The host sends this certificate to the client to identify itself as a trusted host.

Note

Copy the certificate to the specified location.

Code Block
languagebash
### Host certificate
HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub

Client Certificate

host.

  • Host Certificate
  • Client Certificate

Here at NetDEF we only use Client Certificates.

2 - Client Certificate

To setup the client certificate, the public key of the certificate authority is needed. There are three public keys called  'yubikey1.pub', 'yubikey2.pub' and 'yubikey3.pub'.

Step 1 - Verify client certificates

Add the following lines to the file '/etc/ssh/sshd_config' to tell the SSH daemon about the public key to verify client certificates. In addition copy the public key to the specified location. The host trusts all certificates the are signed by our CA.

Code Block
languagebash
### User CA certificate
TrustedUserCAKeys /etc/ssh/yubikeyX.pub

Step 3 - Principals

yubikey1.pub
TrustedUserCAKeys /etc/ssh/yubikey2.pub
TrustedUserCAKeys /etc/ssh/yubikey3.pub


Note

Copy the public keys to the specified location.

Step 2 - Principals

Next we configure the Now, we'll configure one of our hosts to accept only certain principals. To do so, add this line to '/etc/ssh/sshd_config'

...

Then we need to populate the principals file:. For each user we need to create a file.

Code Block
languagebash
mkdir -p /etc/ssh/auth_principals
echo -e 'host.netdef.org\nroot-everywhere' > /etc/ssh/auth_principals/root

...

You can control access to any other local user by creating the corresponding files under '/etc/ssh/auth_principals'.

Step

...

3 - Restart

...

the SSH daemon