...
As there are two different types of certificates, there are two individual tasks as well in order to setup a hosts. client.
- Host Certificate
- Client Certificate
If one would like to use only one certificate, execute the corresponding tasksubtask.
Configuration paths
There are two different options to tell the ssh daemon about the certificate: 'user based'
(recommended) or 'global'
'user based'
: The certificate is valid for one specific user on the client.Code Block language bash SSH_CERTIFICATES=$HOME/.ssh/netdef SSH_CONFIG=$HOME/.ssh/config SSH_KNOWNHOSTS=$HOME/.ssh/known_hosts
'global
': The certificate is valid for each user on the client.Code Block language bash SSH_CERTIFICATES=/etc/ssh/netdef SSH_CONFIG=/etc/ssh/ssh_config SSH_KNOWNHOSTS=/etc/ssh/ssh_known_hosts
2
...
Step 1 - setup cert-authority
To setup the host certificate the public key of the CA authority is needed. There are three public keys called 'yubikey1.pub'
, 'yubikey2.pub'
and 'yubikey3.pub'
.
Add the following line to '
$SSH_KNOWNHOSTS'
where 'yubikeyX.pub'
must be replaced with the public key stored in 'yubikeyX.pub'
.
...
language | bash |
---|
...
-
...
Client Certificate
Step 1 - Sign client's public key
...
Code Block | ||
---|---|---|
| ||
helloworld-1234567890-1-cert.pub helloworld-1234567890-2-cert.pub ... helloworld-1234567890-N-cert.pub |
Step 2 -
...
Copy all certificates to netdef folder
Copy all certificates that can be found in the provided tar file to the folder '$SSH_CERTIFICATES
'
.
Code Block | ||
---|---|---|
| ||
mkdir -p $SSH_CERTIFICATES cp *cert.pub $SSH_CERTIFICATES |
Step 3 -
...
Edit the config file
Add the following lines to
. The name of the certificate as well as '
$SSH_CONFIG'
'
$SSH_CERTIFICATES'
must be replaced with the correct file name and the correct path to the folder respectively.
...