1 - Abstract

There are two things needed to set up certificate authentication. As there are two different types of certificates, there are two individual tasks to set up a client.

  • Host Certificate
  • Client Certificate

If one would like to use only one certificate, execute the corresponding subtask.

Configuration paths

host certificate public key: There is one public key to authenticate servers.

Code Block
languagebash
yubikeyX.pub

user certificates: There are N user certificates, one for each public key provided for signing.

Code Block
languagebash
helloworld-1234567890-1-cert.pub
helloworld-1234567890-2-cert.pub
...
helloworld-1234567890-N-cert.pub

There are two different options to tell the ssh daemon about the certificate: 'user based' (recommended) or 'global'.

  • global: The certificate is valid for each user on the client.
  • user based: The certificate is valid for one specific user on the client.

To work correctly there are two things that need to be done:

  • provide the certificate such that the client can authenticate itself on the server side. To do so, the ssh daemon needs to know where the certificate is stored and that it is needed to log in to *.netdef.org.
  • provide the public host key such that the client can authenticate the host's certificate. This is done by adding a new entry in the known_hosts file.

The certificates can be installed for a single user or for all users on a machine.

  • 'user based': The certificate is valid for one specific user on the client.

    Code Block
    languagebash
    SSH_CERTIFICATES=$HOME/.ssh/netdef
    SSH_CONFIG=$HOME/.ssh/config
    SSH_KNOWNHOSTS=$HOME/.ssh/known_hosts

  • 'global': The certificate is valid for each user on the client.

    Code Block
    languagebash
    SSH_CERTIFICATES=/etc/ssh/netdef
    SSH_CONFIG=/etc/ssh/ssh_config
    SSH_KNOWNHOSTS=/etc/ssh/ssh_known_hosts

2 - Client Certificate

Step 1 - Sign client's public key

The instructions for how to sign a client's public key can be found here.

The CA provides a zip file where all signed keys are stored.

Code Block
languagebash
helloworld-1234567890-1-cert.pub
helloworld-1234567890-2-cert.pub
...
helloworld-1234567890-N-cert.pub

Step 2 - Copy all certificates to netdef folder

Copy all certificates that can be found in the provided tar file to the folder '$SSH_CERTIFICATES'.

Code Block
languagebash
# create the certificate folder and copy every signed key into it
mkdir -p "$SSH_CERTIFICATES"
cp ./*cert.pub "$SSH_CERTIFICATES"/

Step 3 - Edit the config file

Add the following lines to '$SSH_CONFIG'. The name of the certificate as well as '$SSH_CERTIFICATES' must be replaced with the correct file name and the correct path to the folder respectively.

Code Block
languagebash
Host *.netdef.org
	CertificateFile $SSH_CERTIFICATES/helloworld-1234567890-1-cert.pub
	CertificateFile $SSH_CERTIFICATES/helloworld-1234567890-2-cert.pub
	...
	CertificateFile $SSH_CERTIFICATES/helloworld-1234567890-N-cert.pub

Step 3 - Edit the known_hosts file

Code Block
languagebash
# replace yubikeyX.pub with the contents of that file (key type and base64 key), not the file name
@cert-authority *.netdef.org yubikeyX.pub
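Rendering both the Host stanza from the config file step and the @cert-authority entry from the known_hosts step, as an added example that is not code from the original page. It assumes the file names and host pattern given above (helloworld-...-cert.pub, yubikeyX.pub, *.netdef.org) and constructs a dummy ed25519 CA key for the demo; it also rejects the two usual mistakes, writing the .pub file name instead of its contents and pasting a certificate where the CA's plain public key belongs.

```python
# Added example, not code from the original page: render the Host stanza for
# $SSH_CONFIG and the @cert-authority entry for $SSH_KNOWNHOSTS from the file
# names and CA key described above. File names (helloworld-...-cert.pub,
# yubikeyX.pub) and the host pattern follow the page; the CA key bytes are
# constructed for the demo and are not a real key.
import base64
import struct

HOST_PATTERN = "*.netdef.org"


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


def wire_key_type(blob_b64: str) -> str:
    """Return the key type string embedded in a base64 SSH public key blob."""
    raw = base64.b64decode(blob_b64, validate=True)
    (length,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + length].decode("ascii")


def cert_authority_line(ca_pub_text: str, host_pattern: str = HOST_PATTERN) -> str:
    """Turn the contents of yubikeyX.pub into a known_hosts @cert-authority line.

    The entry needs the key itself (type and base64 blob), not the .pub file
    name, and it must be the CA's plain public key, never a certificate.
    """
    fields = ca_pub_text.split()
    if len(fields) < 2:
        raise ValueError("expected '<keytype> <base64 key> [comment]'")
    key_type, blob = fields[0], fields[1]
    if key_type.endswith("-cert-v01@openssh.com"):
        raise ValueError("CA entry must be a plain public key, not a certificate")
    if wire_key_type(blob) != key_type:
        raise ValueError("key type field does not match the encoded blob")
    return f"@cert-authority {host_pattern} {key_type} {blob}\n"


def host_block(cert_dir: str, cert_names, host_pattern: str = HOST_PATTERN) -> str:
    """Render the Host stanza with one CertificateFile line per signed key."""
    lines = [f"Host {host_pattern}"]
    lines += [f"\tCertificateFile {cert_dir}/{name}" for name in cert_names]
    return "\n".join(lines) + "\n"


# Constructed sample CA key: ed25519 wire format around 32 dummy key bytes.
SAMPLE_CA_PUB = "ssh-ed25519 " + base64.b64encode(
    ssh_string(b"ssh-ed25519") + ssh_string(b"\x11" * 32)).decode() + " yubikeyX"
```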