1 - Abstract

As there are two different types of certificates, there are two individual tasks to set up a client:
- Host Certificate
- Client Certificate
If one would like to use only one certificate, execute the corresponding subtask.

user certificates: There are N user certificates, one for each public key provided for signing.

```
helloworld-1234567890-1-cert.pub
helloworld-1234567890-2-cert.pub
...
helloworld-1234567890-N-cert.pub
```

host certificate public key: There is one public key to authenticate servers.

```
yubikeyX.pub
```

Configuration paths

There are two different options to tell the ssh client about the certificate: 'user based' (recommended) or 'global'.
- user based: The certificate is valid for one specific user on the client.
- global: The certificate is valid for each user on the client.

To work correctly there are two things that need to be done:
- provide the certificate such that the client can authenticate itself on the server side. To do so, the ssh client needs to know where the certificate is stored and that it is needed to log in to *.netdef.org
- provide the public host key such that the client can authenticate the host's certificate. This is done by adding a new entry in the known_hosts file.

The certificates can be installed for a single user or for all users on a machine.

user based configuration paths

```bash
SSH_CERTIFICATES=$HOME/.ssh/netdef
SSH_CONFIG=$HOME/.ssh/config
SSH_KNOWNHOSTS=$HOME/.ssh/known_hosts
```

global configuration paths

```bash
SSH_CERTIFICATES=/etc/ssh/netdef
SSH_CONFIG=/etc/ssh/ssh_config
SSH_KNOWNHOSTS=/etc/ssh/ssh_known_hosts
```
2 - Client Certificate

Step 1 - Sign client's public key

The instructions on how to sign a client's public key can be found here.
The CA provides a zip file where all signed keys are stored.

```
helloworld-1234567890-1-cert.pub
helloworld-1234567890-2-cert.pub
...
helloworld-1234567890-N-cert.pub
```

Step 2 - Copy all certificates to netdef folder

Copy all certificates that can be found in the provided tar file to the folder '$SSH_CERTIFICATES'.

```bash
mkdir -p $SSH_CERTIFICATES
cp *cert.pub $SSH_CERTIFICATES
```

Step 3 - Edit the config file

Add the following lines to '$SSH_CONFIG'. The name of the certificate as well as '$SSH_CERTIFICATES' must be replaced with the correct file name and the correct path to the folder respectively.

```
Host *.netdef.org
    CertificateFile `$SSH_CERTIFICATES`/helloworld-1234567890-1-cert.pub
    CertificateFile `$SSH_CERTIFICATES`/helloworld-1234567890-2-cert.pub
    ...
    CertificateFile `$SSH_CERTIFICATES`/helloworld-1234567890-N-cert.pub
```
3 - Host Certificate

...

Step 3 - Edit known hosts file

Add the following entry to '$SSH_KNOWNHOSTS'. The placeholder `yubikeyX.pub` must be replaced with the content of the host certificate public key file (the key line itself, not the file name), so that the client trusts host certificates signed by this key for *.netdef.org.

```
@cert-authority *.netdef.org `yubikeyX.pub`
```
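As an added example that is not part of this page, the following bash script carries out the copy, config and known_hosts steps above in one idempotent run, so re-running it does not duplicate the Host block or the @cert-authority line. It assumes the page's user-based paths as defaults (pass explicit paths for the global variant); the function names, the `--demo` mode and the certificate and CA key contents it writes are constructed placeholders chosen here.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): performs the copy, ssh_config and
# known_hosts steps of this guide in one idempotent run. Defaults are the page's
# user-based paths; pass explicit paths for the global variant.
set -e

# install_netdef_certs SRC_DIR CA_PUB [SSH_CERTIFICATES] [SSH_CONFIG] [SSH_KNOWNHOSTS]
#   SRC_DIR: unpacked archive from the CA (helloworld-*-cert.pub files)
#   CA_PUB:  the host certificate public key file (yubikeyX.pub)
install_netdef_certs() {
  local src="$1" ca_pub="$2"
  local certs="${3:-$HOME/.ssh/netdef}"
  local config="${4:-$HOME/.ssh/config}"
  local known="${5:-$HOME/.ssh/known_hosts}"

  # Step 2: copy every signed certificate into the netdef folder.
  mkdir -p "$certs" "$(dirname "$config")" "$(dirname "$known")"
  cp "$src"/*cert.pub "$certs"/

  # Step 3: add the Host block with one CertificateFile line per certificate,
  # but only if no block for *.netdef.org exists yet.
  if ! grep -qs '^Host \*\.netdef\.org$' "$config"; then
    {
      echo 'Host *.netdef.org'
      for c in "$certs"/*cert.pub; do echo "    CertificateFile $c"; done
    } >> "$config"
  fi

  # Host certificate step: trust the CA key for *.netdef.org. The known_hosts
  # line carries the key itself (first line of yubikeyX.pub), not the file name.
  local ca_line="@cert-authority *.netdef.org $(head -n1 "$ca_pub")"
  grep -qsF -- "$ca_line" "$known" || echo "$ca_line" >> "$known"
}

# count_certificate_lines CONFIG: number of CertificateFile entries written.
count_certificate_lines() { grep -c '^ *CertificateFile ' "$1" || true; }

# Demo with constructed placeholder files in a temporary directory.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  mkdir -p "$tmp/zip"
  for i in 1 2; do
    echo "ssh-ed25519-cert-v01@openssh.com AAAA-constructed-$i user@example" \
      > "$tmp/zip/helloworld-1234567890-$i-cert.pub"
  done
  echo 'ssh-ed25519 AAAA-constructed-ca yubikeyX' > "$tmp/yubikeyX.pub"
  install_netdef_certs "$tmp/zip" "$tmp/yubikeyX.pub" "$tmp/netdef" "$tmp/config" "$tmp/known_hosts"
  cat "$tmp/config" "$tmp/known_hosts"
fi
```

ssh presents a certificate named by CertificateFile only when the matching private key is available through IdentityFile or the agent; `ssh-keygen -L -f <cert>` shows the principals and validity period a certificate actually carries.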