You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 7 Next »

Abstract

There are two different things needed to setup the certificate authentification.

  • user certificates: There are N user certifiactes, one for each public key provided for signing.

    helloworld-1234567890-1-cert.pub
    helloworld-1234567890-2-cert.pub
    ...
    helloworld-1234567890-N-cert.pub
  • host certificate public key: There is one public key to authenticate servers.

    yubikeyX.pub

Configuration paths

There are two different options to tell the ssh daemon about the certificate: 'user based' or 'global'

  • 'user based': The certificate is valid for one specific user on the client.
  • 'global': The certificate is valid for each user on the client.

user based

SSH_CERTIFICATES=$HOME/.ssh/netdef
SSH_CONFIG=$HOME/.ssh/config
SSH_KNOWNHOSTS=$HOME/.ssh/known_hosts

global configuration paths

SSH_CERTIFICATES=/etc/ssh/netdef
SSH_CONFIG=/etc/ssh/ssh_config
SSH_KNOWNHOSTS=/etc/ssh/ssh_known_hosts

Step 1 - copy all certificates to netdef folder

Copy all certificates that can be found in the provided tar file to the folder $SSH_CERTIFICATES.

mkdir -p $SSH_CERTIFICATES
cp *cert.pub $SSH_CERTIFICATES

Step 2 - edit the config file

Add the following lines to $SSH_CONFIG. The name of the certificate as well as $SSH_CERTIFICATES must be replaced with the correct file name and the correct path to the folder respectively.


Host *.netdef.org
	CertificateFile `$SSH_CERTIFICATES`/helloworld-1234567890-1-cert.pub
	CertificateFile `$SSH_CERTIFICATES`/helloworld-1234567890-2-cert.pub 
	... 
	CertificateFile `$SSH_CERTIFICATES`/helloworld-1234567890-N-cert.pub

Step 3 - edit known hosts file.

Add the following line to $SSH_KNOWNHOSTS where yubikeyX.pub must be replaced with the public key stored in yubikeyX.pub.

@cert-authority *.netdef.org `yubikeyX.pub`














  • No labels