Abstract
To enable certificate-based login on a host, the public RSA key ssh_host_rsa_key.pub needs to be signed. The resulting certificate is called ssh_host_rsa_key-cert.pub. To enable SSH-based login, two things are required on the host:
- host certificate: ssh_host_rsa_key-cert.pub
- CA public key: yubikeyX.pub
Step 1 - Host Certificate
To tell the SSH daemon about the certificate, add the following configuration lines to the file /etc/ssh/sshd_config. In addition, copy the certificate to the specified location. The host sends this certificate to the client to identify itself as a trusted host.
HostCertificate
### Host certificate
HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
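
A check to run before restarting sshd with the configuration above, as an added example that is not part of the original page: it confirms that the file is a host certificate, that it covers the host's own key, that it was signed by the expected CA, and that sshd_config references it. The function names check_host_cert and fp and the argument order are assumptions; the script relies only on ssh-keygen -L and ssh-keygen -l.

```sh
#!/bin/sh
# Added example, not from the original page. Checks a host certificate
# before sshd is restarted. check_host_cert and fp are hypothetical names.

# Print the SHA256 fingerprint of a public key file.
fp() {
    ssh-keygen -l -f "$1" 2>/dev/null | awk '{print $2}'
}

# check_host_cert <cert> <host public key> <CA public key> <sshd_config>
# Returns 0 only if every check passes.
check_host_cert() {
    cert=$1 hostpub=$2 capub=$3 config=$4
    info=$(ssh-keygen -L -f "$cert" 2>/dev/null) || info=

    # 1. It must be a host certificate, not a user certificate.
    printf '%s\n' "$info" | grep -q 'Type: .* host certificate' || {
        echo "FAIL: $cert is not a host certificate" >&2; return 1; }

    # 2. The certified key must be this host's own public key.
    cert_key=$(printf '%s\n' "$info" | awk '/Public key:/ {print $4}')
    [ -n "$cert_key" ] && [ "$cert_key" = "$(fp "$hostpub")" ] || {
        echo "FAIL: certificate does not cover $hostpub" >&2; return 1; }

    # 3. The signer must be the CA whose public key clients trust.
    signer=$(printf '%s\n' "$info" | awk '/Signing CA:/ {print $4}')
    [ -n "$signer" ] && [ "$signer" = "$(fp "$capub")" ] || {
        echo "FAIL: certificate was not signed by $capub" >&2; return 1; }

    # 4. sshd_config must contain an uncommented HostCertificate line
    #    naming exactly this file (keywords are case-insensitive).
    awk -v c="$cert" 'tolower($1) == "hostcertificate" && $2 == c { ok = 1 }
        END { exit !ok }' "$config" || {
        echo "FAIL: $config has no HostCertificate $cert" >&2; return 1; }

    echo "OK: $cert is ready to be served by sshd"
}
```

On the host, the arguments would be /etc/ssh/ssh_host_rsa_key-cert.pub, the matching ssh_host_rsa_key.pub, the path to yubikeyX.pub, and /etc/ssh/sshd_config. Running sshd -t afterwards checks the configuration file itself for syntax errors.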