You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Next »

Abstract

There are two different things needed to setup the certificate authentification.

  • user certificates: There are N user certifiactes, one for each public key provided for signing.

    helloworld-1234567890-1-cert.pub
helloworld-1234567890-2-cert.pub
...
helloworld-1234567890-N-cert.pub

  • host certificate public key: There is one public key to authenticate servers.

    yubikeyX.pub

Tell the SSH daemon about the certificate.

There are two different options to tell the ssh daemon about the certificate: global or user based.

  • global: The certificate is valid for each user on the client.
  • user based: The certificate is valid for one specific user on the client.

To work correctly there are two things that need to be done:

  • provide the certificate such that the client can authentificate itsself on the server side. To do so, the ssh daemon needs to knwo where the certificate is stroed and that it is need to login to *.netdef.org
  • provide the public host key such that the client can authenticate the host's certificate. This is done by adding a new entrie in the known_hosts file.

The certificates can be installed for a single user or for all users in a machine.

user based configuration paths

SSH_CERTIFICATES=$HOME/.ssh/netdef
SSH_CONFIG=$HOME/.ssh/config
SSH_KNOWNHOSTS=$HOME/.ssh/known_hosts

global configuration paths

SSH_CERTIFICATES=/etc/ssh/netdef
SSH_CONFIG=/etc/ssh/ssh_config
SSH_KNOWNHOSTS=/etc/ssh/ssh_known_hosts

Step 1 - copy all certificates to netdef folder

Copy all certificates that can be found in the provided tar file to the folder $SSH_CERTIFICATES.

mkdir -p $SSH_CERTIFICATES
cp *cert.pub $SSH_CERTIFICATES

Step 2 - edit the config file

Add the following lines to $SSH_CONFIG. The name of the certificate as well as $SSH_CERTIFICATES must be replaced with the correct file name and the correct path to the folder respectively.


Host *.netdef.org
	CertificateFile `$SSH_CERTIFICATES`/helloworld-1234567890-1-cert.pub
	CertificateFile `$SSH_CERTIFICATES`/helloworld-1234567890-2-cert.pub 
	... 
	CertificateFile `$SSH_CERTIFICATES`/helloworld-1234567890-N-cert.pub

Step 3 - edit known hosts file.

Add the following line to $SSH_KNOWNHOSTS where yubikeyX.pub must be replaced with the public key stored in yubikeyX.pub.

@cert-authority *.netdef.org `yubikeyX.pub`














  • No labels