Abstract
As there are two different certificates, there are two individual tasks in order to setup a hosts. If one would like to use only one certificate, execute the corresponding task.
Host Certificate
To enable certificate based login on a host, its public rsa key needs to be singed by the CA authority. TO do so copy the public rsa key 'ssh_host_rsa_key.pub' to the CA, signed it and copy the certificate back to the host. The resulting certificate is called 'ssh_host_rsa_key-cert.pub'.
To tell the SSH daemon about the certificate add the following configuration lines to the file '/etc/ssh/sshd_config'. The host sends this certificate to the client to identify itself as a trusted host.
Copy the certificate to the specified location.
### Host certificate HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
Client Certificate
Add the following lines to the file '/etc/ssh/sshd_config'
### User CA certificate TrustedUserCAKeys /etc/ssh/yubikeyX.pub
Step 3 - Principals
Now, we'll configure one of our hosts to accept only certain principals. To do so, add this line to '/etc/ssh/sshd_config'
### Auth Principals AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
Then we need to populate the principals file:
mkdir /etc/ssh/auth_principals echo -e 'host.netdef.org\nroot-everywhere' > /etc/ssh/auth_principals/root
This allows to all users to login as root that have either host.netdef.org or root-everywhere specified in the list of principals within their certificate.
You can control access to any other local user by creating the corresponding files under '/etc/ssh/auth_principals'.
Step 4 - Restart SSH
Restart SSH to apply all the changes!