Abstract
There are two different things needed to setup the certificate authentification.
user certificates: There are N user certifiactes, one for each public key provided for signing.
helloworld-1234567890-1-cert.pub helloworld-1234567890-2-cert.pub ... helloworld-1234567890-N-cert.pub
host certificate public key: There is one public key to authenticate servers.
yubikeyX.pub
Configuration paths
There are two different options to tell the ssh daemon about the certificate: 'user based'
(recommended) or 'global'
'user based'
: The certificate is valid for one specific user on the client.'global
': The certificate is valid for each user on the client.
user based
SSH_CERTIFICATES=$HOME/.ssh/netdef SSH_CONFIG=$HOME/.ssh/config SSH_KNOWNHOSTS=$HOME/.ssh/known_hosts
global
SSH_CERTIFICATES=/etc/ssh/netdef SSH_CONFIG=/etc/ssh/ssh_config SSH_KNOWNHOSTS=/etc/ssh/ssh_known_hosts
Step 1 - copy all certificates to netdef folder
Copy all certificates that can be found in the provided tar file to the folder '$SSH_CERTIFICATES
'
.
mkdir -p $SSH_CERTIFICATES cp *cert.pub $SSH_CERTIFICATES
Step 2 - edit the config file
Add the following lines to
. The name of the certificate as well as '
$SSH_CONFIG'
'
$SSH_CERTIFICATES'
must be replaced with the correct file name and the correct path to the folder respectively.
Host *.netdef.org CertificateFile `$SSH_CERTIFICATES`/helloworld-1234567890-1-cert.pub CertificateFile `$SSH_CERTIFICATES`/helloworld-1234567890-2-cert.pub ... CertificateFile `$SSH_CERTIFICATES`/helloworld-1234567890-N-cert.pub
Step 3 - edit known hosts file.
Add the following line to '
$SSH_KNOWNHOSTS
where '
must be replaced with the public key stored in '
yubikeyX.pub'
'yubikeyX.pub'
.
@cert-authority *.netdef.org `yubikeyX.pub`