
1 - Abstract

As there are two different types of certificates, there are two separate tasks to set up a host.

  • Host Certificate
  • Client Certificate

If only one of the two certificates is needed, execute just the corresponding subtask.

2 - Host Certificate

Step 1 - Sign host's public key

To enable certificate based login on a host, its public RSA key needs to be signed by the certificate authority. To do so, copy the public RSA key 'ssh_host_rsa_key.pub' to the CA, sign it there and copy the resulting certificate back to the host. The resulting certificate is called 'ssh_host_rsa_key-cert.pub'. The instructions on how to sign a host's public key can be found here.

Step 2 - Tell the SSH daemon about the certificate

To tell the SSH daemon about the certificate, add the following configuration lines to the file '/etc/ssh/sshd_config'. The host presents this certificate to connecting clients to identify itself as a trusted host.

### Host certificate
HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
Copy the certificate to the specified location!

Step 3 - Restart the SSH daemon

3 - Client Certificate

To set up the client certificate, the public key of the certificate authority is needed. There are three public keys, called 'yubikey1.pub', 'yubikey2.pub' and 'yubikey3.pub'.

Step 1 - Verify client certificates

Add the following lines to the file '/etc/ssh/sshd_config' to tell the SSH daemon about the public keys used to verify client certificates. The host trusts all certificates that are signed by our CA.

### User CA certificate
# sshd only honours the first occurrence of a keyword, so listing TrustedUserCAKeys
# three times would leave only the first file trusted. TrustedUserCAKeys names a single
# file that may contain several CA public keys, one per line, so place all three
# keys (yubikey1.pub, yubikey2.pub, yubikey3.pub) in one file and reference it once.
# The file name below is a chosen example, not mandated by sshd.
TrustedUserCAKeys /etc/ssh/user_ca_keys.pub

Copy the three public keys, one per line, into the specified file.

Step 2 - Principals

Next we configure the host to accept only certain principals. To do so, add this line to '/etc/ssh/sshd_config'.

### Auth Principals
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u

Then we need to populate the principals files. For each local user that may be logged into, we create one file named after that user.

# Directory referenced by AuthorizedPrincipalsFile (%u expands to the target user name)
mkdir -p /etc/ssh/auth_principals
# One principal per line; printf is used because 'echo -e' is not portable across shells
printf 'host.netdef.org\nroot-everywhere\n' > /etc/ssh/auth_principals/root

This allows every user to log in as root whose certificate lists either host.netdef.org or root-everywhere among its principals.

You can control access to any other local user by creating the corresponding file under '/etc/ssh/auth_principals'.
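The decision sshd makes with TrustedUserCAKeys and the auth_principals files, as an added Python example that is not part of this page: it decodes the fields of an OpenSSH RSA user certificate (key id, principals, validity window, signing CA) and applies the root mapping shown above. The key material is constructed dummy data and the certificate signature is not verified; only the field layout and the principal check are demonstrated.

```python
import base64
import hashlib
import struct

def ssh_string(b):  # SSH 'string': uint32 big-endian length prefix followed by the bytes
    return struct.pack(">I", len(b)) + b

def read_string(buf, off):  # read one SSH 'string' at off, return (bytes, new offset)
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_rsa_cert(cert_line):
    """Decode an ssh-rsa-cert-v01@openssh.com line; the signature itself is not verified."""
    buf, off = base64.b64decode(cert_line.split()[1]), 0
    for _ in range(4):                       # cert type name, nonce, RSA e, RSA n
        _, off = read_string(buf, off)
    serial, ctype = struct.unpack(">QI", buf[off:off + 12])   # type 1 = user, 2 = host
    key_id, off = read_string(buf, off + 12)
    plist, off = read_string(buf, off)
    principals, p = [], 0
    while p < len(plist):                    # valid principals are nested strings
        name, p = read_string(plist, p)
        principals.append(name.decode())
    after, before = struct.unpack(">QQ", buf[off:off + 16])
    off += 16
    for _ in range(3):                       # critical options, extensions, reserved
        _, off = read_string(buf, off)
    ca_blob, _ = read_string(buf, off)       # signature key = the CA public key blob
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(ca_blob).digest()).decode().rstrip("=")
    return {"key_id": key_id.decode(), "type": ctype, "serial": serial, "principals": principals,
            "valid_after": after, "valid_before": before, "ca": fp}

def authorize(cert, user, trusted_cas, auth_principals, now):
    """Mirror sshd: user cert (type 1), CA listed in TrustedUserCAKeys, inside the validity
    window, and at least one certificate principal present in auth_principals/<user>."""
    if cert["type"] != 1 or cert["ca"] not in trusted_cas:
        return False
    if not cert["valid_after"] <= now < cert["valid_before"]:
        return False
    return any(p in auth_principals.get(user, ()) for p in cert["principals"])

def build_sample_cert(principals, ca_blob, after, before):
    """Constructed sample certificate with dummy RSA numbers and an empty signature."""
    plist = b"".join(ssh_string(p.encode()) for p in principals)
    body = (ssh_string(b"ssh-rsa-cert-v01@openssh.com") + ssh_string(b"nonce")
            + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00\xc3") + struct.pack(">QI", 7, 1)
            + ssh_string(b"alice") + ssh_string(plist) + struct.pack(">QQ", after, before)
            + ssh_string(b"") + ssh_string(b"") + ssh_string(b"") + ssh_string(ca_blob) + ssh_string(b""))
    return "ssh-rsa-cert-v01@openssh.com " + base64.b64encode(body).decode()
```

To inspect a real certificate on the host, `ssh-keygen -L -f <cert file>` prints the same fields (principals, validity, signing CA).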

Step 3 - Restart the SSH daemon
