...
```bash
### Host certificate
HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
```
Step 2 - Trust User CA Certificate
Add the following line to the file /etc/ssh/sshd_config to tell the SSH daemon which public key to use to verify client certificates, and copy the CA's public key to the specified location. The host will then trust every certificate signed by our CA.
```bash
### User CA certificate
TrustedUserCAKeys /etc/ssh/yubikeyX.pub
```
Step 3 - Principals
Now, we'll configure one of our hosts to accept only certain principals. To do so, add this line to /etc/ssh/sshd_config
```bash
### Auth Principals
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
```
Then we need to populate the principals file:
```bash
mkdir /etc/ssh/auth_principals
echo -e 'host.netdef.org\nroot-everywhere' > /etc/ssh/auth_principals/root
```
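To see what the principals file from steps 2 and 3 actually enforces, here is an added Python example (not part of the original page or of OpenSSH) that simulates sshd's AuthorizedPrincipalsFile decision as described in sshd(5): blank lines and `#` comments are ignored, a line may carry certificate options before the principal, and a certificate is accepted only if one of its principals matches a line exactly (no wildcards, case-sensitive). It also models the default when no AuthorizedPrincipalsFile is configured, where the login username itself must be among the certificate's principals. The file contents and certificate principals below are constructed from the page's own `root` example.

```python
"""Simulate sshd's principal check for certificate logins (assumed example).

Models the rules in sshd(5) for AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u:
  - empty lines and lines starting with '#' are ignored
  - a line may be prefixed by certificate options (e.g. command="...",no-pty)
  - the principal is the last token and must match exactly
Without an AuthorizedPrincipalsFile, sshd requires the login username to be one of
the certificate's principals. Nothing here talks to a real sshd.
"""
import shlex

# Constructed sample: the file written by the page's
#   echo -e 'host.netdef.org\nroot-everywhere' > /etc/ssh/auth_principals/root
PRINCIPAL_FILES = {
    "root": "host.netdef.org\nroot-everywhere\n",
}


def parse_principals_file(text):
    """Return (options, principal) pairs from an AuthorizedPrincipalsFile body."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comment or blank line, ignored by sshd
        # shlex keeps a quoted option value such as command="echo hi" together
        fields = shlex.split(line)
        principal = fields[-1]          # principal is always the last token
        options = " ".join(fields[:-1])  # anything before it is options
        entries.append((options, principal))
    return entries


def matching_principal(username, cert_principals, principal_files=None):
    """Return the certificate principal that authorises `username`, or None.

    `principal_files` maps username -> text of /etc/ssh/auth_principals/<user>
    (the %u expansion).  None means no AuthorizedPrincipalsFile is configured,
    so the username itself must appear in the certificate's principals.
    """
    if principal_files is None:
        return username if username in cert_principals else None
    text = principal_files.get(username)
    if text is None:
        return None  # no per-user file: nothing is authorised for this user
    allowed = {principal for _, principal in parse_principals_file(text)}
    for principal in cert_principals:
        if principal in allowed:  # exact, case-sensitive match
            return principal
    return None


def login_permitted(username, cert_principals, principal_files=None):
    """True if a certificate carrying `cert_principals` may log in as `username`."""
    return matching_principal(username, cert_principals, principal_files) is not None


if __name__ == "__main__":
    # A cert with principal "root-everywhere" may become root on this host...
    print(login_permitted("root", ["root-everywhere"], PRINCIPAL_FILES))   # True
    # ...but a cert issued for "alice" may not, and there is no file for alice.
    print(login_permitted("root", ["alice"], PRINCIPAL_FILES))             # False
    print(login_permitted("alice", ["root-everywhere"], PRINCIPAL_FILES))  # False
```

The practical point the simulation makes: with AuthorizedPrincipalsFile in place, the set of people who can become `root` on this host is whatever the CA put into the `principals` field of the certificate intersected with the lines in `/etc/ssh/auth_principals/root`, so a certificate issued for a different principal is rejected even though it is signed by the trusted CA.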