Versions Compared

Old Version 3

changes.mady.by.user Jovin Langenegger

Saved on

compared with

New Version 4

changes.mady.by.user Jovin Langenegger

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
languagebash
titleHostCertificate
linenumberstrue
### Host certificate
HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub

...

Add the following lines to the file /etc/ssh/sshd_config to tell the SSH daemon about the public key to verifiy client certificates. In addition copy the public key to the specified location. The host trusts all certifactes the are signed by our CA.

true
Code Block
linenumbers
### User CA certificate
TrustedUserCAKeys /etc/ssh/yubikeyX.pub

...

Now, we'll configure one of our hosts to accept only certain principals. To do so, add this line to /etc/ssh/sshd_config

true
Code Block
linenumbers
### Auth Principals
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u

Then we need to populate the principals file:

true
Code Block
linenumbers
mkdir /etc/ssh/auth_principals
echo -e 'host.netdef.org\nroot-everywhere' > /etc/ssh/auth_principals/root

...