...
As there are two different types of certificates, there are two individual tasks as well in order to setup a hosts. host.
- Host Certificate
- Client Certificate
If one would like to use only one certificate, execute the corresponding tasksubtask.
2 - Host Certificate
...
Step 1 - Sign host's public key
To enable certificate based login on a host, its public rsa RSA key needs to be singed by the CA certificate authority. To do so copy the public rsa RSA key 'ssh_host_rsa_key.pub' to the CA, signed it and copy the certificate back to the host. The resulting certificate is called 'ssh_host_rsa_key-cert.pub'. The instructions how to singed a hosts public key can be found here.
Step 2
...
- Tell the SSH daemon about the certificate
To tell the SSH daemon about the certificate add the following configuration lines to the file '/etc/ssh/sshd_config'. The host sends this certificate to the client to identify itself as a trusted host
...
| Note |
|---|
| Copy the certificate to the specified location! |
...
Step 3 - Restart the SSH daemon
3 - Client Certificate
To setup the client certificate, the public key of the certificate authority is needed. There are three public keys called 'yubikey1.pub', 'yubikey2.pub' and 'yubikey3.pub'.
...
Step 1 - Verify client certificates
Add the following lines to the file '/etc/ssh/sshd_config'
...
| Note |
|---|
Copy the public keys to the specified location. |
...
Step 2 - Principals
Next we configure the hosts to accept only certain principals. To do so, add this line to '/etc/ssh/sshd_config'
...
You can control access to any other local user by creating the corresponding files under '/etc/ssh/auth_principals'.
Step 3
...