1 - Abstract
As there are two different types of certificates, there are two separate tasks to set up a host:
- Host Certificate
- Client Certificate
Here at NetDEF we only use Client Certificates.
2 - Client Certificate
To set up a host so that it accepts certificate-based logins from clients, the public key of the certificate authority that signs the client certificates is needed. There are three public keys called 'yubikey1.pub', 'yubikey2.pub' and 'yubikey3.pub'.
Step 1 - Verify client certificates
To tell the SSH daemon which CA public keys to use to verify client certificates, add the following configuration lines to the file '/etc/ssh/sshd_config'. The host then trusts all client certificates that are signed by one of our CA keys.

```
### User CA certificates (all three keys in one file, one key per line)
TrustedUserCAKeys /etc/ssh/user_ca_keys.pub
```

Note
Copy yubikey1.pub, yubikey2.pub and yubikey3.pub to the host and concatenate them into /etc/ssh/user_ca_keys.pub (the file name is a choice; any path works as long as it matches the directive). Do not list the three keys as three separate TrustedUserCAKeys lines: sshd uses only the first value it finds for a configuration keyword, so the second and third CA keys would be silently ignored and logins with certificates signed by them would fail.

Step 2 - Principals
Next we configure the host to accept only certain principals. To do so, add this line to '/etc/ssh/sshd_config'. %u expands to the name of the user logging in, so each local user gets their own principals file:

```
### Auth Principals
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
```

Then we need to populate the principals files. For each local user that may be logged into with a certificate, create a file named after that user, with one principal per line:

```
mkdir -p /etc/ssh/auth_principals
# printf instead of echo -e: /bin/sh on some systems prints "-e" literally
printf 'host.netdef.org\nroot-everywhere\n' > /etc/ssh/auth_principals/root
```

This allows all users to log in as root whose certificate carries either host.netdef.org or root-everywhere in its list of principals (the principals of a certificate can be inspected with 'ssh-keygen -L -f <certificate>').
You can control access to any other local user by creating the corresponding files under '/etc/ssh/auth_principals'. Check the configuration with 'sshd -t' before restarting the daemon.

3 - Host Certificate
To enable certificate-based host authentication, the host's public RSA key ssh_host_rsa_key.pub needs to be signed by the CA. The resulting certificate is called ssh_host_rsa_key-cert.pub. Two things are required:
- host certificate: ssh_host_rsa_key-cert.pub, installed on the host
- CA public key: yubikeyX.pub, on every client that should trust the host (as an '@cert-authority' entry in its known_hosts)
Step 1 - Host Certificate
Copy the certificate to /etc/ssh next to the host key and add the following lines to the file '/etc/ssh/sshd_config'. The host sends this certificate to the client to identify itself as a trusted host.

```
### Host certificate
HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
```
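A worked example for the two sections above, added here and not part of the NetDEF page: a POSIX shell script that stages the client-certificate trust configuration from section 2 (one CA key file for TrustedUserCAKeys, one principals file per local user) and, when a signed host key is present, the HostCertificate line from section 3, then checks what was staged. STAGE stands in for /etc/ssh so it runs without root; the file name user_ca_keys.pub, the function names and the three placeholder CA keys are my own (the keys are constructed strings, not the NetDEF yubikey keys).

```shell
#!/bin/sh
# Added example, not from the NetDEF page: stage the sshd trust configuration
# for user certificates (section 2) plus the optional host certificate line
# (section 3) in a directory that stands in for /etc/ssh, then check it.
# Assumptions: the file name user_ca_keys.pub and all function names are mine.
set -eu

STAGE="${STAGE:-$(mktemp -d)}"

# Constructed placeholder CA public keys, NOT real keys and not NetDEF's yubikey
# keys; each stands in for one of yubikey1.pub .. yubikey3.pub.
CA_KEY_1='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE1KEYMATERIALxxxxxxxxxxxxxxxxxxxx yubikey1-ca'
CA_KEY_2='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE2KEYMATERIALxxxxxxxxxxxxxxxxxxxx yubikey2-ca'
CA_KEY_3='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE3KEYMATERIALxxxxxxxxxxxxxxxxxxxx yubikey3-ca'

# Concatenate CA public key files into the ONE file named by TrustedUserCAKeys.
# sshd honours only the first TrustedUserCAKeys line, so the keys must share a file.
build_ca_file() {
    out="$STAGE/user_ca_keys.pub"
    : > "$out"
    for k in "$@"; do
        # drop CRs and blank lines so every line is one "type base64 comment" key
        tr -d '\r' < "$k" | grep -v '^[[:space:]]*$' >> "$out"
    done
    chmod 0644 "$out"
}

# Write the principals file for one local user: set_principals USER PRINCIPAL...
set_principals() {
    user="$1"; shift
    mkdir -p "$STAGE/auth_principals"
    f="$STAGE/auth_principals/$user"
    : > "$f"
    for p in "$@"; do printf '%s\n' "$p" >> "$f"; done
    chmod 0644 "$f"
}

# The sshd_config fragment to append, with paths matching what was staged.
sshd_config_fragment() {
    cat <<EOF
### User CA certificates: all CA public keys in one file, one key per line
TrustedUserCAKeys $STAGE/user_ca_keys.pub
### Auth principals: one file per local user, %u expands to the login name
AuthorizedPrincipalsFile $STAGE/auth_principals/%u
EOF
    # section 3: only emitted when a signed host key has been staged
    if [ -f "$STAGE/ssh_host_rsa_key-cert.pub" ]; then
        printf '### Host certificate\nHostCertificate %s/ssh_host_rsa_key-cert.pub\n' "$STAGE"
    fi
}

# Number of CA keys sshd will trust: lines that start with an SSH key type.
trusted_ca_count() {
    grep -Ec '^(ssh-[a-z0-9]+|ecdsa-sha2-nistp[0-9]+|sk-[a-z0-9-]+@openssh\.com) ' \
        "$STAGE/user_ca_keys.pub" || true
}

# Succeeds if the principals file of USER ($1) lists PRINCIPAL ($2) as a whole
# line; sshd compares certificate principals against these lines exactly.
principal_allowed() {
    grep -qxF -- "$2" "$STAGE/auth_principals/$1" 2>/dev/null
}

# Count TrustedUserCAKeys directives in an sshd_config. More than one is a
# mistake: sshd keeps the first and silently ignores the rest.
count_trusted_ca_directives() {
    grep -Eic '^[[:space:]]*TrustedUserCAKeys[[:space:]]' "$1" || true
}

# --- stand-alone run: stage the placeholder keys and the root principals ---
printf '%s\n' "$CA_KEY_1" > "$STAGE/yubikey1.pub"
printf '%s\n' "$CA_KEY_2" > "$STAGE/yubikey2.pub"
printf '%s\n' "$CA_KEY_3" > "$STAGE/yubikey3.pub"
build_ca_file "$STAGE/yubikey1.pub" "$STAGE/yubikey2.pub" "$STAGE/yubikey3.pub"
set_principals root host.netdef.org root-everywhere
sshd_config_fragment > "$STAGE/sshd_config.fragment"
echo "staged under $STAGE: $(trusted_ca_count) trusted CA keys; fragment:"
cat "$STAGE/sshd_config.fragment"
```

Run it as is to stage into a temporary directory, or as root with STAGE=/etc/ssh to apply it; append the printed fragment to sshd_config and run 'sshd -t' before restarting. count_trusted_ca_directives is the check for the mistake of listing each CA file on its own TrustedUserCAKeys line, which leaves only the first CA trusted.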