Host Certificate

A host certificate lets the host identify itself to clients with a CA-signed certificate instead of a bare host key. To create one, the public RSA host key ssh_host_rsa_key.pub is signed by the CA; the resulting certificate is called ssh_host_rsa_key-cert.pub. For certificate-based SSH on a host, two things are required:

  • host certificate: ssh_host_rsa_key-cert.pub
  • CA public key: yubikeyX.pub

Step 1 - Host Certificate

To tell the SSH daemon about the certificate, add the following configuration lines to the file /etc/ssh/sshd_config. In addition, copy the certificate to the specified location. The host sends this certificate to the client to identify itself as a trusted host; a client only benefits from it if it trusts the CA key for host certificates (a @cert-authority entry in its known_hosts).

    ### Host certificate
    HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub

...

1 - Abstract

As there are two different types of certificates, there are two individual tasks to set up a host.

  • Host Certificate
  • Client Certificate

Here at NetDEF we only use Client Certificates.

2 - Client Certificate

To set up the client certificate, the public key of the certificate authority is needed. There are three public keys called 'yubikey1.pub', 'yubikey2.pub' and 'yubikey3.pub'.

Step 1 - Verify client certificates

Add the following lines to the file '/etc/ssh/sshd_config' to tell the SSH daemon about the public keys used to verify client certificates. TrustedUserCAKeys names a single file, and sshd only honours the first occurrence of the directive (later ones are silently ignored), so all three CA public keys have to go into that one file, one key per line. The host trusts all certificates that are signed by any of these CAs.

    ### User CA public keys: yubikey1.pub, yubikey2.pub and yubikey3.pub, one per line
    TrustedUserCAKeys /etc/ssh/trusted_user_ca_keys

...


Note

Create /etc/ssh/trusted_user_ca_keys by concatenating yubikey1.pub, yubikey2.pub and yubikey3.pub (any path works as long as it matches the directive). Do not list the keys as three separate TrustedUserCAKeys lines: only the first line would take effect and certificates from the other two CAs would be rejected.

Step 2 - Principals

Next we'll configure the hosts to accept only certain principals. To do so, add this line to '/etc/ssh/sshd_config':

    ### Auth Principals
    AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u

Then we need to populate the principals directory: for each local user we create a file named after that user, containing one allowed principal per line.

    mkdir -p /etc/ssh/auth_principals
    printf '%s\n' 'host.netdef.org' 'root-everywhere' > /etc/ssh/auth_principals/root

This allows any user to log in as root whose certificate lists either host.netdef.org or root-everywhere among its principals.

You can control access to any other local user by creating the corresponding files under '/etc/ssh/auth_principals'. Note that once AuthorizedPrincipalsFile is set, a user without such a file cannot log in with a certificate at all: sshd no longer falls back to matching the username against the certificate's principals.
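The following script is an added example and not part of NetDEF's own documentation or tooling. It ties Step 1 (the single TrustedUserCAKeys file) and Step 2 (the per-user principals files) together and then emulates the check sshd performs against a user certificate. Everything is written under a temporary directory that stands in for /etc/ssh, the CA "keys" are placeholder strings rather than real key material, the users alice, bob and carol are made up, and the certificate listing is a constructed excerpt in the format that `ssh-keygen -L -f <cert>` prints, so the script runs offline without any keys.

```shell
#!/bin/sh
# Added example (not NetDEF's code). Builds the CA-keys file and the principals
# directory this page describes, then emulates sshd's AuthorizedPrincipalsFile
# match against a user certificate, using a constructed `ssh-keygen -L` listing.
set -eu

ETC_SSH=$(mktemp -d)                          # stands in for /etc/ssh
PRINCIPALS_DIR="$ETC_SSH/auth_principals"
CA_FILE="$ETC_SSH/trusted_user_ca_keys"        # file named by TrustedUserCAKeys

# Constructed placeholder CA public keys (the real ones are yubikey1-3.pub);
# the key material here is deliberately not a valid key.
YUBIKEY1='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0000000000000000000001 yubikey1'
YUBIKEY2='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0000000000000000000002 yubikey2'
YUBIKEY3='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0000000000000000000003 yubikey3'

# TrustedUserCAKeys names ONE file and sshd keeps only the first occurrence of
# the directive, so every CA key must be listed in that file, one per line.
build_ca_file() {
    : > "$CA_FILE"
    for k in "$@"; do
        printf '%s\n' "$k" >> "$CA_FILE"
    done
    chmod 0644 "$CA_FILE"
}

# Number of key lines sshd will load from the CA file (blank and '#' lines are ignored).
count_ca_keys() {
    grep -c '^[^#[:space:]]' "$CA_FILE"
}

# One file per local user; each line is a principal allowed to log in as that user.
write_principals() {
    user=$1; shift
    mkdir -p "$PRINCIPALS_DIR"
    printf '%s\n' "$@" > "$PRINCIPALS_DIR/$user"
}

# Constructed excerpt of `ssh-keygen -L -f id_rsa-cert.pub` for a fictitious
# user certificate issued by the CA, carrying two principals.
CERT_LISTING='id_rsa-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:PLACEHOLDER
        Signing CA: ED25519 SHA256:PLACEHOLDER (using ssh-ed25519)
        Key ID: "alice@yubikey1"
        Serial: 42
        Valid: from 2024-01-01T00:00:00 to 2024-01-08T00:00:00
        Principals:
                alice
                host.netdef.org
        Critical Options: (none)
        Extensions:
                permit-pty'

# Print the principals listed in a certificate, one per line: the indented
# lines between "Principals:" and the next "Header:" line.
cert_principals() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*Principals:/                 { inblock = 1; next }
        inblock && /^[[:space:]]*[A-Z][A-Za-z ]*:/ { inblock = 0 }
        inblock { sub(/^[[:space:]]+/, ""); if ($0 != "") print }'
}

# Emulates sshd with AuthorizedPrincipalsFile set: login as $user succeeds only
# if some principal in the certificate appears verbatim in that user's file.
# A missing file means deny (there is no fallback to matching the username);
# comment and blank lines in the file are ignored. Per-principal options such
# as from="..." are not modelled here.
principal_allowed() {
    user=$1; listing=$2
    file="$PRINCIPALS_DIR/$user"
    [ -r "$file" ] || return 1
    for p in $(cert_principals "$listing"); do
        if sed 's/#.*//; s/[[:space:]]*$//; /^$/d' "$file" | grep -qxF -- "$p"; then
            return 0
        fi
    done
    return 1
}

build_ca_file "$YUBIKEY1" "$YUBIKEY2" "$YUBIKEY3"
write_principals root  host.netdef.org root-everywhere   # the page's root file
write_principals alice alice

echo "CA keys loaded from $CA_FILE: $(count_ca_keys)"
for u in root alice bob; do
    if principal_allowed "$u" "$CERT_LISTING"; then
        echo "login as $u: allowed"
    else
        echo "login as $u: denied"
    fi
done
```

On a real host, feed the output of `ssh-keygen -L -f <user-cert>` to the same check to see which local accounts a given certificate can reach, and run `sshd -t` after editing sshd_config so that a typo in TrustedUserCAKeys or AuthorizedPrincipalsFile is caught before the daemon is restarted and lock-out becomes possible.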

3 - Restart the SSH daemon

...