| Table of Contents |
|---|
1 - Abstract
As there are two different types of certificates, there are two individual tasks to setup a host.
- Host Certificate
- Client Certificate
Here at NetDEF we only use Client Certificates.
2 - Client Certificate
To setup the client certificateTo enable certificate based login on a host, the public rsa key 'ssh_host_rsa_key.pub''ssh_host_rsa_key-cert.pub'. To enable ssh based login two things are required on the host:
- host certificate:
'ssh_host_rsa_key-cert.pub' - CA public key:
'yubikeyX.pub'
Step 1 - Host Certifiacte
To tell the SSH daemon about the certificate add the following configuration lines to the file '/etc/ssh/sshd_config'. In addition copy the certificate to the specified location. The host sends this certificate to the client to identify itsself as a trusted host.
| Code Block | ||
|---|---|---|
| ||
### Host certificate
HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub |
Step 2 - Trust User CA Certificate
key of the certificate authority is needed. There are three public keys called 'yubikey1.pub', 'yubikey2.pub' and 'yubikey3.pub'.
Step 1 - Verify client certificates
Add the following lines to the file '/etc/ssh/sshd_config'
| Code Block | ||
|---|---|---|
| ||
### User CA certificate TrustedUserCAKeys /etc/ssh/yubikey1.pub TrustedUserCAKeys /etc/ssh/yubikeyX/yubikey2.pub TrustedUserCAKeys /etc/ssh/yubikey3.pub |
| Note |
|---|
...
Copy the public keys to the specified location. |
Step 2 - Principals
Now, Next we 'll configure one of our the hosts to accept only certain principals. To do so, add this line to '/etc/ssh/sshd_config'
...
Then we need to populate the principals file:file. For each user we need to create a file.
| Code Block | ||
|---|---|---|
| ||
mkdir -p /etc/ssh/auth_principals
echo -e 'host.netdef.org\nroot-everywhere' > /etc/ssh/auth_principals/root |
...
You can control access to any other local user by creating the corresponding files under '/etc/ssh/auth_principals'.
Step
...
3 - Restart
...