Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • Host Certificate
  • Client Certificate

If one would like to use only one certificate, execute the corresponding subtask.

2 - Host Certificate

Step 1 - Sign host's public key

To enable certificate based login on a host, its public RSA key needs to be singed by the certificate authority. To do so copy the public RSA key 'ssh_host_rsa_key.pub' to the CA, signed it and copy the certificate back to the host. The resulting certificate is called 'ssh_host_rsa_key-cert.pub'. The instructions how to singed a hosts public key can be found here.

Step 2 - Tell the SSH daemon about the certificate

To tell the SSH daemon about the certificate add the following configuration lines to the file '/etc/ssh/sshd_config'. The host sends this certificate to the client to identify itself as a trusted host

Code Block
languagebash
### Host certificate
HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
Note
Copy the certificate to the specified location!

Step 3 - Restart the SSH daemon

...

Here at NetDEF we only use Client Certificates.

2 - Client Certificate

To setup the client certificate, the public key of the certificate authority is needed. There are three public keys called  'yubikey1.pub', 'yubikey2.pub' and 'yubikey3.pub'.

...

You can control access to any other local user by creating the corresponding files under '/etc/ssh/auth_principals'.

Step 3 - Restart the SSH daemon