Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

1 - Abstract

There As there are two different things needed to setup the certificate authentification.

user certificates: There are N user certifiactes, one for each public key provided for signing.

Code Block
languagebash
helloworld-1234567890-1-cert.pub
helloworld-1234567890-2-cert.pub
...
helloworld-1234567890-N-cert.pub

host certificate public key: There is one public key to authenticate servers.

Code Block
languagebash
yubikeyX.pub

Tell the SSH daemon about the certificate.

types of certificates, there are two individual tasks to setup a client.

  • Host Certificate
  • Client Certificate

If one would like to use only one certificate, execute the corresponding subtask.

Configuration paths

There are two different options to tell the ssh daemon about the certificate: global or 'user based.' (recommended)  or 'global'

  • 'user based'

  • global: The certificate is valid for each user on the client.
  • user based

    : The certificate is valid for one specific user on

    the client.

To work correctly there are two things that need to be done:

  • provide

    the

    certificate such that the

    client

    can authentificate itsself on the server side. To do so, the ssh daemon needs to knwo where the certificate is stroed and that it is need to login to *

    .

    netdef.org

  • provide the public host key such that the client can authenticate the host's certificate. This is done by adding a new entrie in the known_hosts file.

The certificates can be installed for a single user or for all users in a machine.

user based configuration paths

  • Code Block
    languagebash
    SSH_CERTIFICATES=$HOME/.ssh/netdef
    SSH_CONFIG=$HOME/.ssh/config
    SSH_KNOWNHOSTS=$HOME/.ssh/known_hosts

...


  • 'global': The certificate is valid for each user on the client.

    Code Block
    languagebash
    SSH_CERTIFICATES=/etc/ssh/netdef
    SSH_CONFIG=/etc/ssh/ssh_config
    SSH_KNOWNHOSTS=/etc/ssh/ssh_known_hosts


2 - Client Certificate

Step 1 - Sign client's public key

The instructions how to singed a clients public key can be found here.

The CA provides a zip file where all signed keys are stored.

Code Block
languagebash
helloworld-1234567890-1

...

-cert.pub
helloworld-1234567890-2-cert.pub
...
helloworld-1234567890-N-cert.pub

Step 2 - Copy all certificates to netdef folder

Copy all certificates that can be found in the provided tar file to the folder '$SSH_CERTIFICATES'.

Code Block
languagebash
mkdir -p $SSH_CERTIFICATES
cp *cert.pub $SSH_CERTIFICATES

Step

...

3 -

...

Edit the config file

Add the following lines to '$SSH_CONFIG'. The name of the certificate as well as '$SSH_CERTIFICATES' must be replaced with the correct file name and the correct path to the folder respectively.

Code Block
languagebash
Host *.netdef.org
	CertificateFile `$SSH_CERTIFICATES`/helloworld-1234567890-1-cert.pub
	CertificateFile `$SSH_CERTIFICATES`/helloworld-1234567890-2-cert.pub 
	... 
	CertificateFile `$SSH_CERTIFICATES`/helloworld-1234567890-N-cert.pub

Step 3 - edit known hosts file.

...

.pub

...

Code Block
languagebash
@cert-authority *.netdef.org `yubikeyX.pub`