...
As there are two different types of certificates, there are two individual tasks as well in order to setup a hosts. If one would like to use only one certificate, execute the corresponding task.
...
To enable certificate based login on a host, its public rsa key needs to be singed by the CA authority. TO do so copy the public rsa key 'ssh_host_rsa_key.pub' to the CA, signed it and copy the certificate back to the host. The resulting certificate is called 'ssh_host_rsa_key-cert.pub'. The instructions how to singed a hosts public key can be found here.
2.1 Tell the SSH daemon about the certificate
To tell the SSH daemon about the certificate add the following configuration lines to the file '/etc/ssh/sshd_config'. The host sends this certificate to the client to identify itself as a trusted host.
...
| Code Block | ||
|---|---|---|
| ||
### Host certificate HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub |
| Note |
|---|
| Move the certificate to the specified location! |
2.3 Restart the SSH daemon
3 Client Certificate
To setup the client certificate, the public key of the certificate authority is needed. The file is called 'yubikeyX.pub' depending on the CA server.
3.1 Verify client certificates
Add the following lines to the file '/etc/ssh/sshd_config'
| Code Block | ||
|---|---|---|
| ||
### User CA certificate TrustedUserCAKeys /etc/ssh/yubikeyX.pub |
Step 3 - Principals
| Note |
|---|
Copy the public key to the specified location. |
3.2 Principals
Next we configure the Now, we'll configure one of our hosts to accept only certain principals. To do so, add this line to '/etc/ssh/sshd_config'
...
Then we need to populate the principals file:file. For each user we need to create a file.
| Code Block | ||
|---|---|---|
| ||
mkdir -p /etc/ssh/auth_principals
echo -e 'host.netdef.org\nroot-everywhere' > /etc/ssh/auth_principals/root |
...
You can control access to any other local user by creating the corresponding files under '/etc/ssh/auth_principals'.
Step 4 - Restart SSH
...