
Abstract

Two different things are needed to set up certificate authentication.

  • user certificates: There are N user certificates, one for each public key provided for signing.

    helloworld-1234567890-1-cert.pub
    helloworld-1234567890-2-cert.pub
    ...
    helloworld-1234567890-N-cert.pub
  • host certificate public key: There is one public key, used to authenticate the certificates presented by the servers.

    yubikeyX.pub

Tell the SSH client about the certificates.

There are two different options to tell the SSH client about the certificates: global or user based.

  • global: The certificate is valid for each user on the client.
  • user based: The certificate is valid for one specific user on the client.

To work correctly there are two things that need to be done:

  • provide the certificates such that the client can authenticate itself to the server. To do so, the SSH client needs to know where the certificates are stored and that they are needed to log in to *.netdef.org.
  • provide the public host key such that the client can authenticate the host's certificate. This is done by adding a new entry to the known_hosts file.

The certificates can be installed for a single user or for all users on a machine.

user based configuration paths

SSH_CERTIFICATES=$HOME/.ssh/netdef
SSH_CONFIG=$HOME/.ssh/config
SSH_KNOWNHOSTS=$HOME/.ssh/known_hosts

global configuration paths

SSH_CERTIFICATES=/etc/ssh/netdef
SSH_CONFIG=/etc/ssh/ssh_config
SSH_KNOWNHOSTS=/etc/ssh/ssh_known_hosts

Step 1 - copy all certificates to netdef folder

Copy all certificates that can be found in the provided tar file to the folder $SSH_CERTIFICATES.

mkdir -p $SSH_CERTIFICATES
cp *cert.pub $SSH_CERTIFICATES

Step 2 - edit the config file

Add the following lines to $SSH_CONFIG, replacing the certificate file names and $SSH_CERTIFICATES with the actual file names and the path to the folder respectively.

Host *.netdef.org
	CertificateFile $SSH_CERTIFICATES/helloworld-1234567890-1-cert.pub
	CertificateFile $SSH_CERTIFICATES/helloworld-1234567890-2-cert.pub
	...
	CertificateFile $SSH_CERTIFICATES/helloworld-1234567890-N-cert.pub

Step 3 - edit the known_hosts file

Add the following line to $SSH_KNOWNHOSTS where yubikeyX.pub must be replaced with the public key stored in yubikeyX.pub.

@cert-authority *.netdef.org <contents of yubikeyX.pub>
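The three steps above, carried out by one script, as an added example that is not part of the original page. It reads SSH_CERTIFICATES, SSH_CONFIG and SSH_KNOWNHOSTS from the environment, so export either the user-based or the global paths first; the function name install_netdef_certs and the assumption that the unpacked certificates are named *-cert.pub are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: performs steps 1 to 3 in one go.
# Export SSH_CERTIFICATES, SSH_CONFIG and SSH_KNOWNHOSTS (user-based or global
# paths) before calling install_netdef_certs. The function name and the
# *-cert.pub naming assumption are this example's own.
set -eu

# install_netdef_certs SRC_DIR CA_PUBKEY_FILE
#   SRC_DIR         directory holding the unpacked *-cert.pub user certificates
#   CA_PUBKEY_FILE  the host CA public key file (yubikeyX.pub)
install_netdef_certs() {
    src="$1"; ca_pub="$2"
    certs="${SSH_CERTIFICATES:?set to the netdef folder}"
    config="${SSH_CONFIG:?set to the ssh client config}"
    known="${SSH_KNOWNHOSTS:?set to the known_hosts file}"

    # The @cert-authority entry must carry the key contents, not the file name;
    # refuse anything that does not look like one OpenSSH public key line.
    ca_key=$(head -n 1 "$ca_pub")
    case "$ca_key" in
        ssh-*' '*|ecdsa-*' '*|sk-*' '*) ;;
        *) echo "$ca_pub does not look like an OpenSSH public key" >&2; return 1 ;;
    esac

    umask 077   # files created below are readable by the owner only
    mkdir -p "$certs" "$(dirname "$config")" "$(dirname "$known")"

    # Step 1: copy the user certificates into the netdef folder
    cp "$src"/*-cert.pub "$certs"/

    # Step 2: one CertificateFile line per installed certificate, added only once
    if ! grep -qxF 'Host *.netdef.org' "$config" 2>/dev/null; then
        {
            printf 'Host *.netdef.org\n'
            for c in "$certs"/*-cert.pub; do
                printf '\tCertificateFile %s\n' "$c"
            done
        } >> "$config"
    fi

    # Step 3: trust host certificates signed by this CA for *.netdef.org
    ca_line="@cert-authority *.netdef.org $ca_key"
    grep -qxF "$ca_line" "$known" 2>/dev/null || printf '%s\n' "$ca_line" >> "$known"
}
```

Running it a second time changes nothing, so it is safe to re-run after receiving a new tar file.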