
1 Abstract

As there are two different types of certificates (host and client), there are also two separate tasks to set up a host. If you only want to use one of the certificates, execute the corresponding task.

Configuration paths

There are two different options to tell the ssh client about the certificates: 'user based' (recommended) or 'global'.

  • 'user based': The certificate is valid for one specific user on the client.

    SSH_CERTIFICATES=$HOME/.ssh/netdef
    SSH_CONFIG=$HOME/.ssh/config
    SSH_KNOWNHOSTS=$HOME/.ssh/known_hosts
  • 'global': The certificate is valid for each user on the client.

    SSH_CERTIFICATES=/etc/ssh/netdef
    SSH_CONFIG=/etc/ssh/ssh_config
    SSH_KNOWNHOSTS=/etc/ssh/ssh_known_hosts

2 Host certificate

To set up the host certificate, the public key of the CA is needed. There are three public keys called 'yubikey1.pub', 'yubikey2.pub' and 'yubikey3.pub'.

Add the following lines to '$SSH_KNOWNHOSTS', where each 'yubikeyX.pub' placeholder must be replaced with the contents of the public key stored in the file 'yubikeyX.pub'.

@cert-authority *.netdef.org `yubikey1.pub`
@cert-authority *.netdef.org `yubikey2.pub`
@cert-authority *.netdef.org `yubikey3.pub`

3 Client Certificate

Step 1 - Sign client's public key

One can either use the public key file that is stored on GitHub, or manually copy the id_rsa.pub file to the CA.

The instructions on how to sign a client's public key can be found here.

The CA provides a zip file in which all signed keys are stored.

helloworld-1234567890-1-cert.pub
helloworld-1234567890-2-cert.pub
...
helloworld-1234567890-N-cert.pub

Step 2 - copy all certificates to netdef folder

Copy all certificates that can be found in the provided tar file to the folder '$SSH_CERTIFICATES'.

mkdir -p $SSH_CERTIFICATES
cp *cert.pub $SSH_CERTIFICATES

Step 3 - edit the config file

Add the following lines to '$SSH_CONFIG'. The certificate names and '$SSH_CERTIFICATES' must be replaced with the actual file names and the actual path of the certificate folder respectively.

Host *.netdef.org
	CertificateFile `$SSH_CERTIFICATES`/helloworld-1234567890-1-cert.pub
	CertificateFile `$SSH_CERTIFICATES`/helloworld-1234567890-2-cert.pub
	...
	CertificateFile `$SSH_CERTIFICATES`/helloworld-1234567890-N-cert.pub
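The following script is an added example and not part of the original page or of the netdef tooling. It automates the two tasks above: it appends the '@cert-authority' lines for the CA public keys to '$SSH_KNOWNHOSTS' (section 2), copies the signed certificates into '$SSH_CERTIFICATES' and appends the 'Host *.netdef.org' block with one 'CertificateFile' line per certificate to '$SSH_CONFIG' (section 3, steps 2 and 3). The function names, the defaulting to the 'user based' paths and the idempotency checks are assumptions made here; the key material used in the usage comment is a constructed placeholder, not a real CA key.

```shell
#!/bin/sh
# Added example (not from the original page): builds the known_hosts and
# ssh_config entries for netdef.org SSH certificates.  Paths default to the
# 'user based' layout; export SSH_CERTIFICATES/SSH_CONFIG/SSH_KNOWNHOSTS
# with the 'global' paths to install system-wide instead.
set -eu

SSH_CERTIFICATES="${SSH_CERTIFICATES:-${HOME:-.}/.ssh/netdef}"
SSH_CONFIG="${SSH_CONFIG:-${HOME:-.}/.ssh/config}"
SSH_KNOWNHOSTS="${SSH_KNOWNHOSTS:-${HOME:-.}/.ssh/known_hosts}"
HOST_PATTERN="*.netdef.org"

# add_cert_authority KNOWN_HOSTS_FILE CA_PUBKEY_FILE
# Appends '@cert-authority *.netdef.org <keytype> <base64>' for the CA key.
# The comment field of the key file is dropped and an identical existing
# line is not duplicated, so the function can be re-run safely.
add_cert_authority() {
    kh="$1"; pub="$2"
    key=$(awk 'NR==1 {print $1, $2}' "$pub")
    case "$key" in
        ssh-*|ecdsa-*|sk-*) ;;
        *) echo "not an OpenSSH public key: $pub" >&2; return 1 ;;
    esac
    line="@cert-authority $HOST_PATTERN $key"
    mkdir -p "$(dirname "$kh")"
    touch "$kh"
    if ! grep -qxF "$line" "$kh"; then
        printf '%s\n' "$line" >> "$kh"
    fi
}

# install_certificates SRC_DIR CERT_DIR
# Copies every *-cert.pub from the unpacked archive into the netdef folder,
# restricts the folder to the owner, and prints how many were installed.
install_certificates() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    chmod 700 "$dst"
    n=0
    for c in "$src"/*-cert.pub; do
        [ -f "$c" ] || continue
        cp "$c" "$dst/"
        n=$((n + 1))
    done
    echo "$n"
}

# client_config_block CERT_DIR
# Prints the 'Host *.netdef.org' block with one CertificateFile line per
# certificate found in CERT_DIR (glob order, i.e. sorted by name).
client_config_block() {
    dir="$1"
    printf 'Host %s\n' "$HOST_PATTERN"
    for c in "$dir"/*-cert.pub; do
        [ -f "$c" ] || continue
        printf '\tCertificateFile %s\n' "$c"
    done
}

# write_client_config CONFIG_FILE CERT_DIR
# Appends the block to CONFIG_FILE unless a 'Host *.netdef.org' entry
# already exists, so the config is not polluted by repeated runs.
write_client_config() {
    cfg="$1"; dir="$2"
    mkdir -p "$(dirname "$cfg")"
    touch "$cfg"
    if grep -qxF "Host $HOST_PATTERN" "$cfg"; then
        echo "Host $HOST_PATTERN already present in $cfg" >&2
        return 0
    fi
    client_config_block "$dir" >> "$cfg"
}

# Usage (assumes the three CA keys and the unpacked certificate archive
# are in the current directory):
#   for k in yubikey1.pub yubikey2.pub yubikey3.pub; do
#       add_cert_authority "$SSH_KNOWNHOSTS" "$k"
#   done
#   install_certificates . "$SSH_CERTIFICATES"
#   write_client_config "$SSH_CONFIG" "$SSH_CERTIFICATES"
```

After running it, 'ssh-keygen -L -f "$SSH_CERTIFICATES/<name>-cert.pub"' shows the validity period and principals of each installed certificate, and 'ssh -G somehost.netdef.org' prints the effective client configuration so that the CertificateFile entries can be checked before the first connection.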