As there are two different types of certificates, there are two separate tasks to set up a host.
Here at NetDEF we only use Client Certificates.
To set up client certificate authentication, the public keys of the certificate authority are needed. There are three public keys, called 'yubikey1.pub', 'yubikey2.pub' and 'yubikey3.pub'.
Add the following lines to the file '/etc/ssh/sshd_config' to tell the SSH daemon which public keys to use to verify client certificates. The host then trusts all certificates that are signed by our CA.
```
### User CA certificate
# sshd honours only the first TrustedUserCAKeys directive it reads, so all
# three CA public keys are listed in one file, one key per line.
# (The file name below is an example chosen here, not a NetDEF convention.)
TrustedUserCAKeys /etc/ssh/trusted_user_ca_keys
```
Create that file by concatenating yubikey1.pub, yubikey2.pub and yubikey3.pub into it, one key per line.
Next we configure the host to accept only certain principals. To do so, add this line to '/etc/ssh/sshd_config':
```
### Auth Principals
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
```
Then we need to populate the principals files. For each local user, create a file named after that user:
```sh
mkdir -p /etc/ssh/auth_principals
# printf instead of 'echo -e': portable across shells, one principal per line
printf 'host.netdef.org\nroot-everywhere\n' > /etc/ssh/auth_principals/root
```
This allows any user whose certificate lists either host.netdef.org or root-everywhere among its principals to log in as root.
You can control access to any other local user by creating the corresponding file under '/etc/ssh/auth_principals'.
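Added example, not part of the original page: a small Python model of the decision sshd makes with the configuration above, pulling the principal list out of an OpenSSH ed25519 user certificate blob and matching it against a user's file under /etc/ssh/auth_principals. The helper that builds an unsigned test certificate, and the sample names in it, are constructed here for demonstration only; CA signature verification is left to sshd and not modelled.

```python
import struct, time

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1   # certificate "type" field: 1 = user cert, 2 = host cert
def _s(b):      # SSH wire "string": uint32 big-endian length + bytes
    return struct.pack(">I", len(b)) + b
def _read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def cert_principals(blob):
    """(key_id, principals, valid_after, valid_before) of a raw ed25519 user
    certificate blob; the CA signature is NOT verified here, sshd does that."""
    ctype, off = _read_string(blob, 0)
    if ctype != CERT_TYPE:
        raise ValueError("unsupported certificate type %r" % ctype)
    _nonce, off = _read_string(blob, off)
    _pubkey, off = _read_string(blob, off)
    _serial, kind = struct.unpack_from(">QI", blob, off)
    off += 12
    if kind != USER_CERT:
        raise ValueError("not a user certificate")
    key_id, off = _read_string(blob, off)
    plist, off = _read_string(blob, off)   # principals: packed SSH strings
    principals, p = [], 0
    while p < len(plist):
        name, p = _read_string(plist, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    return key_id.decode(), principals, valid_after, valid_before

def load_principals_file(text):
    """Names in an AuthorizedPrincipalsFile ('#' comments and blank lines skipped)."""
    lines = (l.split("#", 1)[0].strip() for l in text.splitlines())
    return {l for l in lines if l}

def login_allowed(blob, principals_text, now=None):
    """sshd's rule: inside the validity window AND at least one principal match."""
    now = int(time.time()) if now is None else now
    _kid, principals, after, before = cert_principals(blob)
    return after <= now < before and bool(
        set(principals) & load_principals_file(principals_text))

def build_test_cert(key_id, principals, valid_after, valid_before):
    """Constructed, UNSIGNED blob with the certificate field layout, for the parser above."""
    return (_s(CERT_TYPE) + _s(b"\x00" * 32) + _s(b"\x00" * 32)
            + struct.pack(">QI", 1, USER_CERT) + _s(key_id.encode())
            + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"") * 5)  # critical opts, extensions, reserved, sig key, sig
```

With the root file from above, a certificate carrying host.netdef.org is accepted for root, while one carrying only its owner's name is not.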