As there are two different certificates, there are two individual tasks in order to setup a hosts. If one would like to use only one certificate, execute the corresponding task.
To enable certificate based login on a host, its public rsa key needs to be singed by the CA authority. TO do so copy the public rsa key 'ssh_host_rsa_key.pub'
to the CA, signed it and copy the certificate back to the host. The resulting certificate is called 'ssh_host_rsa_key-cert.pub
'
.
To tell the SSH daemon about the certificate add the following configuration lines to the file '
/etc/ssh/sshd_config'
. The host sends this certificate to the client to identify itself as a trusted host.
Copy the certificate to the specified location. |
### Host certificate HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub |
Add the following lines to the file
to tell the SSH daemon about the public key to verify client certificates. In addition copy the public key to the specified location. The host trusts all certificates the are signed by our CA.'
/etc/ssh/sshd_config'
### User CA certificate TrustedUserCAKeys /etc/ssh/yubikeyX.pub |
Now, we'll configure one of our hosts to accept only certain principals. To do so, add this line to '
/etc/ssh/sshd_config'
### Auth Principals AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u |
Then we need to populate the principals file:
mkdir /etc/ssh/auth_principals echo -e 'host.netdef.org\nroot-everywhere' > /etc/ssh/auth_principals/root |
This allows to all users to login as root that have either host.netdef.org
or root-everywhere
specified in the list of principals within their certificate.
You can control access to any other local user by creating the corresponding files under '
/etc/ssh/auth_principals
'
.
Restart SSH to apply all the changes! |