As there are two different types of certificates, there are two individual tasks as well in order to setup a hosts. If one would like to use only one certificate, execute the corresponding task.
There are two different options to tell the ssh daemon about the certificate: 'user based' (recommended) or 'global'
'user based': The certificate is valid for one specific user on the client.
SSH_CERTIFICATES=$HOME/.ssh/netdef SSH_CONFIG=$HOME/.ssh/config SSH_KNOWNHOSTS=$HOME/.ssh/known_hosts |
'global': The certificate is valid for each user on the client.
SSH_CERTIFICATES=/etc/ssh/netdef SSH_CONFIG=/etc/ssh/ssh_config SSH_KNOWNHOSTS=/etc/ssh/ssh_known_hosts |
To setup the host certificate the public key of the CA authority is needed. There are three public keys called 'yubikey1.pub', 'yubikey2.pub' and 'yubikey3.pub'.
Add the following line to '$SSH_KNOWNHOSTS' where 'yubikeyX.pub' must be replaced with the public key stored in 'yubikeyX.pub'.
@cert-authority *.netdef.org `yubikey1.pub` @cert-authority *.netdef.org `yubikey2.pub` @cert-authority *.netdef.org `yubikey3.pub` |
The instructions how to singed a clients public key can be found here.
The CA provides a zip file where all signed keys are stored.
helloworld-1234567890-1-cert.pub helloworld-1234567890-2-cert.pub ... helloworld-1234567890-N-cert.pub |
Copy all certificates that can be found in the provided tar file to the folder '$SSH_CERTIFICATES'.
mkdir -p $SSH_CERTIFICATES cp *cert.pub $SSH_CERTIFICATES |
Add the following lines to '$SSH_CONFIG''$SSH_CERTIFICATES' must be replaced with the correct file name and the correct path to the folder respectively.
Host *.netdef.org CertificateFile `$SSH_CERTIFICATES`/helloworld-1234567890-1-cert.pub CertificateFile `$SSH_CERTIFICATES`/helloworld-1234567890-2-cert.pub ... CertificateFile `$SSH_CERTIFICATES`/helloworld-1234567890-N-cert.pub |