Abstract

There are two different things needed to setup the certificate authentification.

• user certificates: There are N user certifiactes, one for each public key provided for signing.

  helloworld-1234567890-1-cert.pub
  helloworld-1234567890-2-cert.pub
  ...
  helloworld-1234567890-N-cert.pub

• host certificate public key: There is one public key to authenticate servers.

  yubikeyX.pub

Configuration paths

There are two different options to tell the ssh daemon about the certificate: 'user based' (recommended)  or 'global'


• 'user based': The certificate is valid for one specific user on the client.
• 'global': The certificate is valid for each user on the client.

user based

SSH_CERTIFICATES=$HOME/.ssh/netdef
SSH_CONFIG=$HOME/.ssh/config
SSH_KNOWNHOSTS=$HOME/.ssh/known_hosts

global configuration paths

SSH_CERTIFICATES=/etc/ssh/netdef
SSH_CONFIG=/etc/ssh/ssh_config
SSH_KNOWNHOSTS=/etc/ssh/ssh_known_hosts

Step 1 - copy all certificates to netdef folder

Copy all certificates that can be found in the provided tar file to the folder $SSH_CERTIFICATES.

mkdir -p $SSH_CERTIFICATES
cp *cert.pub $SSH_CERTIFICATES

Step 2 - edit the config file

Add the following lines to $SSH_CONFIG. The name of the certificate as well as $SSH_CERTIFICATES must be replaced with the correct file name and the correct path to the folder respectively.

Host *.netdef.org
	CertificateFile `$SSH_CERTIFICATES`/helloworld-1234567890-1-cert.pub
	CertificateFile `$SSH_CERTIFICATES`/helloworld-1234567890-2-cert.pub 
	... 
	CertificateFile `$SSH_CERTIFICATES`/helloworld-1234567890-N-cert.pub

Step 3 - edit known hosts file.

Add the following line to $SSH_KNOWNHOSTS where yubikeyX.pub must be replaced with the public key stored in yubikeyX.pub.

@cert-authority *.netdef.org `yubikeyX.pub`