Secure Shell
help about "certificates" function of openssh 5.4 Apr 28 2010 02:39AM
yang wang (gooddaydiablo gmail com) (1 replies)
Re: help about "certificates" function of openssh 5.4 Apr 29 2010 09:14AM
Hans Harder (postbus111 gmail com)
> 3) # ssh -i /root/.ssh/ localhost

This is wrong; -i should be given the private key, so:
# ssh -i /root/.ssh/id_rsa localhost

now it will find the automatically and use this without
asking for a passphrase

Also, before you use certificates operationally, you should disable the
normal public keys in authorized_keys by setting the AuthorizedKeysFile
to /dev/null in the sshd_config
See :


certificate setup example:

CA user:
1) ssh-keygen -f ca_rsa # generate an ssh keypair for use as a certificate

2) make sure your sshd_config has TrustedUserCAKeys assigned
TrustedUserCAKeys /etc/ssh/trusted_cakeys # or whatever name or location you like

3) edit /etc/ssh/trusted_cakeys and add the contents of in it

4) Disable in sshd_config AuthorizedKeysFile and point it to /dev/null
to prevent normal public keys from working. (preferably in a match
user/group section of sshd_config)

CA user:
4) for a user generate a certificate of its public key with some limitations
ssh-keygen -s ca_rsa -I keyid -n jimmy -V +2w1d
This will generate a certificate file which is valid
for 15 days

5) put his in its ~/.ssh directory
ssh jimmy@server # connect to server using the certificate
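
One way to check that the sshd_config advice in the reply above has taken effect, as an added example that is not part of the original post: a small Python audit that reports every context (global or Match block) where ordinary authorized_keys files are still honoured or no user CA is configured. The function names and both sample configurations are constructed for illustration.

```python
import re

# Values that switch off key files; "none" is accepted by later OpenSSH releases.
DISABLED = {"/dev/null", "none"}

def parse_sshd_config(text):
    """Split sshd_config text into global settings and Match blocks.
    Keywords are case-insensitive; the first value seen in a context wins."""
    global_cfg, matches = {}, []
    current = global_cfg
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":                       # settings below apply to this block
            current = {}
            matches.append((value, current))
        else:
            current.setdefault(key, value)
    return global_cfg, matches

def audit(text):
    """Return (context, problem) pairs for each context that still accepts
    plain public keys or has no user CA configured."""
    global_cfg, matches = parse_sshd_config(text)
    contexts = [("global", global_cfg)] + [("Match " + c, s) for c, s in matches]
    findings = []
    for name, ctx in contexts:
        akf = ctx.get("authorizedkeysfile", global_cfg.get("authorizedkeysfile"))
        # Unset means sshd's default per-user authorized_keys files are in use.
        if not akf or not set(akf.split()) <= DISABLED:
            findings.append((name, "plain authorized_keys still accepted"))
        if not ctx.get("trustedusercakeys", global_cfg.get("trustedusercakeys")):
            findings.append((name, "TrustedUserCAKeys not set"))
    return findings

# Constructed sample: certificates enforced for one group only.
PARTIAL = """
TrustedUserCAKeys /etc/ssh/trusted_cakeys   # path taken from the post
Match Group certusers
    AuthorizedKeysFile /dev/null
"""
# Constructed sample: plain keys disabled for everyone.
STRICT = "AuthorizedKeysFile /dev/null\nTrustedUserCAKeys /etc/ssh/trusted_cakeys\n"

if __name__ == "__main__":
    for label, cfg in (("partial", PARTIAL), ("strict", STRICT)):
        print(label, audit(cfg))
```

With the Match-only sample, the audit still flags the global context, because users outside the matched group can keep logging in with plain keys.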

Copyright 2010, SecurityFocus