Secure Shell
help about "certificates" function of openssh 5.4 Apr 28 2010 02:39AM
yang wang (gooddaydiablo gmail com) (1 replies)
Re: help about "certificates" function of openssh 5.4 Apr 29 2010 09:14AM
Hans Harder (postbus111 gmail com)
> 3) # ssh -i /root/.ssh/id_rsa-cert.pub localhost

This is wrong: -i should be given the private key, so:
# ssh -i /root/.ssh/id_rsa localhost

Now it will find the -cert.pub automatically and use this without
asking for a passphrase.

Also, before you use certificates operationally, you should disable the
normal public keys in authorized_keys by setting the AuthorizedKeysFile
to /dev/null in the sshd_config.
See: https://bugzilla.mindrot.org/show_bug.cgi?id=1764

Hans

certificate setup example:

CA user:
1) ssh-keygen -f ca_rsa # generate a ssh keypair for use as a certificate

Server(s):
2) make sure your sshd_config has TrustedUserCAKeys assigned
TrustedUserCAKeys /etc/ssh/trusted_cakeys # or whatever name or
location you like

3) edit /etc/ssh/trusted_cakeys and add the contents of ca_rsa.pub in it

4) Disable AuthorizedKeysFile in sshd_config by pointing it to /dev/null
to prevent normal public keys from working (preferably in a Match
user/group section of sshd_config).

CA user:
5) for a user, generate a certificate of his public key with some limitations
ssh-keygen -s ca_rsa -I keyid -n jimmy -V +2w1d id_rsa.pub
This will generate an id_rsa-cert.pub certificate file which is valid
for 15 days

Jimmy:
6) put his id_rsa-cert.pub in his ~/.ssh directory
ssh jimmy@server # connect to server using the certificate

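The CA and signing steps from the message above as a script, added here as an example (not Hans's own commands or OpenSSH project code). It assumes an OpenSSH ssh-keygen of 5.4 or later on PATH, works in a temporary directory, and leaves the CA key without a passphrase only so it can run unattended; it finishes with two checks a server admin would want: which principal the certificate names, and whether it was signed by the CA listed in trusted_cakeys.

```shell
#!/bin/sh
# Constructed example: OpenSSH user-certificate setup with verification.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# CA user: key pair that will sign user keys (empty passphrase only for the demo).
ssh-keygen -q -t rsa -b 2048 -N '' -f "$WORK/ca_rsa" -C 'constructed CA key'

# Server: the file sshd_config's TrustedUserCAKeys points at holds ca_rsa.pub.
cp "$WORK/ca_rsa.pub" "$WORK/trusted_cakeys"

# Jimmy: his ordinary key pair; only id_rsa.pub is handed to the CA.
ssh-keygen -q -t rsa -b 2048 -N '' -N '' -f "$WORK/id_rsa" -C 'jimmy'

# CA user: sign Jimmy's public key. -I is the key id sshd logs, -n limits the
# principal to "jimmy", -V +2w1d gives 15 days of validity (single dash).
sign_user_key() {
  ssh-keygen -q -s "$WORK/ca_rsa" -I "jimmy-$(date +%Y%m%d)" -n jimmy \
    -V +2w1d "$WORK/id_rsa.pub"
  echo "$WORK/id_rsa-cert.pub"
}

# Print the principals embedded in a certificate, as sshd will read them.
cert_principals() {
  ssh-keygen -L -f "$1" | sed -n '/Principals:/,/Critical Options:/p' \
    | grep -v -e 'Principals:' -e 'Critical Options:' | tr -d ' \t'
}

# Succeed only if the certificate's "Signing CA" fingerprint matches the
# (single) CA key in the trusted_cakeys file given as $2.
cert_signed_by_trusted_ca() {
  ca_fp=$(ssh-keygen -lf "$2" | awk '{print $2}')
  ssh-keygen -L -f "$1" | grep 'Signing CA:' | grep -qF "$ca_fp"
}

CERT=$(sign_user_key)
echo "principals: $(cert_principals "$CERT")"
if cert_signed_by_trusted_ca "$CERT" "$WORK/trusted_cakeys"; then
  echo "certificate is signed by a trusted CA"
else
  echo "certificate NOT signed by a trusted CA" >&2
fi
```

Run `ssh-keygen -L -f id_rsa-cert.pub` on the result to see the Key ID, Valid window and principals that sshd will enforce.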
Copyright 2010, SecurityFocus