
OpenSSH setup

Contents

  • Certificates with OpenSSH
    • Setup CA
    • Sign server .pub keys at the CA
    • Add CA certs to servers
    • Client Config
      • 1. System wide ssh client config
      • 2. Per user config

Certificates with OpenSSH

How to set up and use OpenSSH certificates for host keys, so that clients trust a CA signature instead of collecting individual host keys.

Setup CA

Create the CA keypair

$ mkdir SSH-CA
$ cd !$
$ ssh-keygen -t rsa -b 4096 -C ca_key-example.com -f ca_key-example.com_rsa # -f names the output keyfile ca_key-example.com_rsa; choose a very good pass-phrase :-)

Sign server .pub keys at the CA

Fetch the /etc/ssh/ssh_host_rsa_key.pub file from each server and rename it to <hostname>_rsa_key.pub to reflect the system name (e.g. sys1_rsa_key.pub).

Validate the fingerprint of the server public key (compare it with the fingerprint shown on the server itself) before signing anything.

$ ssh-keygen -l -f ./sys1_rsa_key.pub

Sign the server public key with the CA key ca_key-example.com_rsa. -I sets the certificate's key identity, -n restricts its principals to the server's FQDN, and -h marks it as a host certificate.

$ ssh-keygen -s ca_key-example.com_rsa -I sys1 -n sys1.example.com -h sys1_rsa_key.pub

Output will be the certificate <hostname>_rsa_key-cert.pub (e.g. sys1_rsa_key-cert.pub)
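To confirm what the CA actually signed before the certificate is copied to a server, the following added example (not code from this page or from OpenSSH) parses a host certificate line in the ssh-rsa-cert-v01@openssh.com format from OpenSSH's PROTOCOL.certkeys and checks the three things a client will later care about: that it is a host certificate (the -h flag), that the expected FQDN is among its principals (the -n flag), and that the signing key's fingerprint is the CA's. The sample certificate is constructed inside the block from toy RSA numbers with a dummy signature; the signature itself is not verified here, ssh does that. `ssh-keygen -L -f sys1_rsa_key-cert.pub` prints the same fields.

```python
import base64
import hashlib
import struct
import time
from dataclasses import dataclass

# SSH wire-format helpers (RFC 4253 section 5): length-prefixed string and mpint.
def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def ssh_mpint(n: int) -> bytes:
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b  # leading zero byte keeps the value positive
    return ssh_string(b)

def read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def fingerprint_sha256(blob: bytes) -> str:
    # Same value `ssh-keygen -l` prints: SHA256 over the key blob, base64 without '='.
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

CERT_TYPE = "ssh-rsa-cert-v01@openssh.com"
HOST_CERT = 2        # certificate type field: 1 = user, 2 = host
FOREVER = 2**64 - 1  # valid_before that ssh-keygen writes when -V is not given

@dataclass
class HostCert:
    key_id: str
    principals: list
    valid_after: int
    valid_before: int
    ca_fingerprint: str  # fingerprint of the signing (CA) key embedded in the cert

def parse_rsa_host_cert(cert_line: str) -> HostCert:
    """Parse one '<type> <base64> [comment]' line as found in sys1_rsa_key-cert.pub."""
    ktype, b64 = cert_line.split()[:2]
    if ktype != CERT_TYPE:
        raise ValueError("not an OpenSSH RSA certificate: " + ktype)
    blob = base64.b64decode(b64, validate=True)
    inner, off = read_string(blob, 0)
    if inner != CERT_TYPE.encode():
        raise ValueError("declared type does not match the embedded type")
    _nonce, off = read_string(blob, off)
    _e, off = read_string(blob, off)
    _n, off = read_string(blob, off)
    _serial, cert_type = struct.unpack_from(">QI", blob, off)
    off += 12
    if cert_type != HOST_CERT:
        raise ValueError("type %d is not a host certificate (was -h passed?)" % cert_type)
    key_id, off = read_string(blob, off)
    packed, off = read_string(blob, off)  # principals: a string holding packed strings
    principals, p = [], 0
    while p < len(packed):
        name, p = read_string(packed, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    off += 16
    _critical, off = read_string(blob, off)
    _extensions, off = read_string(blob, off)
    _reserved, off = read_string(blob, off)
    signature_key, off = read_string(blob, off)
    _signature, off = read_string(blob, off)  # not verified here; ssh does that
    return HostCert(key_id.decode(), principals, valid_after, valid_before,
                    fingerprint_sha256(signature_key))

def check_host_cert(cert_line: str, fqdn: str, ca_fingerprint: str, now=None) -> list:
    """Return the problems a client would hit with this cert; an empty list means usable."""
    now = int(time.time()) if now is None else now
    cert = parse_rsa_host_cert(cert_line)
    problems = []
    if cert.ca_fingerprint != ca_fingerprint:
        problems.append("signed by a different CA: " + cert.ca_fingerprint)
    if fqdn not in cert.principals:
        problems.append("%s not in principals %s" % (fqdn, cert.principals))
    if not cert.valid_after <= now < cert.valid_before:
        problems.append("outside validity window")
    return problems

# CONSTRUCTED sample data (toy RSA numbers, dummy signature) to exercise the parser.
def toy_rsa_blob(n: int) -> bytes:
    return ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(n)

def build_sample_cert(principals, ca_blob, valid_after=0, valid_before=FOREVER) -> str:
    body = (ssh_string(CERT_TYPE.encode()) + ssh_string(b"constructed-nonce")
            + ssh_mpint(65537) + ssh_mpint(0xC0FFEE12345678)
            + struct.pack(">QI", 1, HOST_CERT) + ssh_string(b"sys1")
            + ssh_string(b"".join(ssh_string(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + ssh_string(b"") + ssh_string(b"") + ssh_string(b"")
            + ssh_string(ca_blob) + ssh_string(b"dummy-signature"))
    return CERT_TYPE + " " + base64.b64encode(body).decode() + " sys1_rsa_key.pub"

SAMPLE_CA_BLOB = toy_rsa_blob(0xDEADBEEFCAFEF00D)
SAMPLE_CERT = build_sample_cert(["sys1.example.com"], SAMPLE_CA_BLOB)
```

Run `check_host_cert(open("sys1_rsa_key-cert.pub").read(), "sys1.example.com", fingerprint_sha256(<CA blob>))` on a real certificate and expect an empty list. Because the signing command above passes no -V, ssh-keygen writes a certificate that never expires (valid_before is 2^64-1, which `ssh-keygen -L` shows as "forever"); the check accepts that, but giving each host certificate an explicit validity window with -V keeps a compromised host key from staying trusted indefinitely.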

Add CA certs to servers

Store the certificate in /etc/ssh/ on the corresponding server and add the following to /etc/ssh/sshd_config (sshd pairs the certificate with the matching HostKey, here /etc/ssh/ssh_host_rsa_key):

# host certificate for this server, signed by the CA
HostCertificate /etc/ssh/<hostname>_rsa_key-cert.pub

Then reload the server config

$ sudo /etc/init.d/ssh reload

Client Config

Two options are available, depending on whether you are root on the client or not.

1. System wide ssh client config

Add the public key of the CA (ca_key-example.com_rsa.pub) to /etc/ssh/ssh_known_hosts, prefixed with '@cert-authority *'.

Example

@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDcXMO5H0zn3.......== ca_key-example.com

Make sure the ssh_known_hosts file is readable by all but writable only by root, so that no ordinary user can add a CA of their own.
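Pasting the @cert-authority line by hand invites mistakes (a truncated base64 string, the wrong .pub file), and a '*' host pattern trusts the CA for every host the client ever connects to. The added example below (not code from this page or from OpenSSH) generates the known_hosts entry from the contents of the CA's .pub file and verifies an existing entry against it by comparing SHA256 fingerprints, the same digest `ssh-keygen -l` prints, while reporting the host pattern so an over-broad '*' is visible. The CA key used is a constructed toy ssh-rsa blob, not a real key.

```python
import base64
import hashlib
import struct

def fingerprint_sha256(blob: bytes) -> str:
    # Same value `ssh-keygen -l -f` prints: SHA256 over the key blob, base64 without '='.
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def decode_pubkey(key_type: str, b64: str) -> bytes:
    """Base64-decode a key and check that the type embedded in the blob is the declared one."""
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack_from(">I", blob, 0)
    embedded = blob[4:4 + n].decode()
    if embedded != key_type:
        raise ValueError("declared %s but the blob says %s" % (key_type, embedded))
    return blob

def cert_authority_line(ca_pub_line: str, hosts: str = "*") -> str:
    """Turn the contents of ca_key-example.com_rsa.pub into a known_hosts entry."""
    key_type, b64, *comment = ca_pub_line.split()
    decode_pubkey(key_type, b64)  # refuse to emit an entry for a truncated or mistyped key
    return " ".join(["@cert-authority", hosts, key_type, b64] + comment)

def verify_cert_authority_entry(known_hosts_line: str, ca_pub_line: str) -> dict:
    """Check that an existing entry trusts our CA, and report how widely it trusts it."""
    parts = known_hosts_line.split(None, 4)
    if len(parts) < 4 or parts[0] != "@cert-authority":
        raise ValueError("not a @cert-authority entry")
    _marker, hosts, key_type, b64 = parts[:4]
    entry_fp = fingerprint_sha256(decode_pubkey(key_type, b64))
    ca_type, ca_b64 = ca_pub_line.split()[:2]
    ca_fp = fingerprint_sha256(decode_pubkey(ca_type, ca_b64))
    return {"hosts": hosts, "fingerprint": entry_fp,
            "matches_ca": entry_fp == ca_fp, "trusts_every_host": hosts == "*"}

# CONSTRUCTED sample: toy ssh-rsa blobs (not real keys) standing in for the CA's .pub file.
def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(n: int) -> bytes:
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + b if b and b[0] & 0x80 else b)

def toy_rsa_pub_line(n: int, comment: str) -> str:
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

CA_PUB_LINE = toy_rsa_pub_line(0xDEADBEEFCAFEF00D, "ca_key-example.com")
ROGUE_PUB_LINE = toy_rsa_pub_line(0xBADC0FFEE0DDF00D, "someone-elses-ca")
KNOWN_HOSTS_LINE = cert_authority_line(CA_PUB_LINE)                    # "@cert-authority * ssh-rsa ..."
SCOPED_LINE = cert_authority_line(CA_PUB_LINE, hosts="*.example.com")  # trust limited to one domain
```

Compare the fingerprint this reports with `ssh-keygen -l -f ca_key-example.com_rsa.pub` run on the CA machine. The page's '*' pattern works, but narrowing it to '*.example.com' (as SCOPED_LINE does) limits the CA's authority to your own domain, so a stolen CA key cannot impersonate arbitrary hosts on that client.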

2. Per user config

Add the public key of the CA (ca_key-example.com_rsa.pub) to /home/<user>/.ssh/known_hosts, prefixed with '@cert-authority *'.

Example

@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDcXMO5H0zn3a.......== ca_key-example.com


Published

Sep 15, 2011

Author

henrik

Category

HOWTOs
