On Jul 13, 2022, David Wright wrote:
> On Wed 13 Jul 2022 at 18:40:18 (-0400), Dan Purgert wrote:
> > On Jul 13, 2022, rhkra...@gmail.com wrote:
> > > I seem to have gone down a rabbit hole.
> > >
> > > I want(ed?) to set up ssh on my LAN using certificate authentication, and am
> > > having a lot of trouble finding the information I need / would like to have.
> >
> > Which is what, exactly? Other than the "active mailing list" you
> > mentioned in a snipped segment.
> >
> > SSH with cert-auth is pretty trivial to implement on most distros:
> >
> > 1. install openssh-server (if not already installed) on SERVER (the
> >    machine you will connect to)
> > 2. on the CLIENT (machine you will connect from), run ssh-keygen to
> >    generate a new ssh keypair. For example -- ssh-keygen -t ed25519 -f
> >    keyfile -- will generate a new ED25519-based keypair ("keyfile" and
> >    "keyfile.pub").
> > 3. copy the content of keyfile.pub to $HOME/.ssh/authorized_keys on the
> >    SERVER machine
> > 4. try logging into SERVER with your key (e.g. ssh -i keyfile user@SERVER)
> >
> > For "best security" repeat steps 2-4 on all CLIENT machines to create
> > individual client keys -- just make sure to APPEND to authorized_keys.
>
> That's what I do, but that's /key/ authentication, not cert.
> (Search for "certificate" in man ssh-keygen to see what's
> involved with certificates.) I'm afraid I'm not up to speed
> on that topic.
*sigh* indeed, I crossed my thinking. :(

Should be basically the same -- at least the manpages for ssh and
ssh-keygen cover it pretty well...

  ssh-keygen -s /path/to/ca -I keyid /path/to/user_public

sshd apparently needs a "cert-authority" parameter set at start-time, so
that it knows the signing CA for the certs, and then you (apparently)
configure authorized_keys in the same manner.

I've never seen this implemented in any place I've worked in the last 2
decades (granted, I "only" have said 2 decades of "professional"
experience); rather they've always used either (a) keys, or (b) password +
RSA Token (or other 2FA / TOTP mechanism)

--
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860
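The certificate workflow sketched in the reply above, carried end to end as an added example (not code from anyone in the thread): CA key, user key, the `ssh-keygen -s` signing step with principals and a validity window, the two ways sshd can be told to trust the CA, and `ssh-keygen -L` checks before deploying. The scratch directory, file names and the principal "alice" are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: the OpenSSH certificate workflow the
# reply sketches, run end to end in a scratch directory. Paths and the
# principal "alice" are assumptions chosen for this demo.
set -eu
WORK="${WORK:-$(mktemp -d)}"
# 1. CA key pair; the private half stays offline, only user_ca.pub goes to servers.
make_ca() {
  rm -f "$WORK/user_ca" "$WORK/user_ca.pub"
  ssh-keygen -q -t ed25519 -N '' -C 'demo user CA' -f "$WORK/user_ca"
}

# 2. The user's ordinary key pair (steps 2-3 of the thread).
make_user_key() {
  rm -f "$WORK/alice_key" "$WORK/alice_key.pub" "$WORK/alice_key-cert.pub"
  ssh-keygen -q -t ed25519 -N '' -f "$WORK/alice_key"
}

# 3. Sign the public key: -s CA key, -I key id (sshd logs it at login),
#    -n principals (accounts it may log into), -V validity window.
#    Produces alice_key-cert.pub, which ssh offers automatically.
sign_user_key() {
  ssh-keygen -q -s "$WORK/user_ca" -I 'alice@laptop' -n alice \
    -V '-5m:+52w' "$WORK/alice_key.pub"
}

# 4. Server side: either "TrustedUserCAKeys /etc/ssh/user_ca.pub" in
#    sshd_config, or per account the CA key in authorized_keys with the
#    cert-authority option (the "same manner" the reply refers to).
authorized_keys_line() {
  printf 'cert-authority,principals="alice" %s\n' \
    "$(cut -d' ' -f1,2 "$WORK/user_ca.pub")"
}

# Pre-deployment checks: which principal the cert grants, and whether the
# cert's "Signing CA" fingerprint matches the CA we expect.
cert_principal() {
  ssh-keygen -L -f "$WORK/alice_key-cert.pub" | awk '/Principals:/ { getline; print $1 }'
}
cert_signed_by_ca() {
  ca_fp=$(ssh-keygen -l -f "$WORK/user_ca.pub" | awk '{ print $2 }')
  ssh-keygen -L -f "$WORK/alice_key-cert.pub" | grep -q "Signing CA: .*$ca_fp"
}
demo() {
  make_ca; make_user_key; sign_user_key
  ssh-keygen -L -f "$WORK/alice_key-cert.pub"
  echo "authorized_keys entry: $(authorized_keys_line)"
  echo "principal: $(cert_principal)"; cert_signed_by_ca && echo "CA matches"
}
if command -v ssh-keygen >/dev/null 2>&1; then demo; fi
```

Nothing here touches a live sshd; the `TrustedUserCAKeys` line and the `authorized_keys` entry are printed for the server operator to install, and a failed `cert_signed_by_ca` check means the certificate was issued by a different CA than the one being trusted.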