Auth via Multiple Publickeys, Using Multiple Sources, One Key per Source


Do you know about certificates for openssh?

You create a CA for host keys and another for client keys.

Then you create a certificate for all of your host-key public keys with
your host CA.
Publish these certificates to all of your hosts and change the
configuration of sshd to use these certificates as well.

Publish the public key of your user CA to all hosts.

Publish the pubkey of your host CA to all your clients.

Then create certificates with the user CA for all of your users' pubkeys. Add
principals (one or more) to these user certs. Give them to the users.

Change ssh_config to accept only hosts with valid host certs.

Create mapping files. Each PAM user gets its own file, where the
principals are listed (one per line) which are allowed to log in as this
user.

You don't need to accept a changed host key anymore. You can regulate with
the principals file which user can log in as which user. You can also use a
script instead of these files, so LDAP or other mechanisms are possible
too via script.

Certs can have a serial number and a validity date. You can revoke by
pubkey the whole user, or revoke by serial number.

This is a first entry point:
https://chandanduttachowdhury.wordpress.com/2014/12/31/certificate-based-ssh-user-authentication/

Many howtos talk about pubkeys instead of certificates when you search
on your search engine. Be careful with your searches. Certificates use
pubkeys; they are not pubkeys!!

Regards

Jakob

-- 
lore ipsum

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
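The procedure Jakob describes, as an added example that is not part of the original message and not OpenSSH's own tooling: two CAs, a host certificate, two user certificates with principals and serial numbers, the sshd_config/ssh_config fragments and per-account principals files, and a KRL that revokes one user certificate by serial number. It runs against a scratch directory with only `ssh-keygen`; every hostname (`web1.example.com`), account, serial (1001, 1002) and path under `/etc/ssh` is constructed for the demo, and the `principals-from-ldap` script named in the commented-out `AuthorizedPrincipalsCommand` line is hypothetical.

```shell
#!/bin/sh
# Added example (not from Jakob's post or OpenSSH): build the CA layout from
# the post with ssh-keygen, emit config fragments, and cut a KRL that revokes
# one user certificate by serial. All names, serials and paths are made up.
set -eu

# sshd_config fragment: present a host cert, trust user certs from the user CA,
# map principals per account, honour a KRL. The commented lines are the
# "script instead of files" variant; the script path is hypothetical.
sshd_cert_config() {
  cat <<'EOF'
HostKey /etc/ssh/ssh_host_ed25519_key
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
TrustedUserCAKeys /etc/ssh/user_ca.pub
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
#AuthorizedPrincipalsCommand /usr/local/sbin/principals-from-ldap %u
#AuthorizedPrincipalsCommandUser nobody
RevokedKeys /etc/ssh/revoked_keys.krl
EOF
}

# ssh_config fragment: accept only hosts in the domain that present an
# ed25519 host certificate; no trust-on-first-use prompt for a changed key.
ssh_client_cert_config() {
  cat <<'EOF'
Host *.example.com
    HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com
    StrictHostKeyChecking yes
    CertificateFile ~/.ssh/id_ed25519-cert.pub
EOF
}

# known_hosts line trusting any *.example.com host whose certificate is
# signed by the host CA.  $1 = path to host_ca.pub
known_hosts_ca_line() {
  printf '@cert-authority *.example.com %s\n' "$(cut -d' ' -f1,2 "$1")"
}

# Per-account principals file, one principal per line.
# $1 = base dir, $2 = local account, remaining args = principals allowed in
principals_file() {
  dir=$1; user=$2; shift 2
  printf '%s\n' "$@" > "$dir/auth_principals/$user"
}

# Both CAs, one host key + cert (-h, principals = hostnames), two user keys
# + certs (principals, serial via -z, short validity via -V).
build_demo_pki() {
  dir=$1
  mkdir -p "$dir/auth_principals"
  ssh-keygen -q -t ed25519 -N '' -C host-ca -f "$dir/host_ca"
  ssh-keygen -q -t ed25519 -N '' -C user-ca -f "$dir/user_ca"
  ssh-keygen -q -t ed25519 -N '' -C web1 -f "$dir/ssh_host_ed25519_key"
  ssh-keygen -q -s "$dir/host_ca" -h -I web1.example.com \
    -n web1.example.com,web1 -V +52w "$dir/ssh_host_ed25519_key.pub"
  ssh-keygen -q -t ed25519 -N '' -C alice -f "$dir/alice"
  ssh-keygen -q -s "$dir/user_ca" -I alice@example.com -n alice,ops \
    -z 1001 -V +4w "$dir/alice.pub"
  ssh-keygen -q -t ed25519 -N '' -C bob -f "$dir/bob"
  ssh-keygen -q -s "$dir/user_ca" -I bob@example.com -n bob \
    -z 1002 -V +4w "$dir/bob.pub"
  # Mapping: principal "ops" may log in as root; alice and "www" as www-data.
  principals_file "$dir" root ops
  principals_file "$dir" www-data alice www
  sshd_cert_config > "$dir/sshd_config.fragment"
  ssh_client_cert_config > "$dir/ssh_config.fragment"
  known_hosts_ca_line "$dir/host_ca.pub" > "$dir/known_hosts"
}

# Comma-separated principals of a certificate, parsed from `ssh-keygen -L`.
cert_principals() {
  ssh-keygen -L -f "$1" | awk '
    /Principals:/       { p = 1; next }
    /Critical Options:/ { p = 0 }
    p { out = out (out ? "," : "") $1 }
    END { print out }'
}

# Serial number of a certificate.
cert_serial() {
  ssh-keygen -L -f "$1" | awk '/Serial:/ { print $2 }'
}

# Revoke every certificate with serial $2 issued by the user CA (KRL spec
# file; -s names the issuing CA so the serial is scoped to it).
revoke_serial() {
  dir=$1
  printf 'serial: %s\n' "$2" > "$dir/krl.spec"
  ssh-keygen -q -k -f "$dir/revoked_keys.krl" -s "$dir/user_ca.pub" "$dir/krl.spec"
}

# Succeeds when certificate $2 is listed as revoked in KRL $1.
is_revoked() {
  ssh-keygen -Q -f "$1" "$2" | grep -q 'REVOKED'
}

# Stand-alone use: sh this_script.sh /tmp/sshca
if [ $# -eq 1 ]; then
  build_demo_pki "$1"
  revoke_serial "$1" 1001
  ssh-keygen -L -f "$1/alice-cert.pub"
fi
```

After revoking serial 1001, `is_revoked` reports alice's certificate as REVOKED while bob's (serial 1002, same CA) stays valid, which is the serial-number revocation the post mentions; revoking "the whole user" instead would put alice's plain public key into the KRL.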
