Re: help about "certificates" function of openssh 5.4

> 3) # ssh -i /root/.ssh/id_rsa-cert.pub localhost

This is wrong: -i should be given the private key, so:
# ssh -i /root/.ssh/id_rsa localhost

Now it will find the -cert.pub automatically and use it without
asking for a passphrase.

Also, before you use certificates operationally, you should disable the
normal public keys in authorized_keys by setting AuthorizedKeysFile
to /dev/null in sshd_config.
See: https://bugzilla.mindrot.org/show_bug.cgi?id=1764

Hans


certificate setup example:

CA user:
1) ssh-keygen -f ca_rsa   # generate an ssh keypair for use as a certificate

Server(s):
2) make sure your sshd_config has TrustedUserCAKeys assigned
TrustedUserCAKeys  /etc/ssh/trusted_cakeys       # or whatever name or
location you like

3) edit /etc/ssh/trusted_cakeys and add the contents of ca_rsa.pub in it

4) Disable AuthorizedKeysFile in sshd_config by pointing it to /dev/null
to prevent normal public keys from working (preferably in a Match
user/group section of sshd_config).

CA user:
5) for a user, generate a certificate of their public key with some limitations
ssh-keygen -s ca_rsa -I keyid -n jimmy -V +2w1d id_rsa.pub
This will generate an id_rsa-cert.pub certificate file which is valid
for 15 days

Jimmy:
6) put his id_rsa-cert.pub in his ~/.ssh directory
ssh jimmy@server        # connect to server using the certificate
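A defender-side check of what the signed id_rsa-cert.pub from step 5 actually grants, as an added example that is not from Hans's post or from OpenSSH itself: it parses the certificate's key ID (-I), principals (-n) and validity window (-V) and answers whether sshd would accept it for a given user at a given time. It uses only the Python 3 standard library; the certificate it builds is a constructed, unsigned test blob, so point parse_cert at a real id_rsa-cert.pub line to audit one.

```python
import base64
import struct

CERT_TYPE = b"ssh-rsa-cert-v01@openssh.com"
USER_CERT = 1  # certificate type field: 1 = user certificate, 2 = host certificate

def _s(data):
    """Encode an SSH 'string' (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data

def _read_s(buf, off):
    """Decode an SSH 'string' at offset; return (bytes, new offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_cert(key_id, principals, valid_after, valid_before):
    """Constructed test cert: correct field order, placeholder key/nonce/CA key/signature (unsigned)."""
    body = (_s(CERT_TYPE) + _s(b"\x00" * 32) + _s(b"\x01\x00\x01") + _s(b"\x00" * 256)
            + struct.pack(">QI", 1, USER_CERT) + _s(key_id)
            + _s(b"".join(_s(p) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"") + _s(b"") + _s(b"")          # critical options, extensions, reserved
            + _s(b"ca-key-placeholder") + _s(b"signature-placeholder"))
    return CERT_TYPE.decode() + " " + base64.b64encode(body).decode() + " constructed-test"

def parse_cert(line):
    """Parse one line of an id_rsa-cert.pub file into its identity-relevant fields."""
    blob = base64.b64decode(line.split()[1])
    ctype, off = _read_s(blob, 0)
    if ctype != CERT_TYPE:
        raise ValueError("not an ssh-rsa-cert-v01 certificate")
    for _ in range(3):                     # skip nonce, RSA e, RSA n
        _, off = _read_s(blob, off)
    serial, kind = struct.unpack(">QI", blob[off:off + 12])
    key_id, off = _read_s(blob, off + 12)
    plist, off = _read_s(blob, off)
    principals, p = [], 0
    while p < len(plist):                  # principals are nested SSH strings
        name, p = _read_s(plist, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack(">QQ", blob[off:off + 16])
    return {"serial": serial, "type": kind, "key_id": key_id.decode(), "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}

def usable_by(cert, user, now):
    """Principal and validity check as sshd applies it (empty list = any principal; end exclusive)."""
    return (cert["type"] == USER_CERT
            and (not cert["principals"] or user in cert["principals"])
            and cert["valid_after"] <= now < cert["valid_before"])
```

Signature verification against the TrustedUserCAKeys file is deliberately left to sshd; this only shows the identity and window the CA user signed in.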
