Using CA-signed user keys (SSH certificates) with TrustedUserCAKeys
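# As root.
# The CA private key lives in this directory, so keep it root-only.
mkdir -m 0700 /etc/ssh/ca
# You could use "openssl req ..." to create an x509 key pair
# or use ssh-keygen.
# Here I am using ssh-keygen (and will password protect the private key).
# As root.
# -b sets the RSA modulus size explicitly instead of relying on the
# ssh-keygen default; -C is only a comment stored in the public key.
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ca/sshCAkey -C "SSH CA Key"
# Optionally enter a passphrase. Suggested that you do: whoever holds this
# private key can mint certificates that every server trusting the CA
# will accept.
# Now create the file to be used for the TrustedUserCAKeys option
# in /etc/ssh/sshd_config by writing the contents of /etc/ssh/ca/sshCAkey.pub
# into the file.
# As root. Appending (>>) lets several CA public keys be listed, one per
# line; running this step twice appends a duplicate line, so check the
# file before copying it to other servers.
cat /etc/ssh/ca/sshCAkey.pub >> /etc/ssh/ca/CAKeyFile
# Now you want to sign a user's key.
# As root.
# The principal (-n) is the login name the certificate is valid for: sshd
# accepts the certificate only for an account named in the principal list
# (unless AuthorizedPrincipalsFile is used), so it must match the account
# whose key is being signed -- the same name is used below to locate the key.
# -I is a free-form identity that appears in the server's auth log.
# -V gives the certificate a lifetime; without it the certificate is
# "valid forever" and can only be withdrawn with a revocation list.
# -z (not used here) sets a serial number, useful when revoking.
user=bschuck
home_dir=$(getent passwd "${user}" | cut -d: -f6)
ssh-keygen -s /etc/ssh/ca/sshCAkey \
  -I "${user}-$(date +%Y%m%d)" \
  -n "${user}" \
  -V +52w \
  "${home_dir}/.ssh/id_rsa.pub"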
Enter passphrase:
Signed user key /home/user/.ssh/id_rsa-cert.pub: id "key_id" serial 0 for user valid forever
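# You can optionally use the -z option to set a serial number and
# the -V option to set a validity time.
# See man ssh-keygen(1); some of the options may be different for BSD,
# OSX, and CentOS/RHEL vs Ubuntu/Debian.
# -n principals
# -z serial number
# The signed certificate is written next to the public key as
# id_rsa-cert.pub. Check what was actually signed (principals, validity,
# key id) before handing it back: -L prints the certificate contents.
# The login name must be the same one used as the -n principal at signing.
user=bschuck
home_dir=$(getent passwd "${user}" | cut -d: -f6)
cert="${home_dir}/.ssh/id_rsa-cert.pub"
ssh-keygen -L -f "${cert}"
# Change ownership and perms so the user, not root, owns the certificate.
chown -- "${user}:${user}" "${cert}"
chmod 600 -- "${cert}"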
# Modify your /etc/ssh/sshd_config file.
# Add the line below; sshd only picks the change up when it is restarted or reloaded.
TrustedUserCAKeys /etc/ssh/ca/CAKeyFile
# Optionally, to allow only users with CA-signed keys to log in over ssh,
# change AuthorizedKeysFile to none (plain authorized_keys entries are then ignored)
# and change PasswordAuthentication to no. Confirm a certificate login works in a
# second session first, since these two settings remove the other ways in.
# If an older client needs to connect to a newer server, the OpenSSH
# configuration on the newer server needs the following KexAlgorithms line
# in its sshd_config (or in a drop-in such as /etc/ssh/sshd_config.d/kex.conf).
# Needed for connections from CentOS 5.x systems. Note that this re-enables the
# SHA-1 Diffie-Hellman groups, which current OpenSSH omits by default, for every
# client of this server, so keep it only while such legacy clients exist. Run
# `sshd -t` before restarting: a name the server's OpenSSH build does not know
# (the tinyssh sntrup entry, for example, exists only in some releases) makes
# sshd reject the whole configuration file.
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256,curve25519-sha256@libssh.org,sntrup4591761x25519-sha512@tinyssh.org