commit 0c22bfede59ae0a5080a55287627303a960c42be parent 41593ad0a59ec4db5aae084494d09249b88e8491 Author: pyratebeard <root@pyratebeard.net> Date: Wed, 13 Dec 2023 21:20:51 +0000 respect_my_authoritah Diffstat:
| M | entry/respect_my_authoritah.md | | | 69 | ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- |
1 file changed, 68 insertions(+), 1 deletion(-)
diff --git a/entry/respect_my_authoritah.md b/entry/respect_my_authoritah.md @@ -6,7 +6,7 @@ * userca server * add cert to pgp key -* create ca keys +* create host ca keys ``` ssh-keygen -t ed25519 -C hostca@pyratebeard.net -f hostca-key cat hostca-key.pub @@ -66,6 +66,73 @@ HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub * reload ssh daemon +## client +* create client ca key +``` +ssh-keygen -t ed25519 -C clientca@pyratebeard.net -f clientca-key +cat clientca-key.pub +``` + +* copy user key +``` +# method 1 +cat >> pyratebeard-ssh_ed25519_key.pub << EOF +> [public key] +> EOF + +# method 2 +rsync pyratebeard-ssh_ed25519_key.pub server:pyratebeard-ssh_ed25519_key.pub +``` + +* sign user public key with ca private key +``` +ssh-keygen -s clientca-key -I pyratebeard@pyratebeard.net -n pyratebeard -V +52w pyratebeard-ssh_ed25519_key.pub +``` + * -s sign + * -I unique identifier + * -n principal + * -V validity + +* confirm new user key cert +``` +ssh-keygen -L -f pyratebeard-ssh_ed25519_key-cert.pub +``` + +* copy new key cert back to users machine +``` +# method 1 (on users machine) +cat >> pyratebeard-ssh_ed25519_key-cert.pub << EOF +> [user key cert] +> EOF + +# method 2 +rsync server:pyratebeard-ssh_ed25519_key-cert.pub pyratebeard-ssh_host_ed25519_key-cert.pub +``` + +* copy client ca public key to all servers +``` +# method 1 (on server) +cat >> /etc/ssh/clientca.pub << EOF +> [clientca public key] +> EOF + +# method 2 +rsync clientca.pub server:/etc/ssh/clientca.pub +``` + +* on servers add following to _/etc/ssh/sshd_config_ +``` +TrustedUserCAKeys /etc/ssh/clientca.pub +``` +* reload ssh daemon + +* on users machine add following to ~/.ssh/config +``` +CertificateFile /path/to/pyratebeard-ssh_host_ed25519_key-cert.pub +``` + +* now no longer need authorized_keys file on server +* only one line in known_hosts, or /etc/ssh/ssh_known_hosts * must have dns resolv on greyskull (and nublar for lxc) * must have short name in ssh/config on nublar for lxc