pyratelog

personal blog
git clone git://git.pyratebeard.net/pyratelog.git

commit 41593ad0a59ec4db5aae084494d09249b88e8491
parent 10019a9184e9bd2f7a2ba4b51ba5068d8aae98d0
Author: pyratebeard <root@pyratebeard.net>
Date:   Wed,  6 Dec 2023 17:20:30 +0000

respect_my_authoritah

Diffstat:
M entry/respect_my_authoritah.md | 65+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 65 insertions(+), 0 deletions(-)

diff --git a/entry/respect_my_authoritah.md b/entry/respect_my_authoritah.md @@ -6,6 +6,71 @@ * userca server * add cert to pgp key +* create ca keys +``` +ssh-keygen -t ed25519 -C hostca@pyratebeard.net -f hostca-key +cat hostca-key.pub +``` + +* on local system, add ca pub key to _~/.ssh/known_hosts_ +``` +cat >> ~/.ssh/known_hosts << EOF +> @cert-authority *.pyratebeard.net [hostca public key] +> EOF +``` + +* copy server public key +``` +# method 1 +cat >> server-ssh_host_ed25519_key.pub << EOF +> [public key] +> EOF + +# method 2 +rsync server:/etc/ssh/ssh_host_ed25519_key.pub server-ssh_host_ed25519_key.pub + +# method 3 +ssh-keyscan server | grep ed25519 +``` + +* sign server public key with ca private key +``` +ssh-keygen -s hostca-key -h -I server@pyratebeard.net -n server.pyratebeard.net,server -V +52w server-ssh_host_ed25519_key.pub +``` + * -s sign + * -h host cert + * -I unique identifier + * -n principals + * -V validity + +* confirm new server key cert +``` +ssh-keygen -L -f server-ssh_host_ed25519_key-cert.pub +``` + +* copy new key cert to server +``` +# method 1 (on server) +cat >> /etc/ssh/ssh_host_ed25519_key-cert.pub << EOF +> [server key cert] +> EOF + +# method 2 +rsync server-ssh_host_ed25519_key-cert.pub server:/etc/ssh/ssh_host_ed25519_key-cert.pub +``` + +* on server add following to _/etc/ssh/sshd_config_ +``` +HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub +``` + +* reload ssh daemon + + +* must have dns resolv on greyskull (and nublar for lxc) +* must have short name in ssh/config on nublar for lxc +* must have cert-auth known host on nublar for lxc + aliases.zsh lxst=lxc-unpriv-start
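Review bot: in the "copy server public key" step, method 3 (`ssh-keyscan server | grep ed25519`) does not produce the `server-ssh_host_ed25519_key.pub` file that methods 1 and 2 create and that the signing step reads, and ssh-keyscan prints lines in known_hosts form (`hostname keytype key`), not the `keytype key` form of a public key file. Suggest dropping the leading hostname field and redirecting to the file, e.g. `ssh-keyscan server | grep ed25519 | awk '{print $2, $3}' > server-ssh_host_ed25519_key.pub`, so the three methods are interchangeable. A second point for the same hunk: the certificate is issued with principals `server.pyratebeard.net,server`, but the client trust line is `@cert-authority *.pyratebeard.net ...`, which only matches the fully qualified name; connecting with the short name `server` will not use the CA unless the name is canonicalised (the trailing "must have short name in ssh/config" note seems to acknowledge this, so it is worth stating explicitly in the entry). Finally, the "reload ssh daemon" step has no command; it would help to state that the reload must happen after the `HostCertificate` line is added and that the cert must match the already-loaded `ssh_host_ed25519_key`.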