Use of ssh certificates in a multi-server environment with different kinds of servers.

Kevin Denis kevin at alinto.com
Thu Jul 7 22:44:33 EST 2011


Hello,

[if I'm not on the right mailing list, please advise me]

I'm using ssh certificates for my servers and my users. 
I have questions about it:

I can use the same CA in order to certify all my hosts. Every client can use it, 
and it's a great setup. But if I use the same CA for all my clients, it means that 
any client can log in to any server because the hosts trust my CA. And that's not the 
desired behavior. 

So I made several CAs, one for each type of server. One for webservers, one 
for svn servers, one for my cluster, and so on... and it works, but I have to 
manage a lot of keys. And certify each kind of user with the right key.

Is there a way to add in the client certificate the name of the host it is authorized to 
log in to? With that I could still use only one CA and certify anyone behind it, a 
kind of:
ssh-keygen -s CAKey -I CA -n user1 -O destination_address server1,192.168.19.2 user_rsa_key.pub

But the destination_address option doesn't exist...

So, am I doing it right with my multiple CAs? Or is there a better way?

Thanks, 

Sent with Inmano, my amazing free e-mail service: http://www.inmano.com
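Added example (editor's addition, not part of the original post or a reply to it): the effect the post asks for, one user CA whose certificates are only honoured on some hosts, can be modelled with certificate principals plus sshd's AuthorizedPrincipalsFile rather than a per-host-class CA. The certificate carries one principal per host class (here "web" or "svn"), and each host lists, per login user, the principals it accepts. The CA/key paths, the host-class names and the login "user1" are assumptions made for the example; `principal_allowed` is a small shell model of the match sshd performs, written so the policy can be checked without a running sshd.

```shell
#!/bin/sh
# Added example, not from the original post: scoping a single user CA to host
# classes with certificate principals and sshd's AuthorizedPrincipalsFile.
# Key paths, the classes "web"/"svn" and the login "user1" are assumptions.
set -eu

# 1. One CA signs every user key. Instead of one CA per host class, the
#    certificate carries a principal per host class the user may reach,
#    e.g. "user1,web" for someone allowed on webservers only.
issue_user_cert() {
    # usage: issue_user_cert <ca_private_key> <user_pubkey> <key_id> <principals>
    ssh-keygen -q -s "$1" -I "$3" -n "$4" -V +52w "$2"
}

# 2. sshd_config fragment for a host: trust the CA, and require that one of
#    the certificate's principals appears in /etc/ssh/auth_principals/<user>.
#    Webservers put "web" in that file, svn servers put "svn"; a cert with
#    only "web" is then refused on an svn box even though its CA is trusted.
write_sshd_fragment() {
    # usage: write_sshd_fragment <outfile> <path of the CA public key on the host>
    printf 'TrustedUserCAKeys %s\nAuthorizedPrincipalsFile /etc/ssh/auth_principals/%%u\n' "$2" > "$1"
}

# 3. Minimal model of the AuthorizedPrincipalsFile check: accept when any
#    principal in the certificate exactly matches a non-comment line of the
#    file. (Per-line key options, which sshd also allows there, are not modelled.)
principal_allowed() {
    # usage: principal_allowed <comma-separated cert principals> <principals file>
    _file="$2"
    [ -r "$_file" ] || return 1          # no file for this user: nobody gets in
    for _p in $(printf '%s' "$1" | tr ',' ' '); do
        if sed -e 's/#.*//' -e 's/[[:space:]]*$//' "$_file" | grep -qFx -- "$_p"; then
            return 0
        fi
    done
    return 1
}

# Demonstration, run only when ssh-keygen is available (principal_allowed
# itself does not need it).
if command -v ssh-keygen >/dev/null 2>&1; then
    WORK=$(mktemp -d)
    ssh-keygen -q -t ed25519 -N '' -f "$WORK/user_ca"
    ssh-keygen -q -t ed25519 -N '' -f "$WORK/user1_key"
    issue_user_cert "$WORK/user_ca" "$WORK/user1_key.pub" user1@example "user1,web"
    ssh-keygen -L -f "$WORK/user1_key-cert.pub"   # lists the two principals
    write_sshd_fragment "$WORK/sshd_config.fragment" /etc/ssh/user_ca.pub
    mkdir -p "$WORK/auth_principals"
    printf 'web\n' > "$WORK/auth_principals/webserver_user1"
    printf 'svn\n' > "$WORK/auth_principals/svnserver_user1"
    principal_allowed "user1,web" "$WORK/auth_principals/webserver_user1" && echo "webserver: accepted"
    principal_allowed "user1,web" "$WORK/auth_principals/svnserver_user1" || echo "svn server: refused"
fi
```

The same restriction can also be expressed without TrustedUserCAKeys, by listing the CA in the target user's authorized_keys with the `cert-authority` and `principals="web"` options; the principals-file form keeps the policy in one place per host, which is what makes a single CA manageable across the host classes the post describes.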