Use of ssh certificates in a multi server of different kind environment.

Mauricio Tavares raubvogel at gmail.com
Fri Jul 8 00:50:22 EST 2011


On Thu, Jul 7, 2011 at 8:44 AM, Kevin Denis <kevin at alinto.com> wrote:
> Hello,
>
> [if I'm not in the right mailing list, please advise it to me]
>
> I'm using ssh certificates for my servers and my users.
> I have questions about it:
>
> I can use the same CA in order to certify all my hosts. Every client can use it,
> and it's a great setup. But, if I use the same CA for all my clients, it means that
> any client can log in to any server because hosts trust my CA. And it's not a
> desired behavior.
>
> So I made several CAs, one for each type of server. One for webservers, one
> for svn servers, one for my cluster, and so on.. and it works, but I have to
> manage a lot of keys. And certify each kind of user with the right key.
>
> Is there a way to add in the client certificate the name of the host authorized to
> log in to? With that I could still use only one CA and certify anyone behind it, a
> kind of:
> ssh-keygen -s CAKey -I CA -n user1 -O destination_address
> server1,192.168.19.2 user_rsa_key.pub
>
> But the destination_address option doesn't exist...
>
> So, am I doing right with my multiple CAs? Or is there a better way?
>
      Can't your firewall/hosts.{allow,deny} files specify which IPs
and subnets are allowed to login to your server? This will not solve
your problem but could be a start.

> Thanks,
>
> Sent with Inmano, my amazing free webmail: http://www.inmano.com
>
>
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
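Added example for the question above; it is not code from either poster or from the OpenSSH project. It shows the mechanism OpenSSH provides for exactly this case, so that one user CA can serve hosts of different kinds: the certificate carries principals (ssh-keygen -n), and each host's AuthorizedPrincipalsFile (sshd_config, available since OpenSSH 5.6) lists which principals it accepts. The host roles, principal names and file paths (webservers, svn, cluster, server1, user1, /etc/ssh/auth_principals) are hypothetical; ssh-keygen is only used if it is installed.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenSSH project.  One user CA,
# per-host authorization via AuthorizedPrincipalsFile.  Role and principal
# names (webservers, svn, cluster, server1, user1) are hypothetical.
set -eu

WORK="${TMPDIR:-/tmp}/ssh-ca-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# sshd_config fragment that is identical on every server (real directives,
# assumed paths).  With AuthorizedPrincipalsFile set, sshd matches the cert's
# principals against that file instead of against the Unix user name.
sshd_fragment() {
  cat <<'EOF'
TrustedUserCAKeys /etc/ssh/ca_user.pub
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
EOF
}

# Contents of /etc/ssh/auth_principals/<user> on a host of the given role.
# Constructed sample policy: a webserver accepts "webservers", an svn host
# accepts "svn", a cluster node accepts "cluster" or "webservers", and a host
# may list its own name so a cert can be pinned to that single host.
host_principals() {  # $1 = host role
  case "$1" in
    webserver) printf '%s\n' webservers ;;
    svn)       printf '%s\n' svn ;;
    cluster)   printf '%s\n' cluster webservers ;;
    server1)   printf '%s\n' server1 ;;
    *)         : ;;  # unknown role: empty file, nobody is accepted
  esac
}

# Emulates sshd's decision: the certificate is accepted when any of its
# principals matches a whole line of the host's principals file.
cert_allowed_on() {  # $1 = host role, $2 = comma-separated cert principals
  host_principals "$1" > "$WORK/principals.$1"
  printf '%s\n' "$2" | tr ',' '\n' | grep -qxF -f - "$WORK/principals.$1"
}

# Real signing with ssh-keygen, when installed.  -n sets the principals.
# -O source-address does exist (unlike destination_address) but limits where
# the client connects FROM, so it does not replace the per-host file.
issue_cert() {  # $1 = comma-separated principals
  if ! command -v ssh-keygen >/dev/null 2>&1; then
    echo "ssh-keygen not installed; skipping real signing" >&2
    return 0
  fi
  ssh-keygen -q -t ed25519 -N '' -f "$WORK/ca_user"
  ssh-keygen -q -t ed25519 -N '' -f "$WORK/user1"
  ssh-keygen -q -s "$WORK/ca_user" -I user1-cert -n "$1" \
    -O source-address=192.168.19.0/24 -V +52w "$WORK/user1.pub"
  ssh-keygen -L -f "$WORK/user1-cert.pub"   # shows the Principals: line
}

# Stand-alone demo: sign once, then see which hosts would accept the cert.
sshd_fragment
issue_cert user1,webservers
for role in webserver svn cluster server1; do
  if cert_allowed_on "$role" user1,webservers; then
    echo "user1,webservers -> $role: accepted"
  else
    echo "user1,webservers -> $role: rejected"
  fi
done
```

The per-server-type CAs from the question map onto principals: where a separate CA was used for webservers, sign with -n user1,webservers instead and have only webservers list that principal. Pinning a certificate to one machine, the "destination_address" the question asks for, is the same trick with the host's own name as the principal and that name in the host's file. Firewalls, hosts.{allow,deny} and -O source-address all constrain the client's source address, not the destination, which is why they only complement this.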

