Auth via Multiple Publickeys, Using Multiple Sources, One Key per Source
Jakob Schürz
wertstoffe at schuerz.at
Thu Jun 4 09:06:24 AEST 2020
Do you know about certificates for openssh?
You create a CA for host keys and another for client keys.
Then you create a certificate for all of your host-key public keys with
your host CA.
Publish these certificates to all of your hosts and change the
configuration of sshd to use these certificates as well.
Publish the public key of your user CA to all hosts.
Publish the public key of your host CA to all your clients.
Then create certificates with the user CA for all of your users' public keys. Add
principals (one or more) to these user certs. Give them to the users.
Change ssh_config to accept only hosts with valid host certs.
Create mapping files. Each PAM user gets its own file, where the
principals are listed (one per line) which are allowed to log in as this
user.
You don't need to accept a changed host key anymore. You can regulate with
the principals file which user can log in as which user. You can also use a
script instead of these files, so LDAP or other mechanisms are possible
too via a script.
Certs can have a serial number and a validity date. You can revoke by
public key the whole user, or revoke by serial number.
This is a first entry point:
https://chandanduttachowdhury.wordpress.com/2014/12/31/certificate-based-ssh-user-authentication/
Many howtos talk about public keys instead of certificates when you search
on your search engine. Be careful with your searches. Certificates use
public keys; they are not public keys!!
Regards
Jakob
--
More information about the openssh-unix-dev
mailing list
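The whole procedure from the post above (two CAs, signed host and user keys, sshd and client configuration, one principals file per account, revocation by serial), as an added, runnable example that is not part of the original mail or of OpenSSH itself. It builds a throwaway lab in a temporary directory with ssh-keygen; the hostname "bastion", the domain example.com, the user names, the serial numbers and the /etc/ssh and ~/.ssh paths in the rendered configuration fragments are all assumptions chosen for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not from the mailing-list post): an OpenSSH certificate lab
# built in a scratch directory. Names, domain, serials and the /etc/ssh paths
# in the rendered configs are assumptions.
set -eu

LAB=${LAB:-$(mktemp -d)}   # stands in for /etc/ssh and ~/.ssh
DOMAIN=example.com         # assumed domain covered by the host CA

# Step 1: one CA for host keys, a separate one for user (client) keys.
make_cas() {
    [ -f "$LAB/host_ca" ] || ssh-keygen -q -t ed25519 -N '' -C host-ca -f "$LAB/host_ca"
    [ -f "$LAB/user_ca" ] || ssh-keygen -q -t ed25519 -N '' -C user-ca -f "$LAB/user_ca"
}

# Step 2: sign a host key with the host CA (-h = host certificate). The
# principals are the names a client may use to reach this host.
sign_host_key() {   # $1 = short hostname; prints the cert path
    local host=$1 key="$LAB/ssh_host_ed25519_key"
    [ -f "$key" ] || ssh-keygen -q -t ed25519 -N '' -f "$key"
    ssh-keygen -q -s "$LAB/host_ca" -I "$host" -h -n "$host,$host.$DOMAIN" -V +52w "$key.pub"
    echo "$key-cert.pub"
}

# Step 3: sign a user key with the user CA: principals (-n), a serial for
# later revocation (-z) and a validity window (-V).
sign_user_key() {   # $1 = key name, $2 = serial, rest = principals; prints the cert path
    local name=$1 serial=$2 principals
    shift 2
    principals=$(printf '%s,' "$@"); principals=${principals%,}
    [ -f "$LAB/$name" ] || ssh-keygen -q -t ed25519 -N '' -C "$name" -f "$LAB/$name"
    ssh-keygen -q -s "$LAB/user_ca" -I "$name" -n "$principals" -z "$serial" -V +1d "$LAB/$name.pub"
    echo "$LAB/$name-cert.pub"
}

# Step 4: sshd side: present the host cert, trust the user CA, map principals
# to local accounts with one file per account (%u), and honour a KRL.
render_sshd_config() {
    cat <<'EOF'
# /etc/ssh/sshd_config (assumed paths)
HostKey /etc/ssh/ssh_host_ed25519_key
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
TrustedUserCAKeys /etc/ssh/user_ca.pub
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
RevokedKeys /etc/ssh/revoked.krl
# Instead of files, a script (hypothetical) that prints the principals for %u,
# e.g. from LDAP, running as an unprivileged user:
#AuthorizedPrincipalsCommand /usr/local/sbin/principals-for-user %u
#AuthorizedPrincipalsCommandUser nobody
EOF
}

# Step 5: client side: trust the host CA for the whole domain (no per-host
# key prompts) and negotiate only certificate host-key algorithms.
render_client_config() {
    cat <<EOF
# ~/.ssh/known_hosts
@cert-authority *.$DOMAIN $(cat "$LAB/host_ca.pub")
# ~/.ssh/config
Host *.$DOMAIN
    StrictHostKeyChecking yes
    HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com
    CertificateFile ~/.ssh/id_ed25519-cert.pub
EOF
}

# Step 6: the mapping files. principal_allowed mirrors sshd's check: the
# cert principal must appear as a whole line in the target account's file.
write_principals() {   # $1 = local account, rest = principals allowed to log in as it
    local user=$1; shift
    mkdir -p "$LAB/auth_principals"
    printf '%s\n' "$@" > "$LAB/auth_principals/$user"
}
principal_allowed() {  # $1 = local account, $2 = principal from the presented cert
    grep -qxF -- "$2" "$LAB/auth_principals/$1" 2>/dev/null
}

# Step 7: revocation by serial goes into a KRL together with the issuing CA's
# public key (a plain public key could be added to the same KRL to revoke a
# user outright).
revoke_serial() {   # $1 = certificate serial number
    local spec; spec=$(mktemp)
    printf 'serial: %s\n' "$1" > "$spec"
    if [ -f "$LAB/revoked.krl" ]; then
        ssh-keygen -q -k -u -f "$LAB/revoked.krl" -s "$LAB/user_ca.pub" "$spec"
    else
        ssh-keygen -q -k -f "$LAB/revoked.krl" -s "$LAB/user_ca.pub" "$spec"
    fi
    rm -f "$spec"
}
cert_revoked() {    # $1 = cert file; true if the KRL rejects it
    [ -f "$LAB/revoked.krl" ] || return 1
    ! ssh-keygen -Q -f "$LAB/revoked.krl" "$1" >/dev/null
}

main() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found, skipping lab" >&2; return 0; }
    local cert
    make_cas
    sign_host_key bastion >/dev/null
    cert=$(sign_user_key jakob 1001 jakob admin)
    write_principals www-data jakob      # principal "jakob" may log in as www-data
    write_principals root admin          # only principal "admin" may log in as root
    ssh-keygen -L -f "$cert"             # shows key id, serial, principals, validity
    render_sshd_config; render_client_config
    revoke_serial 1001
    if cert_revoked "$cert"; then echo "serial 1001 is now in the KRL; sshd will reject it"; fi
}
main "$@"
```

Run it with `bash ssh-ca-lab.sh`; it prints the signed user certificate, the two configuration fragments and the revocation result. The principals files here contain bare principal names only; sshd also accepts authorized_keys-style options in front of a principal, which this check does not model.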