[Discuss] sshd and key authority -- inspired by deadmanish
- Subject: [Discuss] sshd and key authority -- inspired by deadmanish
- From: markw at mohawksoft.com (markw at mohawksoft.com)
- Date: Mon, 6 Feb 2017 15:10:46 -0500
One of the problems with ssh is the "I have to connect to the machine to copy my public key before I can connect with my key to the machine" problem.

One of the cool, but little used, features of sshd is the TrustedUserCAKeys setting. This allows you to create a public/private centralized key authority (you use openssl to create the authority) and you can use:

    ssh-keygen -f ca.key -y > ca.sshd

This will create the sshd authority key (the ca.key and ca.pub were set up by openssl). Put in sshd_config as:

    TrustedUserCAKeys /path/ca.sshd

Now, create your key as you normally would:

    ssh-keygen -f yourkeyname

Here's the fun part! Sign it:

    ssh-keygen -s ca.pem -I "yourname" -n yourlogin -V +2d yourkeyname.pub

The above does two things:
(1) Creates a certificate public key that is signed with your central authority.
(2) The -V command line option limits how long the key is valid.

This allows you to give someone a key that is valid for a certain number of days.
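As an added illustration (not part of the post above), the script below shows where the -I, -n and -V values end up: inside the base64 blob of the yourkeyname-cert.pub file that ssh-keygen -s writes, as the key id, the valid-principals list and the valid_after/valid_before window. It decodes that blob the way an auditor would when checking what a CA has actually issued, and reproduces the two conditions sshd applies on login (principal match and time window). Because a real signed certificate needs the CA private key, the sample certificate here is constructed in-code with dummy key bytes and a dummy signature; the timestamps and names are likewise constructed placeholders, and the layout follows the OpenSSH certificate format (PROTOCOL.certkeys), not anything the post itself specifies.

```python
"""Decode the fields that `ssh-keygen -s ... -I id -n principal -V +2d`
writes into an OpenSSH user certificate, and re-check the validity
conditions sshd enforces.  Added example, not from the original post.
"""
import base64
import struct

CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1


def _string(data: bytes) -> bytes:
    """Pack an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_demo_cert(key_id, principals, valid_after, valid_before):
    """Constructed sample certificate in the ssh-ed25519-cert-v01 layout.
    Key material and signature are dummy bytes; this is only to exercise
    the parser offline, nothing here would be accepted by sshd."""
    principals_blob = b"".join(_string(p.encode()) for p in principals)
    body = (
        _string(CERT_TYPE.encode())
        + _string(b"\x00" * 32)                 # nonce
        + _string(b"\x11" * 32)                 # subject public key (dummy)
        + struct.pack(">Q", 1)                  # serial
        + struct.pack(">I", SSH_CERT_TYPE_USER) # user (not host) certificate
        + _string(key_id.encode())              # from -I
        + _string(principals_blob)              # from -n
        + struct.pack(">Q", valid_after)        # from -V
        + struct.pack(">Q", valid_before)       # from -V
        + _string(b"")                          # critical options
        + _string(b"")                          # extensions
        + _string(b"")                          # reserved
        + _string(_string(b"ssh-ed25519") + _string(b"\x22" * 32))  # CA key (dummy)
        + _string(b"\x33" * 64)                 # signature (dummy)
    )
    return f"{CERT_TYPE} {base64.b64encode(body).decode()} demo-comment"


class Reader:
    """Sequential decoder for the SSH wire types used in certificates."""

    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def string(self) -> bytes:
        (n,) = struct.unpack_from(">I", self.buf, self.pos)
        self.pos += 4
        value = self.buf[self.pos:self.pos + n]
        self.pos += n
        return value

    def u32(self) -> int:
        (v,) = struct.unpack_from(">I", self.buf, self.pos)
        self.pos += 4
        return v

    def u64(self) -> int:
        (v,) = struct.unpack_from(">Q", self.buf, self.pos)
        self.pos += 8
        return v


def parse_cert(cert_line: str) -> dict:
    """Extract key id, principals and validity window from a *-cert.pub line."""
    blob = base64.b64decode(cert_line.split()[1])
    r = Reader(blob)
    cert_type = r.string().decode()
    if not cert_type.endswith("-cert-v01@openssh.com"):
        raise ValueError("not an OpenSSH certificate")
    r.string()                                  # nonce
    if cert_type.startswith("ssh-rsa"):
        r.string(); r.string()                  # mpint e, mpint n
    elif cert_type.startswith("ecdsa-"):
        r.string(); r.string()                  # curve name, point
    else:
        r.string()                              # ed25519 public key
    r.u64()                                     # serial
    if r.u32() != SSH_CERT_TYPE_USER:
        raise ValueError("not a user certificate")
    key_id = r.string().decode()
    pr = Reader(r.string())
    principals = []
    while pr.pos < len(pr.buf):
        principals.append(pr.string().decode())
    return {"key_id": key_id, "principals": principals,
            "valid_after": r.u64(), "valid_before": r.u64()}


def is_valid_at(cert: dict, when: int, login: str) -> bool:
    """The two checks sshd applies: requested login is a listed principal,
    and the current time lies inside [valid_after, valid_before)."""
    return (login in cert["principals"]
            and cert["valid_after"] <= when < cert["valid_before"])


def lifetime_days(cert: dict) -> float:
    return (cert["valid_before"] - cert["valid_after"]) / 86400


# Constructed values standing in for `-I "yourname" -n yourlogin -V +2d`.
DEMO_AFTER = 1486339200                          # placeholder epoch seconds
DEMO_CERT_LINE = build_demo_cert("yourname", ["yourlogin"],
                                 DEMO_AFTER, DEMO_AFTER + 2 * 86400)

if __name__ == "__main__":
    cert = parse_cert(DEMO_CERT_LINE)
    print(cert, "lifetime days:", lifetime_days(cert))
    print("yourlogin one day in:", is_valid_at(cert, DEMO_AFTER + 86400, "yourlogin"))
    print("root one day in:", is_valid_at(cert, DEMO_AFTER + 86400, "root"))
```

On a real certificate the same fields are what `ssh-keygen -L -f yourkeyname-cert.pub` prints; the parser is useful when you want to scan many issued certificates for overly long windows or missing principals rather than read them one at a time.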