[Discuss] sshd and key authority -- inspired by deadmanish
markw at mohawksoft.com
Mon Feb 6 15:10:46 EST 2017
One of the problems with ssh is the "I have to connect to the machine to
copy my public key before I can connect with my key to the machine"
problem.
One of the cool, but little used, features of sshd is the
TrustedUserCAKeys setting.
This allows you to create a public/private centralized key authority, (you
use openssl to create the authority) and you can use:
ssh-keygen -f ca.key -y > ca.sshd
This will create the sshd authority key (the ca.key and ca.pub were set up
by openssl). Put it in sshd_config as:
TrustedUserCAKeys /path/ca.sshd
Now, create your key as you normally would.
ssh-keygen -f yourkeyname
Here's the fun part! Sign it:
ssh-keygen -s ca.key -I "yourname" -n yourlogin -V +2d yourkeyname.pub
The above does two things:
(1) Creates a certificate public key that is signed with your central
authority.
(2) The -V command line option limits how long the key is valid.
This allows you to give someone a key that is valid for a certain number
of days.
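As an added example (not part of the original post), the script below carries the procedure through end to end: it builds a user CA, signs a user key with the same -I/-n/-V options, and reads back the principals, signing-CA fingerprint and validity window that sshd will check. It generates the CA with ssh-keygen directly instead of openssl, and every file name in it is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: stand up an SSH user CA, sign a
# user key with a two-day validity window and read back what sshd will check.
# Assumes ssh-keygen is on PATH; every file name below is made up.
set -eu
command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found, nothing to demonstrate" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_KEY="$WORK/ca.key"          # CA private key: keep it off the servers
USER_KEY="$WORK/yourkeyname"   # the user's ordinary key pair
CERT="$USER_KEY-cert.pub"      # ssh-keygen -s writes the certificate here

# Generate the CA directly with ssh-keygen (the post derives ca.sshd from an
# openssl-made key with `ssh-keygen -y`; sshd only ever needs the public half).
make_ca() {
    ssh-keygen -q -t ed25519 -N '' -f "$CA_KEY"
    cp "$CA_KEY.pub" "$WORK/ca.sshd"   # this is the TrustedUserCAKeys file
}

# Sign the user's public key: -I is the identity sshd logs, -n the principals
# (login names) the cert is good for, -V the validity window.
sign_user_key() {
    ssh-keygen -q -t ed25519 -N '' -f "$USER_KEY"
    ssh-keygen -q -s "$CA_KEY" -I yourname -n yourlogin -V +2d "$USER_KEY.pub"
}

# Principals embedded in the certificate, one per line.
cert_principals() {
    ssh-keygen -L -f "$CERT" | awk '/Principals:/{p=1;next} /Critical Options:/{p=0} p{print $1}'
}

# True when the certificate carries a bounded validity window (-V was used).
cert_has_expiry() {
    ! ssh-keygen -L -f "$CERT" | grep -q 'Valid: forever'
}

# True when the signing CA fingerprint matches the key in ca.sshd.
cert_signed_by_ca() {
    want=$(ssh-keygen -lf "$WORK/ca.sshd" | awk '{print $2}')
    got=$(ssh-keygen -L -f "$CERT" | awk '/Signing CA:/{print $4}')
    [ "$want" = "$got" ]
}

# The server-side line that makes sshd trust certificates from this CA.
sshd_config_line() {
    printf 'TrustedUserCAKeys %s\n' "$WORK/ca.sshd"
}

make_ca
sign_user_key
sshd_config_line
ssh-keygen -L -f "$CERT"      # show Key ID, principals and the Valid: window
```

Because the CA private key never leaves the signing host, adding a server only requires copying ca.sshd and the one sshd_config line; the expiry set with -V is enforced by sshd without any revocation step.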