14.3.4. Distributing and Trusting SSH CA Public Keys
Hosts that are to allow certificate-authenticated log in from users must be configured to trust the CA public key that was used to sign the user certificates, otherwise they cannot verify the certificates users present. In this example that key is ca_user_key.pub.
Publish the ca_user_key.pub key and download it to all hosts that are required to allow remote users to log in. Alternately, copy the CA user public key to all the hosts. In a production environment, consider copying the public key to an administrator account first. The secure copy command can be used to copy the public key to remote hosts. The command has the following format:
scp ~/.ssh/ca_user_key.pub root@host_name.example.com:/etc/ssh/
Where host_name is the host name of a server that is required to authenticate user certificates presented during the login process. Ensure you copy the public key, not the private key (a public key file is a single line beginning with the key type, such as ssh-rsa; the private key file contains a PRIVATE KEY header). For example, as root:
~]# scp ~/.ssh/ca_user_key.pub root@host_name.example.com:/etc/ssh/
The authenticity of host 'host_name.example.com (10.34.74.56)' can't be established.
RSA key fingerprint is fc:23:ad:ae:10:6f:d1:a1:67:ee:b1:d5:37:d4:b0:2f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'host_name.example.com,10.34.74.56' (RSA) to the list of known hosts.
root@host_name.example.com's password:
ca_user_key.pub 100% 420 0.4KB/s 00:00
For remote user authentication, CA keys can be marked as trusted per-user in the ~/.ssh/authorized_keys file using the cert-authority directive, or for global use by means of the TrustedUserCAKeys directive in the /etc/ssh/sshd_config file. For remote host authentication, CA keys can be marked as trusted globally in the /etc/ssh/ssh_known_hosts file or per-user in the ~/.ssh/known_hosts file, using the @cert-authority marker.
Procedure 14.2. Trusting the User Signing Key
- For user certificates which have one or more principals listed, and where the setting is to have global effect, edit the /etc/ssh/sshd_config file as follows:
TrustedUserCAKeys /etc/ssh/ca_user_key.pub
Note that sshd does not accept a certificate without a principals list through TrustedUserCAKeys; such a certificate can only be trusted per-user with the cert-authority directive in ~/.ssh/authorized_keys.
- Restart sshd to make the changes take effect:
~]# service sshd restart
To avoid being presented with the warning about an unknown host, a user's system must trust the CA public key that was used to sign the host certificates. In this example that key is ca_host_key.pub.
Procedure 14.3. Trusting the Host Signing Key
- Extract the contents of the public key used to sign the host certificate. For example, on the CA:
cat ~/.ssh/ca_host_key.pub
ssh-rsa AAAAB5Wm.== root@ca-server.example.com
- To configure client systems to trust servers' signed host certificates, add the contents of ca_host_key.pub to the global known_hosts file. This will automatically check a server's advertised host certificate against the CA public key for all users every time a new machine in the domain *.example.com is connected to. Log in as root and configure the /etc/ssh/ssh_known_hosts file, as follows:
~]# vi /etc/ssh/ssh_known_hosts
# A CA key, accepted for any host in *.example.com
@cert-authority *.example.com ssh-rsa AAAAB5Wm.
Where ssh-rsa AAAAB5Wm. is the contents of ca_host_key.pub. The above configures the system to trust the CA's host signing public key. This enables global authentication of the certificates presented by hosts to remote users. The host pattern limits what the CA is trusted for: a certificate presented by a host whose name does not match *.example.com is not accepted on the strength of this line, and the unknown host warning is still shown.
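The three steps above (copying only the public key, Procedure 14.2 and Procedure 14.3) are easy to script for many hosts. The POSIX shell helpers below are an added example and are not part of the Red Hat guide or of OpenSSH. The file paths, the *.example.com pattern and the key material written by demo() are constructed placeholders (the base64 is not real key material); on a real host the targets are /etc/ssh/sshd_config and /etc/ssh/ssh_known_hosts, edited as root and followed by service sshd restart.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: helpers for distributing SSH CA
# public keys. Paths, host pattern and keys in demo() are placeholders.

# is_public_key_file FILE: succeed only if FILE is a single-line OpenSSH public
# key ("type base64 [comment]"). Guards against shipping ca_user_key instead of
# ca_user_key.pub to the remote hosts.
is_public_key_file() {
    f="$1"
    [ -f "$f" ] || return 1
    grep -q 'PRIVATE KEY' "$f" && return 1
    [ "$(grep -c '' "$f")" -eq 1 ] || return 1
    awk '$1 ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$/ &&
         $2 ~ /^[A-Za-z0-9+\/=]+$/ { ok = 1 }
         END { exit ok ? 0 : 1 }' "$f"
}

# set_trusted_user_ca_keys SSHD_CONFIG CA_PUB: remove any existing (keywords are
# case-insensitive) TrustedUserCAKeys directive and append one pointing at CA_PUB.
# sshd uses the first value it reads for a keyword, so a stale directive left
# higher up in the file would silently win over an appended one.
set_trusted_user_ca_keys() {
    cfg="$1"; capub="$2"; tmp="$cfg.tmp.$$"
    grep -iv '^[[:space:]]*TrustedUserCAKeys[[:space:]=]' "$cfg" > "$tmp" || true
    printf 'TrustedUserCAKeys %s\n' "$capub" >> "$tmp"
    mv "$tmp" "$cfg"
}

# cert_authority_line PATTERN CA_PUB: the ssh_known_hosts line that trusts CA_PUB
# for every host whose name matches PATTERN (the comment field is dropped).
cert_authority_line() {
    awk -v pat="$1" '{ print "@cert-authority " pat " " $1 " " $2 }' "$2"
}

# add_cert_authority KNOWN_HOSTS PATTERN CA_PUB: append the @cert-authority line
# unless it is already present, so the helper is safe to re-run.
add_cert_authority() {
    kh="$1"; line="$(cert_authority_line "$2" "$3")"
    [ -f "$kh" ] && grep -qxF -e "$line" "$kh" && return 0
    printf '%s\n' "$line" >> "$kh"
}

# --- demonstration on constructed files (placeholder keys, temporary paths) ----
demo() {
    d="$(mktemp -d)"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDemoUserCaNotARealKey000000 root@ca-server.example.com\n' > "$d/ca_user_key.pub"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDemoHostCaNotARealKey000000 root@ca-server.example.com\n' > "$d/ca_host_key.pub"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'placeholder' '-----END RSA PRIVATE KEY-----' > "$d/ca_user_key"
    printf 'Port 22\nTrustedUserCAKeys /etc/ssh/old_ca.pub\nPasswordAuthentication no\n' > "$d/sshd_config"

    is_public_key_file "$d/ca_user_key.pub" && echo "ca_user_key.pub: public key, safe to copy"
    is_public_key_file "$d/ca_user_key"     || echo "ca_user_key: NOT a public key, do not copy"

    set_trusted_user_ca_keys "$d/sshd_config" /etc/ssh/ca_user_key.pub
    add_cert_authority "$d/ssh_known_hosts" '*.example.com' "$d/ca_host_key.pub"
    add_cert_authority "$d/ssh_known_hosts" '*.example.com' "$d/ca_host_key.pub"   # no-op on re-run

    echo "--- sshd_config";     cat "$d/sshd_config"
    echo "--- ssh_known_hosts"; cat "$d/ssh_known_hosts"
    rm -rf "$d"
}
demo
```

After running the helpers on a real host, confirm the result with sshd -t (configuration syntax) and a test log in with a user certificate; the host side can be checked by connecting from a client whose /etc/ssh/ssh_known_hosts carries the @cert-authority line and observing that no unknown host prompt appears.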