$ systemctl reload ssh
```
-Notes
------
+SSL
+---
+
+SSH can authenticate users through certificates which it had signed. First,
+generate a certificate authority (private + public key pair).
+
+```
+ssh-keygen -t rsa -b 4096 -f <server_out> # <passphrase>
+```
+
+Then generate a user certficate.
+
+```
+ssh-keygen -b 4096 -t rsa -f <user_out> # <passphrase>
+```
+
+Sign user certificate using certificate authority. It's good practice to have
+separate CAs for host and user certificates but it's more useful with multiple
+host instances.
+
+```
+ssh-keygen -s <server_out> -I <user>@<domain> -n <user> -O no-agent-forwarding \
+ -O no-port-forwarding -O no-pty -O no-user-rc -O no-x11-forwarding -V +365d \
+ <user_out>.pub
+```
+
+Pubkey
+------
+
+SSH can authenticate users with public-key authentication. First, generate a key
+pair.
+
+```
+ssh-keygen -b 4096 -t rsa
+```
-Before disabling password authentication, mark your SSH key authorized for
-public-key authentication.
+Then copy the public key onto the server.
```
-ssh-copy-id -i ${SSH_DIR}/id_rsa user@server
+ssh-copy-id -i <key> -p 72 <user>@<domain>
```
-This copies SSH public key to `user@server:~/.ssh/authorized_keys`. Don't lock
-the server account (`passwd --lock`) as it'll strip away `sudo` privileges.
+This copies SSH public key to `<user>@<domain>:~/.ssh/authorized_keys`. Don't
+lock the server account (`passwd --lock`) as it'll strip away `sudo` privileges.
[1] sshd :: https://linux.die.net/man/8/sshd
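Review bot: The new "SSL" heading labels a section that is entirely about OpenSSH certificate authentication, not SSL/TLS, so it should be renamed (for example "Certificates"). The section also stops after the `ssh-keygen -s` step without saying how the server comes to trust the CA. Nothing installs `<server_out>.pub` on the host or points sshd at it (the `TrustedUserCAKeys` option in sshd_config), so a reader who follows these steps ends up with a certificate the server will not accept. In the same section, "Then generate a user certficate" has a typo and describes the wrong thing: that command creates a user key pair, and the certificate only exists after signing. Likewise "Sign user certificate" should read as signing the user's public key. `-O no-pty` means no PTY is allocated for sessions using this certificate, which is worth one sentence if it is intended. In the Pubkey part, `-p 72` is hardcoded in the `ssh-copy-id` line while every other value is a placeholder, so use `<port>` there. Consider keeping the removed reminder to authorize the key "Before disabling password authentication", since dropping it removes the only ordering hint that prevents a lockout.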