From: Jakub Czajka Date: Sun, 29 Jan 2023 13:14:39 +0000 (+0100) Subject: [sshd] Document public-key and certificate-based authentication. X-Git-Url: https://git.ekhem.eu.org/?a=commitdiff_plain;h=862bb6cc2e9b654e2a9dab4baf1038821714353a;p=server.git [sshd] Document public-key and certificate-based authentication. --- diff --git a/sshd/README b/sshd/README index abaf927..d2ae1eb 100644 --- a/sshd/README +++ b/sshd/README @@ -20,17 +20,49 @@ After updating `/etc/ssh/sshd_config`, reload the service. $ systemctl reload ssh ``` -Notes ------ +SSL +--- + +SSH can authenticate users through certificates which it had signed. First, +generate a certificate authority (private + public key pair). + +``` +ssh-keygen -t rsa -b 4096 -f # +``` + +Then generate a user certficate. + +``` +ssh-keygen -b 4096 -t rsa -f # +``` + +Sign user certificate using certificate authority. It's good practice to have +separate CAs for host and user certificates but it's more useful with multiple +host instances. + +``` +ssh-keygen -s -I @ -n -O no-agent-forwarding \ + -O no-port-forwarding -O no-pty -O no-user-rc -O no-x11-forwarding -V +365d \ + .pub +``` + +Pubkey +------ + +SSH can authenticate users with public-key authentication. First, generate a key +pair. + +``` +ssh-keygen -b 4096 -t rsa +``` -Before disabling password authentication, mark your SSH key authorized for -public-key authentication. +Then copy the public key onto the server. ``` -ssh-copy-id -i ${SSH_DIR}/id_rsa user@server +ssh-copy-id -i -p 72 @ ``` -This copies SSH public key to `user@server:~/.ssh/authorized_keys`. Don't lock -the server account (`passwd --lock`) as it'll strip away `sudo` privileges. +This copies SSH public key to `@:~/.ssh/authorized_keys`. Don't +lock the server account (`passwd --lock`) as it'll strip away `sudo` privileges. [1] sshd :: https://linux.die.net/man/8/sshd
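Review bot: the new "SSL" section documents generating a CA and signing a user certificate but never covers the server-side trust step, so a reader following it verbatim will still be refused: sshd only accepts CA-signed user certificates once the CA's public key is listed via `TrustedUserCAKeys` in `/etc/ssh/sshd_config` (or with a `cert-authority` entry in `authorized_keys`), and the `-n` principals must match the account being logged into; add that step (and the `systemctl reload ssh` that the existing text already prescribes) after the signing command. Two smaller points on the same hunk: the heading `SSL` is misleading, since these are OpenSSH certificates and SSL/TLS is not involved, so `Certificates` fits the neighbouring `Pubkey` heading better; and in the rendered diff the placeholders for the CA key path, the user key path, the key identity, the principal list and the file to sign come out empty (`-f #`, `-s -I @ -n`, `.pub`), as does `@` in the `ssh-copy-id` line, so either the placeholders were lost or they need to be spelled out (for example `ssh-keygen -s ca_key -I user@host -n user ... user_key.pub`). Also fix the typo `certficate`.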