From 862bb6cc2e9b654e2a9dab4baf1038821714353a Mon Sep 17 00:00:00 2001 From: Jakub Czajka Date: Sun, 29 Jan 2023 14:14:39 +0100 Subject: [PATCH] [sshd] Document public-key and certificate-based authentication. --- sshd/README | 46 +++++++++++++++++++++++++++++++++++++++------- 1 file changed, 39 insertions(+), 7 deletions(-) diff --git a/sshd/README b/sshd/README index abaf927..d2ae1eb 100644 --- a/sshd/README +++ b/sshd/README @@ -20,17 +20,49 @@ After updating `/etc/ssh/sshd_config`, reload the service. $ systemctl reload ssh ``` -Notes ------ +SSL +--- + +SSH can authenticate users through certificates which it had signed. First, +generate a certificate authority (private + public key pair). + +``` +ssh-keygen -t rsa -b 4096 -f # +``` + +Then generate a user certficate. + +``` +ssh-keygen -b 4096 -t rsa -f # +``` + +Sign user certificate using certificate authority. It's good practice to have +separate CAs for host and user certificates but it's more useful with multiple +host instances. + +``` +ssh-keygen -s -I @ -n -O no-agent-forwarding \ + -O no-port-forwarding -O no-pty -O no-user-rc -O no-x11-forwarding -V +365d \ + .pub +``` + +Pubkey +------ + +SSH can authenticate users with public-key authentication. First, generate a key +pair. + +``` +ssh-keygen -b 4096 -t rsa +``` -Before disabling password authentication, mark your SSH key authorized for -public-key authentication. +Then copy the public key onto the server. ``` -ssh-copy-id -i ${SSH_DIR}/id_rsa user@server +ssh-copy-id -i -p 72 @ ``` -This copies SSH public key to `user@server:~/.ssh/authorized_keys`. Don't lock -the server account (`passwd --lock`) as it'll strip away `sudo` privileges. +This copies SSH public key to `@:~/.ssh/authorized_keys`. Don't +lock the server account (`passwd --lock`) as it'll strip away `sudo` privileges. [1] sshd :: https://linux.die.net/man/8/sshd -- 2.39.5
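Review bot: The new "SSL" heading in the first hunk is misnamed, since SSH certificates are an OpenSSH mechanism and have nothing to do with SSL/TLS; "Certificates" (matching the "Pubkey" heading below it) would be accurate, and the opening sentence "SSH can authenticate users through certificates which it had signed" should say the certificate is signed by a certificate authority the server trusts, because sshd does not sign anything itself. The three `ssh-keygen` invocations and the `ssh-copy-id` line have lost their arguments: `ssh-keygen -t rsa -b 4096 -f #`, `ssh-keygen -s -I @ -n -O no-agent-forwarding \` and `ssh-copy-id -i -p 72 @` have no value after `-f`, `-s`, `-I`, `-n` or `-i`, so please restore the placeholder names (CA key path, user key path, key id, principal, user@host) or the commands cannot be followed. The certificate section also stops at signing and never says how the server is told to trust the CA; a sentence pointing at `TrustedUserCAKeys` in `/etc/ssh/sshd_config` (with the CA public key path) would complete the procedure, as would mentioning that the CA private key should be kept off the server. Finally, the removed sentence "Before disabling password authentication, mark your SSH key authorized for public-key authentication" carried the only lockout warning in this file; the reworded Pubkey section should keep that ordering advice, and "certficate" is a typo for "certificate".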