14.3.4. Distributing and Trusting SSH CA Public Keys
Hosts that are to allow certificate-authenticated login from users must be configured to trust the CA's public key that was used to sign the user certificates, in order to authenticate users' certificates. In this example that is the ca_user_key.pub.

Publish the ca_user_key.pub key and download it to all hosts that are required to allow remote users to log in. Alternately, copy the CA user public key to all the hosts. In a production environment, consider copying the public key to an administrator account first. The secure copy command can be used to copy the public key to remote hosts. The command has the following format:

    scp ~/.ssh/ca_user_key.pub root@host_name.example.com:/etc/ssh/

Where host_name is the host name of a server that is required to authenticate users' certificates presented during the login process. Ensure you copy the public key, not the private key. For example, as root:

    ~]# scp ~/.ssh/ca_user_key.pub root@host_name.example.com:/etc/ssh/
For remote user authentication, CA keys can be marked as trusted per-user in the ~/.ssh/authorized_keys file using the cert-authority directive, or for global use by means of the TrustedUserCAKeys directive in the /etc/ssh/sshd_config file. For remote host authentication, CA keys can be marked as trusted globally in the /etc/ssh/known_hosts file or per-user in the ~/.ssh/ssh_known_hosts file.
Procedure 14.2. Trusting the User Signing Key
- For user certificates which have one or more principals listed, and where the setting is to have global effect, edit the /etc/ssh/sshd_config file as follows:

    TrustedUserCAKeys /etc/ssh/ca_user_key.pub

- Restart sshd to make the changes take effect:

    ~]# service sshd restart
To avoid being presented with the warning about an unknown host, a user's system must trust the CA's public key that was used to sign the host certificates. In this example that is ca_host_key.pub.
Procedure 14.3. Trusting the Host Signing Key
- Extract the contents of the public key used to sign the host certificate. For example, on the CA:

    ~]# cat ~/.ssh/ca_host_key.pub
    ssh-rsa AAAAB5Wm.== root@ca-server.example.com

- To configure client systems to trust servers' signed host certificates, add the contents of the ca_host_key.pub into the global known_hosts file. This will automatically check a server's advertised host certificate against the CA public key for all users every time a new machine in the domain *.example.com is connected to. Log in as root and configure the /etc/ssh/ssh_known_hosts file, as follows:

    ~]# vi /etc/ssh/ssh_known_hosts
    # A CA key, accepted for any host in *.example.com
    @cert-authority *.example.com ssh-rsa AAAAB5Wm.

  Where ssh-rsa AAAAB5Wm. is the contents of ca_host_key.pub. The above configures the system to trust the CA server's host public key. This enables global authentication of the certificates presented by hosts to remote users.
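The checks a practitioner would run around the scp step and Procedures 14.2 and 14.3, as an added POSIX shell example that is not part of the RHEL guide: it refuses to treat a private key as the file to copy, builds the @cert-authority entry from a CA public key file, and verifies that sshd_config and ssh_known_hosts carry the expected lines. The key material, file names and temporary directory are constructed for the demonstration; the TrustedUserCAKeys keyword, the @cert-authority marker and the /etc/ssh/ca_user_key.pub path come from the page.

```shell
#!/bin/sh
# Added example, not from the RHEL guide. Helper checks for the two trust
# points above: the CA public key copied to hosts (TrustedUserCAKeys) and the
# CA public key trusted by clients (@cert-authority in ssh_known_hosts).

# Constructed placeholder CA public key; not a real key.
SAMPLE_CA_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnlyNotARealKey root@ca-server.example.com'

# is_ssh_public_key FILE
# True if the first line of FILE is "<keytype> <base64> [comment]" and the
# file carries no private-key header. Run it before the scp step so the
# private half of the CA key never leaves the CA.
is_ssh_public_key() {
    [ -r "$1" ] || return 1
    grep -q 'PRIVATE KEY' "$1" && return 1
    set -- $(head -n 1 "$1")
    [ $# -ge 2 ] || return 1
    case $1 in
        ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$2" | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# cert_authority_line PATTERN FILE
# Prints the ssh_known_hosts entry for the CA key in FILE, dropping the
# comment field as the guide's example does.
cert_authority_line() {
    is_ssh_public_key "$2" || return 1
    pat=$1
    set -- $(head -n 1 "$2")
    printf '@cert-authority %s %s %s\n' "$pat" "$1" "$2"
}

# sshd_config_trusts_ca CONFIG KEYPATH
# True if CONFIG has an uncommented TrustedUserCAKeys line naming KEYPATH
# (sshd_config keywords are case-insensitive, so compare lower-cased).
sshd_config_trusts_ca() {
    awk -v want="$2" '
        $1 !~ /^#/ && tolower($1) == "trustedusercakeys" && $2 == want { found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# known_hosts_trusts_ca KNOWN_HOSTS PATTERN FILE
# True if KNOWN_HOSTS has an @cert-authority line for PATTERN whose key type
# and blob match the CA key in FILE. PATTERN is compared literally; a
# comma-separated pattern list would need splitting first.
known_hosts_trusts_ca() {
    set -- "$1" "$2" $(head -n 1 "$3")
    awk -v pat="$2" -v kt="$3" -v blob="$4" '
        $1 == "@cert-authority" && $2 == pat && $3 == kt && $4 == blob { found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Demonstration on constructed files in a temporary directory.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_CA_PUB" > "$tmp/ca_user_key.pub"
    cp "$tmp/ca_user_key.pub" "$tmp/ca_host_key.pub"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'placeholder' \
        '-----END OPENSSH PRIVATE KEY-----' > "$tmp/ca_user_key"

    # The private key must be rejected; the public key must pass.
    if is_ssh_public_key "$tmp/ca_user_key"; then
        echo "BUG: private key accepted"; rm -rf "$tmp"; return 1
    fi
    is_ssh_public_key "$tmp/ca_user_key.pub" || { rm -rf "$tmp"; return 1; }

    # A commented-out directive must not count as trust.
    printf '%s\n' '# TrustedUserCAKeys /etc/ssh/old.pub' \
        'TrustedUserCAKeys /etc/ssh/ca_user_key.pub' > "$tmp/sshd_config"
    sshd_config_trusts_ca "$tmp/sshd_config" /etc/ssh/ca_user_key.pub || { rm -rf "$tmp"; return 1; }

    # Generate the client-side entry and confirm it is recognised.
    cert_authority_line '*.example.com' "$tmp/ca_host_key.pub" > "$tmp/ssh_known_hosts"
    cat "$tmp/ssh_known_hosts"
    known_hosts_trusts_ca "$tmp/ssh_known_hosts" '*.example.com' "$tmp/ca_host_key.pub"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo
```

Running the script prints the generated @cert-authority line and exits non-zero if any check fails. The same functions can be pointed at the real /etc/ssh/sshd_config and /etc/ssh/ssh_known_hosts after the procedures above to confirm the trust configuration took effect.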