Differences
advanced:ssh_certificates [2021/07/03 16:37] – created dan | advanced:ssh_certificates [2022/06/02 11:31] (current) – [systemd unit] dan | ||
Line 13: | Line 13: | ||
In order to configure systems to use your CA, you'll need the hostname or IP address of your CA, and the fingerprint of the root signing cert. If you don't have the latter, you can get it by logging into the CA, finding that certificate (ordinarily it will be at '' | In order to configure systems to use your CA, you'll need the hostname or IP address of your CA, and the fingerprint of the root signing cert. If you don't have the latter, you can get it by logging into the CA, finding that certificate (ordinarily it will be at '' | ||
- | Once installed, configure the system to use your CA by running '' | + | Once installed, configure the system to use your CA by running '' |
< | < | ||
- | [root@neth-lemon ~]# step ca bootstrap --ca-url ca.familybrown.org --fingerprint 2f477e4bd5cddf3908521e57f4884247388123be6c1faae80caf883c1b2a3153 | + | [root@neth-lemon ~]# step ca bootstrap |
The root certificate has been saved in / | The root certificate has been saved in / | ||
Your configuration has been saved in / | Your configuration has been saved in / | ||
+ | Installing the root certificate in the system truststore... done. | ||
</ | </ | ||
**Repeat this on every client and server you want to use with your SSH certificate authority** | **Repeat this on every client and server you want to use with your SSH certificate authority** | ||
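Review bot: the new-version bootstrap command on the `[root@neth-lemon ~]# step ca bootstrap` line no longer shows the `--ca-url` and `--fingerprint` arguments that the old version carried, and the fingerprint is the only thing that authenticates the CA on first contact, so the revised text should still show it being supplied rather than leaving the reader to bootstrap against an unverified CA. The added output line `Installing the root certificate in the system truststore... done.` also deserves a sentence of its own: installing the root into the system truststore makes every TLS client on the host trust that CA, not just SSH, which is a broader trust decision than the surrounding text suggests.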
Line 70: | Line 70: | ||
==== systemd unit ==== | ==== systemd unit ==== | ||
- | Left for later use | + | If your system runs systemd, as most modern Linux distributions do, you can instead set up the daily certificate renewal using a systemd timer. |
+ | |||
+ | === Service file === | ||
+ | Create ''/ | ||
+ | < | ||
+ | # Renew SSH host certificate | ||
+ | # | ||
+ | |||
+ | [Unit] | ||
+ | Description=Renew SSH host certificate | ||
+ | Wants=ssh-host-cert.timer | ||
+ | |||
+ | [Service] | ||
+ | Type=oneshot | ||
+ | ExecStart=/ | ||
+ | ExecStart=/ | ||
+ | |||
+ | [Install] | ||
+ | WantedBy=multi-user.target | ||
+ | </ | ||
+ | |||
+ | === Timer file === | ||
+ | Create ''/ | ||
+ | < | ||
+ | # Renew SSH host certificate daily | ||
+ | # | ||
+ | |||
+ | [Unit] | ||
+ | Description=Renew SSH host certificate daily | ||
+ | Requires=ssh-host-cert.service | ||
+ | |||
+ | [Timer] | ||
+ | OnCalendar= *-*-* 0:0:0 | ||
+ | AccuracySec=2h | ||
+ | |||
+ | [Install] | ||
+ | WantedBy=timers.target | ||
+ | </ | ||
+ | |||
+ | === Enable the timer === | ||
+ | Run '' | ||
===== Configure sshd to use the cert ===== | ===== Configure sshd to use the cert ===== | ||
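Review bot: the dependency direction between the two units is inverted in the service file (`Wants=ssh-host-cert.timer` under `[Unit]` plus `[Install]` / `WantedBy=multi-user.target` on a `Type=oneshot` service), so enabling the service runs the renewal once at every boot and pulls the timer in as a side effect, while the timer's `Requires=ssh-host-cert.service` runs the service immediately whenever the timer is started. The usual shape is to drop the `[Install]` section and the `Wants=` line from the service, drop `Requires=` from the timer, and enable only the timer, which already has `WantedBy=timers.target`. Two further suggestions for the `[Timer]` section: add `Persistent=true` so a midnight run missed while the host was powered off is executed at the next boot (a host certificate that silently expires is the failure mode this timer exists to prevent), and write `OnCalendar=daily`, which is equivalent to `*-*-* 00:00:00` and avoids the stray space in `OnCalendar= *-*-* 0:0:0`. Finally, the "Enable the timer" step is cut off after `Run ''` in this rendering; whatever command it shows should enable the timer, not the service.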
Line 123: | Line 163: | ||
Regenerate the config file, and restart sshd, by running '' | Regenerate the config file, and restart sshd, by running '' | ||
- | In the renewal script above, replace the last line with '' | + | In the renewal script above, replace the last line with '' |
===== Test ===== | ===== Test ===== | ||
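Review bot: "In the renewal script above, replace the last line with" is no longer sufficient now that the same revision adds a systemd service with two `ExecStart=` lines instead of a single script; the Nethserver note should say explicitly which `ExecStart=` line to replace (the second one, which follows the renewal command) so that readers who chose the systemd path do not end up with sshd never being reloaded after a renewal.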
Line 142: | Line 182: | ||
===== Server configuration ===== | ===== Server configuration ===== | ||
- | |||
First, you'll need to save a copy of the CA's user signing key on your system. To do that, run '' | First, you'll need to save a copy of the CA's user signing key on your system. To do that, run '' | ||
+ | ==== Most Unix-y systems ==== | ||
Next, '' | Next, '' | ||
Line 153: | Line 192: | ||
</ | </ | ||
Restart '' | Restart '' | ||
+ | ==== FreeNAS/ | ||
+ | Save the User CA key retrieved above in '' | ||
+ | ==== Nethserver systems ==== | ||
+ | As noted above, the Nethserver system configuration is generated from templates. | ||
===== Client configuration ===== | ===== Client configuration ===== | ||
Before you ssh to a host that requires (or accepts) a certificate, | Before you ssh to a host that requires (or accepts) a certificate, | ||
- | The " | + | The " |
===== Test ===== | ===== Test ===== |
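Review bot: the new "Nethserver systems" subsection only states that the configuration is generated from templates and gives no step, so a reader will edit `sshd_config` directly and lose the `TrustedUserCAKeys` setting at the next template expansion; it should name the custom-template location and point back to the "Regenerate the config file, and restart sshd" command earlier on the page. Likewise, the `Restart ''` step now sits only under "Most Unix-y systems", so the FreeNAS and Nethserver subsections should each say how the change is applied, since the user-CA key is not trusted until sshd has re-read its configuration.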