advanced:ssh_certificates [2021/07/03 16:42] – [Server configuration] dan | advanced:ssh_certificates [2022/06/02 11:31] (current) – [systemd unit] dan | ||
Line 13: | Line 13: | ||
In order to configure systems to use your CA, you'll need the hostname or IP address of your CA, and the fingerprint of the root signing cert. If you don't have the latter, you can get it by logging into the CA, finding that certificate (ordinarily it will be at '' | In order to configure systems to use your CA, you'll need the hostname or IP address of your CA, and the fingerprint of the root signing cert. If you don't have the latter, you can get it by logging into the CA, finding that certificate (ordinarily it will be at '' | ||
- | Once installed, configure the system to use your CA by running '' | + | Once installed, configure the system to use your CA by running '' |
< | < | ||
- | [root@neth-lemon ~]# step ca bootstrap --ca-url ca.familybrown.org --fingerprint 2f477e4bd5cddf3908521e57f4884247388123be6c1faae80caf883c1b2a3153 | + | [root@neth-lemon ~]# step ca bootstrap |
The root certificate has been saved in / | The root certificate has been saved in / | ||
Your configuration has been saved in / | Your configuration has been saved in / | ||
+ | Installing the root certificate in the system truststore... done. | ||
</ | </ | ||
**Repeat this on every client and server you want to use with your SSH certificate authority** | **Repeat this on every client and server you want to use with your SSH certificate authority** | ||
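Review bot: the added output line "Installing the root certificate in the system truststore... done." shows that the bootstrap command now installs the CA root into the host's system trust store, but the command on the + side is cut off, so the option that produces this behaviour is not visible; write out the full `step ca bootstrap` invocation with `--ca-url`, `--fingerprint` and the install option (`--install` in step-cli), and state that this makes every TLS client on the host trust certificates issued by this private CA, not only sshd. Keep the `--fingerprint` value in the example as in the old revision, since pinning the root fingerprint is what protects the first connection to the CA from an impersonated server.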
Line 70: | Line 70: | ||
==== systemd unit ==== | ==== systemd unit ==== | ||
- | Left for later use | + | If your system runs systemd, as most modern Linux distributions do, you can instead set up the daily certificate renewal using a systemd timer. |
+ | |||
+ | === Service file === | ||
+ | Create ''/ | ||
+ | < | ||
+ | # Renew SSH host certificate | ||
+ | # | ||
+ | |||
+ | [Unit] | ||
+ | Description=Renew SSH host certificate | ||
+ | Wants=ssh-host-cert.timer | ||
+ | |||
+ | [Service] | ||
+ | Type=oneshot | ||
+ | ExecStart=/ | ||
+ | ExecStart=/ | ||
+ | |||
+ | [Install] | ||
+ | WantedBy=multi-user.target | ||
+ | </ | ||
+ | |||
+ | === Timer file === | ||
+ | Create ''/ | ||
+ | < | ||
+ | # Renew SSH host certificate daily | ||
+ | # | ||
+ | |||
+ | [Unit] | ||
+ | Description=Renew SSH host certificate daily | ||
+ | Requires=ssh-host-cert.service | ||
+ | |||
+ | [Timer] | ||
+ | OnCalendar= *-*-* 0:0:0 | ||
+ | AccuracySec=2h | ||
+ | |||
+ | [Install] | ||
+ | WantedBy=timers.target | ||
+ | </ | ||
+ | |||
+ | === Enable the timer === | ||
+ | Run '' | ||
===== Configure sshd to use the cert ===== | ===== Configure sshd to use the cert ===== | ||
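Review bot: in the timer file, `Requires=ssh-host-cert.service` makes systemd start the service, and so run the renewal, every time the timer is started, including at boot; `OnCalendar=` alone already activates the service of the same name, so either say that the boot-time run is intended or drop the `Requires=` line. Add `Persistent=true` under `[Timer]` so a renewal missed while the host was off at midnight runs at next boot instead of waiting up to a day, which matters when the host certificate lifetime is short. `OnCalendar= *-*-* 0:0:0` carries a leading space; `OnCalendar=daily` is the documented equivalent. In the service file, `Wants=ssh-host-cert.timer` together with the `[Install]` section means enabling the service also runs the renewal once at boot; since the "Enable the timer" step enables the timer, the service's `[Install]` section can go so that only the timer is ever enabled.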
Line 123: | Line 163: | ||
Regenerate the config file, and restart sshd, by running '' | Regenerate the config file, and restart sshd, by running '' | ||
- | In the renewal script above, replace the last line with '' | + | In the renewal script above, replace the last line with '' |
===== Test ===== | ===== Test ===== | ||
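Review bot: this step still says to replace the last line of "the renewal script above", but the page now also offers the systemd unit as an alternative, where the equivalent is the second `ExecStart=` line of `ssh-host-cert.service`; say explicitly that readers using the timer must change that line instead, otherwise they end up with a unit that renews the certificate but never restarts sshd to pick it up.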
Line 160: | Line 200: | ||
Before you ssh to a host that requires (or accepts) a certificate, | Before you ssh to a host that requires (or accepts) a certificate, | ||
- | The " | + | The " |
===== Test ===== | ===== Test ===== |