I am (still) rather confused about using ssh certificate authentication. I am confused about a variety of specifics, but the biggie is this: I have the idea that I can create one user certificate and one server (host) certificate, and use that for any number of users and servers on a LAN.
from man ssh:

<quote>
A variation on public key authentication is available in the form of certificate authentication: instead of a set of public/private keys, signed certificates are used. This has the advantage that a single trusted certification authority can be used in place of many public/private keys. See the CERTIFICATES section of ssh-keygen(1) for more information.
</quote>

That would be done by virtue of using the -n option to set the principals for each certificate -- the user certificate could include all the users that might use any client, and the server (host) certificate could include all the servers on the LAN.

(Aside -- best to ignore this at least for now: I don't like calling them "hosts" or the name "host certificate" -- I think what they are calling a host is an ssh server, and a host certificate is the certificate for an ssh server (at least in the context of certificate authentication -- maybe in password authentication (for example) a host certificate comes into play for both the ssh client and the ssh server??).)

Using multiple users or servers on one certificate:

* would be done by using the -n option (when creating the certificate) and specifying multiple principals (either users or servers). That could be done by either a comma separated list (of users or servers) or wildcards, or presumably some combination of both,

* and, in fact, the -n option is more like a way to limit the users or servers that can use a certificate, the default (iiuc) is that any user can authenticate using the host certificate on any server using the server certificate.

Am I totally confused, and do you have any experience to confirm this one way or the other?

Thanks!

-- rhk

If you reply: snip, snip, and snip again; leave attributions; avoid top posting; and keep it "on list". (Oxford comma included at no charge.)

If you change topics, change the Subject: line.
A picture is worth a thousand words -- divide by 10 for each minute of video (or audio) or create a transcript and edit it to 10% of the original.
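As an added illustration of the question above (not code from the post or from OpenSSH), the following Python models the OpenSSH certificate layout that `ssh-keygen -n` fills in: it builds constructed, unsigned certificate blobs with placeholder nonce, key and signature fields, reads the principal list back the way `ssh-keygen -L` lists it, and applies the login rule sshd_config(5) documents for TrustedUserCAKeys, including the case of a certificate with no principals at all.

```python
import struct

# Constructed, unsigned OpenSSH certificate blobs in the ssh-ed25519-cert-v01 layout,
# showing where `ssh-keygen -n` principals live and how sshd matches them.
# Nonce, public key, CA key and signature are placeholders, not real values.
CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
USER_CERT, HOST_CERT = 1, 2

def _s(b: bytes) -> bytes:                 # SSH "string": uint32 length + bytes
    return struct.pack(">I", len(b)) + b

def _read_s(buf: bytes, off: int):         # -> (payload, offset after it)
    n = struct.unpack(">I", buf[off:off + 4])[0]
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_cert(cert_type: int, key_id: str, principals: list) -> bytes:
    """Same field order as a real certificate; principals are packed SSH strings."""
    packed = b"".join(_s(p.encode()) for p in principals)
    return (_s(CERT_TYPE) + _s(b"\x00" * 32) + _s(b"\x00" * 32)  # nonce, pubkey
            + struct.pack(">QI", 1, cert_type)                   # serial, type
            + _s(key_id.encode()) + _s(packed)                   # key id, principals
            + struct.pack(">QQ", 0, 2**64 - 1)                   # valid after/before
            + _s(b"") + _s(b"") + _s(b"")                         # crit. opts, exts, reserved
            + _s(b"ca-key-placeholder") + _s(b"signature-placeholder"))

def cert_principals(cert: bytes):
    """Return (type, [principals]) the way `ssh-keygen -L` lists them."""
    off = 0
    kind, off = _read_s(cert, off)
    if kind != CERT_TYPE:
        raise ValueError("unsupported certificate type")
    _nonce, off = _read_s(cert, off)
    _pubkey, off = _read_s(cert, off)
    _serial, cert_type = struct.unpack(">QI", cert[off:off + 12])
    off += 12
    _key_id, off = _read_s(cert, off)
    packed, off = _read_s(cert, off)
    names, p = [], 0
    while p < len(packed):
        name, p = _read_s(packed, p)
        names.append(name.decode())
    return cert_type, names

def permits_login(cert: bytes, username: str) -> bool:
    """sshd_config(5) TrustedUserCAKeys rule: a user cert whose non-empty principal
    list names the login user (certs lacking a principal list are rejected there)."""
    cert_type, names = cert_principals(cert)
    return cert_type == USER_CERT and bool(names) and username in names
```

For instance, `build_cert(USER_CERT, "lan-users", ["alice", "bob"])` yields a certificate that `permits_login` accepts for alice and bob only, while a certificate built with an empty principal list is accepted for nobody under the TrustedUserCAKeys rule.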