[ https://issues.apache.org/jira/browse/SSHD-660?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17084950#comment-17084950 ]
FliegenKLATSCH commented on SSHD-660:
-------------------------------------
I did not check out the authentication yet, I am mostly interested in the host
key algorithms.
To set this up you need to create a CA:
$ ssh-keygen -b 4096 -t rsa -f example-com-ca -C "CA key for example.com"
and sign the public key:
$ ssh-keygen -s example-com-ca -h -n host.example.com -V +52w -I host.example.com-key host-key.pub
On the server, add the following line into the sshd_config (the certificate was
created by the previous command with the -cert.pub suffix):
HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
And on the client into the known_hosts:
@cert-authority *.example.com <contents-of-public-CA-key-file>
If you connect with the OpenSSH client you can use -vvv to see which host key
algorithm is used, or enforce a specific one with -o
[email protected]
> Add support for authentication using signed client/server keys
> --------------------------------------------------------------
>
> Key: SSHD-660
> URL: https://issues.apache.org/jira/browse/SSHD-660
> Project: MINA SSHD
> Issue Type: Improvement
> Reporter: Lyor Goldstein
> Priority: Minor
>
> Similar to _HostCertificate_ and _TrustedUserCAKeys_ configuration values -
> see https://ef.gy/hardening-ssh
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
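
The CA and host-certificate steps from the comment above, as an added example that is not part of the original message or of MINA SSHD: it builds both keys in a scratch directory and checks the resulting certificate with ssh-keygen -L. The host key generation step, the scratch-directory layout and the function names are assumptions; the comment only shows the CA and signing commands.

```shell
#!/bin/sh
# Added example: throwaway CA + host certificate in a scratch directory.
# Nothing under /etc/ssh is touched.
CA_BITS=${CA_BITS:-4096}      # CA key size used in the comment
HOST_BITS=${HOST_BITS:-3072}  # assumption: host key generation is not shown there

make_host_cert() {   # $1 = scratch dir, $2 = principal (host name)
    dir=$1 principal=$2
    mkdir -p "$dir" || return 1
    ssh-keygen -q -N '' -b "$CA_BITS" -t rsa -f "$dir/example-com-ca" \
        -C "CA key for example.com" || return 1
    ssh-keygen -q -N '' -b "$HOST_BITS" -t rsa -f "$dir/host-key" || return 1
    # -h marks a host certificate, -n lists principals, -V bounds validity
    ssh-keygen -q -s "$dir/example-com-ca" -h -n "$principal" -V +52w \
        -I "$principal-key" "$dir/host-key.pub" || return 1
    # known_hosts line that trusts the CA for the whole domain
    printf '@cert-authority *.example.com %s\n' \
        "$(cat "$dir/example-com-ca.pub")" > "$dir/known_hosts"
}

cert_field() {       # $1 = certificate file, $2 = field label in ssh-keygen -L
    ssh-keygen -L -f "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

cert_principals() {  # principals are printed one per line under "Principals:"
    ssh-keygen -L -f "$1" |
        sed -n '/^[[:space:]]*Principals:/,/^[[:space:]]*Critical Options:/p' |
        sed '1d;$d;s/^[[:space:]]*//'
}

check_host_cert() {  # $1 = scratch dir, $2 = expected principal
    cert=$1/host-key-cert.pub
    # a user certificate would be rejected as a host key by the client
    cert_field "$cert" Type | grep -q 'host certificate' || return 1
    # the name the client connects to must be listed as a principal
    cert_principals "$cert" | grep -qxF "$2" || return 1
    # the signing CA must be the key pinned by the @cert-authority line
    ca_fp=$(ssh-keygen -l -f "$1/example-com-ca.pub" | awk '{print $2}')
    cert_field "$cert" 'Signing CA' | grep -qF "$ca_fp"
}
```

Run make_host_cert "$(mktemp -d)" host.example.com and then check_host_cert on the same directory; a non-zero status means the certificate would not be accepted for that host name under the generated known_hosts entry.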