ssh certificate authentication: can one user and one server certificate work for any number of users or servers on a LAN?
I am (still) rather confused about using ssh certificate authentication.
I am confused about a variety of specifics, but the biggie is this: I have the
idea that I can create one user certificate and one server (host) certificate,
and use that for any number of users and servers on a LAN.
From man ssh:
<quote>
A variation on public key authentication is available in the form of
certificate authentication: instead of a set of public/private keys, signed
certificates are used. This has the advantage that a single trusted
certification authority can be used in place of many public/private keys. See
the CERTIFICATES section of ssh-keygen(1) for more information.
</quote>
That would be done by virtue of using the -n option to set the principals for
each certificate -- the user certificate could include all the users that might
use any client, and the server (host) certificate could include all the servers
on the LAN.
(Aside -- best to ignore this at least for now: I don't like calling them
"hosts" or the name "host certificate" -- I think what they are calling a host
is an ssh server, and a host certificate is the certificate for an ssh server
(at least in the context of certificate authentication -- maybe in password
authentication (for example) a host certificate comes into play for both the
ssh client and the ssh server??).)
Using multiple users or servers on one certificate:
* would be done by using the -n option (when creating the certificate) and
specifying multiple principals (either users or servers). That could be done
by either a comma separated list (of users or servers) or wildcards, or
presumably some combination of both,
* and, in fact, the -n option is more like a way to limit the users or
servers that can use a certificate, the default (iiuc) is that any user can
authenticate using the host certificate on any server using the server
certificate.
Am I totally confused, and do you have any experience to confirm this one way
or the other?
Thanks!
--
rhk
If you reply: snip, snip, and snip again; leave attributions; avoid top
posting; and keep it "on list". (Oxford comma included at no charge.) If you
change topics, change the Subject: line.
A picture is worth a thousand words -- divide by 10 for each minute of video
(or audio) or create a transcript and edit it to 10% of the original.
Reply to:
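The procedure the post is asking about, as an added worked example (not part of the original message, and not the poster's own commands): one CA key signs one user key with several principals and one host key with several host names, and ssh-keygen -L reads the principals back. It assumes OpenSSH's ssh-keygen is installed; the names used (the "lan-ca" comment, alice, bob, srv1.lan, srv2.lan, 10.0.0.5, the key identities) are all invented for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post). Requires OpenSSH's ssh-keygen.
# Every name below (the CA comment, alice/bob, srv1.lan, srv2.lan, 10.0.0.5,
# the -I identities) is made up for the demonstration.
set -eu

# Print the principals ssh-keygen reads back from a certificate file as a
# comma-separated list, or "(none)" for a certificate that has no principals.
cert_principals() {
    ssh-keygen -L -f "$1" | awk '
        /^[ \t]*Principals:/       { p = 1; if ($2 == "(none)") out = "(none)"; next }
        /^[ \t]*Critical Options:/ { p = 0 }
        p                          { out = (out == "") ? $1 : (out "," $1) }
        END                        { print out }'
}

# Build one CA, then sign one user key and one host key with several
# principals each, in the current (scratch) directory.
make_certs() {
    # One CA key pair signs everything. Its *public* half is what gets
    # distributed: to servers (to trust user certs), to clients (to trust
    # host certs).
    ssh-keygen -q -t ed25519 -N '' -C 'lan-ca' -f ca_key

    # A user certificate wraps ONE user public key. -n lists the account names
    # that key may log in as; without -n the certificate carries no principals.
    ssh-keygen -q -t ed25519 -N '' -f user_key
    ssh-keygen -q -s ca_key -I 'alice-laptop' -n 'alice,bob' -V '+52w' user_key.pub

    # A host certificate (-h) wraps ONE host public key. -n lists the names a
    # client may have connected to; the client compares the name it used
    # against these strings, so every name or address clients will type
    # belongs in the list.
    ssh-keygen -q -t ed25519 -N '' -f ssh_host_ed25519_key
    ssh-keygen -q -s ca_key -I 'srv1' -h -n 'srv1.lan,srv2.lan,10.0.0.5' \
        -V '+52w' ssh_host_ed25519_key.pub

    # For comparison: a user certificate signed without -n. sshd refuses such
    # a certificate via TrustedUserCAKeys (it requires a principals list); it
    # is only usable through a per-account authorized_keys "cert-authority"
    # line, which is where the "valid for any user" default applies.
    ssh-keygen -q -t ed25519 -N '' -f open_key
    ssh-keygen -q -s ca_key -I 'no-principals' -V '+52w' open_key.pub

    # Where the pieces go (shown here, not installed by this script):
    #   server sshd_config:  TrustedUserCAKeys /etc/ssh/lan_ca.pub
    #                        HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
    #   client known_hosts:  @cert-authority *.lan,10.0.0.* <contents of ca_key.pub>
    # The known_hosts pattern may use wildcards; the names inside the host
    # certificate are matched literally.

    printf 'user: %s\n' "$(cert_principals user_key-cert.pub)"
    printf 'host: %s\n' "$(cert_principals ssh_host_ed25519_key-cert.pub)"
    printf 'open: %s\n' "$(cert_principals open_key-cert.pub)"
}

# Run make_certs in a throw-away directory and clean up afterwards.
ssh_cert_demo() {
    work=$(mktemp -d)
    status=0
    ( cd "$work" && make_certs ) || status=$?
    rm -rf "$work"
    return "$status"
}

if command -v ssh-keygen >/dev/null 2>&1; then
    ssh_cert_demo
else
    echo "ssh-keygen not found; nothing to demonstrate" >&2
fi
```

Running it prints `user: alice,bob`, `host: srv1.lan,srv2.lan,10.0.0.5` and `open: (none)`. The point to take from it: each certificate is tied to exactly one key pair (one user key, one host key), and -n only controls which account names or host names that particular key may be used for; covering many users or many servers means signing each of their keys, even though a single CA key does all the signing.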