OpenSSH CA Certificates Publishing/Documentation

Posted: 2017/07/23 01:26:35
by Kantankerus
I'm reading through the upstream vendor documentation at https://access.redhat.com/documentation ... _Keys.html and on the second paragraph, it starts with "Publish the ca_user_key.pub key and download it to all hosts that are required to allow remote users to log in." I'm unclear on the context. Do they mean the generic "publish", whereas you place the file in a shared location (ANY shared location) such as a file share, private FTP site, etc., or is there an established means of publishing such keys, like a key server?

Just trying to wrap my brain around this to see if we want to leverage this in our ever growing environment.

Any help, hints or nudges in the right direction would be greatly appreciated.

Re: OpenSSH CA Certificates Publishing/Documentation

Posted: 2017/07/23 12:53:09
by scottro
The key would be stored (you can see this from the example)
in the user's (root's in this case) $HOME/.ssh/ file. The .ssh (note the dot) may have to be created.
Then, following the examples, you would distribute the key to root@remoteserver:/etc/ssh/

Re: OpenSSH CA Certificates Publishing/Documentation

Posted: 2017/07/23 14:32:37
by Kantankerus
@scottro The method you describe is listed as the alternative method...

"Publish the ca_user_key.pub key and download it to all hosts that are required to allow remote users to log in. Alternately, copy the CA user public key to all the hosts."

That's precisely why I'm asking...I understand the alternative method...what is this magical "publish" method?

It seems like it's a "pull" vs "push" process, perhaps?

Re: OpenSSH CA Certificates Publishing/Documentation

Posted: 2017/07/23 16:16:33
by aks
The way this is meant to work is a question of trust. If you self-certify (i.e.: the CA used is not one of the pre-known CAs), then you need to establish trust with that CA (i.e.: you). How you achieve that is largely irrelevant, but it means the process running (in this case SSH) needs to access the CA file(s) to establish the trust - it needs to "know" that this CA (identified by its signature) is a trustworthy CA. Copying it to the local machine is more work, but SE probably won't get in the way, while if you put the file on a (say) network attached storage device, SE may deny access to that resource.
Whichever way you do it, the running daemon MUST be able to access the signature (stored in the file) in some manner at some time.
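The "pull" side of the workflow the thread settles on, as an added example that is not from the thread or from the Red Hat documentation: a small Python script that takes a CA public key line fetched from wherever it was published, checks its OpenSSH-style SHA256 fingerprint against a value obtained out of band (the part that actually establishes trust when the key is pulled from a shared location), and only then installs it as ca_user_key.pub with a TrustedUserCAKeys directive. The key material is a constructed placeholder, not a real CA key; the helper names are assumptions; `demo()` works in a temporary directory, whereas on a real host you would point `install_ca_key` at /etc/ssh and reload sshd afterwards.

```python
import base64
import hashlib
import os
import struct
import tempfile

# Constructed sample: a made-up 32-byte value standing in for an ed25519
# public point. It is NOT a real key; it only exercises the wire format.
_FAKE_ED25519_POINT = bytes(range(1, 33))


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': 4-byte big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def build_pubkey_line(key_type: str, key_bytes: bytes, comment: str) -> str:
    """Assemble an OpenSSH one-line public key: '<type> <base64 blob> <comment>'."""
    blob = _ssh_string(key_type.encode()) + _ssh_string(key_bytes)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


# What a host would fetch from the published location (constructed here).
CA_USER_KEY_PUB = build_pubkey_line("ssh-ed25519", _FAKE_ED25519_POINT, "ca_user_key")


def parse_pubkey_line(line: str):
    """Return (key_type, blob); reject lines whose embedded type disagrees."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + n].decode()
    if embedded != key_type:
        raise ValueError(f"type mismatch: {key_type} vs {embedded}")
    return key_type, blob


def fingerprint(line: str) -> str:
    """OpenSSH SHA256 fingerprint: base64(sha256(blob)) without '=' padding."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def install_ca_key(line: str, expected_fp: str, ssh_dir: str) -> str:
    """Write the pulled CA key to <ssh_dir>/ca_user_key.pub and add a
    TrustedUserCAKeys line to <ssh_dir>/sshd_config, but only if the
    fingerprint matches the out-of-band value. Idempotent; returns the path."""
    fp = fingerprint(line)
    if fp != expected_fp:
        raise ValueError(f"CA key fingerprint mismatch: got {fp}, expected {expected_fp}")
    os.makedirs(ssh_dir, exist_ok=True)
    ca_path = os.path.join(ssh_dir, "ca_user_key.pub")
    with open(ca_path, "w") as f:
        f.write(line.rstrip("\n") + "\n")
    os.chmod(ca_path, 0o644)  # world-readable public key, like /etc/ssh/*.pub
    cfg_path = os.path.join(ssh_dir, "sshd_config")
    directive = f"TrustedUserCAKeys {ca_path}\n"
    existing = open(cfg_path).read() if os.path.exists(cfg_path) else ""
    if directive not in existing:
        with open(cfg_path, "a") as f:
            f.write(directive)
    return ca_path


def demo() -> dict:
    """Run the pull-verify-install flow in a scratch directory and report:
    the fingerprint, how many TrustedUserCAKeys lines exist after two installs
    (expected 1), and whether a different key is rejected (expected True)."""
    ssh_dir = tempfile.mkdtemp(prefix="ssh-ca-demo-")
    fp = fingerprint(CA_USER_KEY_PUB)          # in practice: published out of band
    install_ca_key(CA_USER_KEY_PUB, fp, ssh_dir)
    install_ca_key(CA_USER_KEY_PUB, fp, ssh_dir)  # second run must not duplicate
    cfg = open(os.path.join(ssh_dir, "sshd_config")).read()
    tampered = build_pubkey_line("ssh-ed25519", bytes(32), "ca_user_key")
    try:
        install_ca_key(tampered, fp, ssh_dir)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "fingerprint": fp,
        "directive_count": cfg.count("TrustedUserCAKeys"),
        "tamper_rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The fingerprint computed here is the same SHA256 form `ssh-keygen -lf ca_user_key.pub` prints, so the value to compare against can be read off the CA host and passed around by any channel you already trust; the "publish anywhere" advice in the documentation is safe only because this check, not the download location, is what decides whether sshd trusts the CA.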

Re: OpenSSH CA Certificates Publishing/Documentation

Posted: 2017/07/23 23:18:24
by Kantankerus
Ok, so there is definitely no well established method of "publishing" making me believe they meant to stick it somewhere you could download it from and then "pull it" (download it) to each host, versus the alternate method of scp'ing it (pushing it) to each host. Six of one, half dozen of the other.

Just wanted to make sure I wasn't missing some well known key server daemon option or some such.

Thanks for the clarification!