OpenSSH CA Certificates Publishing/Documentation

Kantankerus
Posts: 3
Joined: 2017/07/23 01:19:19

OpenSSH CA Certificates Publishing/Documentation

Postby Kantankerus » 2017/07/23 01:26:35

I'm reading through the upstream vendor documentation at https://access.redhat.com/documentation ... _Keys.html and on the second paragraph, it starts with "Publish the ca_user_key.pub key and download it to all hosts that are required to allow remote users to log in." I'm unclear on the context. Do they mean the generic "publish" whereas you place the file in a shared location (ANY shared location) such as a file share, private FTP site, etc., or is there an established means of publishing such keys, like a key server?

Just trying to wrap my brain around this to see if we want to leverage this in our ever growing environment.

Any help, hints or nudges in the right direction would be greatly appreciated.

scottro
Forum Moderator
Posts: 2329
Joined: 2007/09/03 21:18:09
Location: NYC

Re: OpenSSH CA Certificates Publishing/Documentation

Postby scottro » 2017/07/23 12:53:09

The key would be stored (you can see this from the example) in the user's (root's in this case) $HOME/.ssh/ file. The .ssh (note the dot) may have to be created.
Then, following the examples, you would distribute the key to root@remoteserver:/etc/ssh/

Kantankerus
Posts: 3
Joined: 2017/07/23 01:19:19

Re: OpenSSH CA Certificates Publishing/Documentation

Postby Kantankerus » 2017/07/23 14:32:37

@scottro The method you describe is listed as the alternative method...

"Publish the ca_user_key.pub key and download it to all hosts that are required to allow remote users to log in. Alternately, copy the CA user public key to all the hosts."

That's precisely why I'm asking...I understand the alternative method...what is this magical "publish" method?

It seems like it's a "pull" vs "push" process, perhaps?

aks
Posts: 2498
Joined: 2014/09/20 11:22:14

Re: OpenSSH CA Certificates Publishing/Documentation

Postby aks » 2017/07/23 16:16:33

The way this is meant to work is a question of trust. If you self certify (i.e.: the CA used is not one of the pre-known CAs), then you need to establish trust with that CA (i.e.: you). How you achieve that is largely irrelevant, but it means the process running (in this case SSH) needs to access the CA file(s) to establish the trust - it needs to "know" that this CA (identified by its signature) is a trustworthy CA. Copying it to the local machine is more work, but SE probably won't get in the way, while if you put the file on a (say) network attached storage device, SE may deny access to that resource.
Whichever way you do it, the running daemon MUST be able to access the signature (stored in the file) in some manner at some time.

Kantankerus
Posts: 3
Joined: 2017/07/23 01:19:19

Re: OpenSSH CA Certificates Publishing/Documentation

Postby Kantankerus » 2017/07/23 23:18:24

Ok, so there is definitely no well established method of "publishing" making me believe they meant to stick it somewhere you could download it from and then "pull it" (download it) to each host, versus the alternate method of scp'ing it (pushing it) to each host. Six of one, half dozen of the other.

Just wanted to make sure I wasn't missing some well known key server daemon option or some such.

Thanks for the clarification!
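
Whether the CA public key is pushed with scp or pulled from a shared location, the host ends up with a plain OpenSSH public-key file (the one sshd is pointed at via TrustedUserCAKeys). The step the thread does not spell out is checking that what arrived is the key the CA operator actually published, which is normally done by comparing the SHA256 fingerprint that ssh-keygen -lf prints against one received out of band. The following Python is an added example written for this thread, not code from any of the posts or from the Red Hat documentation; the key material, file contents and function names are all constructed for illustration. It parses each line of a pulled-down ca_user_key.pub, checks that the base64 blob decodes and that the key type embedded in the blob matches the text prefix, computes the fingerprint in the same form ssh-keygen uses, and flags any key that is not on the expected list.

```python
"""Verify a pulled-down OpenSSH CA public-key file against published fingerprints.

Added example for the forum thread above; all sample data is constructed.
"""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


def parse_ssh_pubkey_line(line: str):
    """Parse one '<type> <base64> [comment]' line as found in TrustedUserCAKeys files.

    Returns (keytype, blob, comment). Raises ValueError for malformed or
    tampered lines (bad base64, or a blob whose embedded type string does not
    match the textual key type).
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    if len(blob) < 4:
        raise ValueError("blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + name_len].decode("ascii", "replace")
    if embedded != keytype:
        raise ValueError("key type %r does not match embedded type %r" % (keytype, embedded))
    return keytype, blob, comment


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints: base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def verify_trusted_ca_file(text: str, expected_fingerprints):
    """Return one (keytype, fingerprint, status) tuple per non-comment line.

    status is 'ok' when the fingerprint is on the published list,
    'unexpected' when the key parses but was never published, and
    'malformed: ...' when the line could not be parsed.
    """
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            keytype, blob, _comment = parse_ssh_pubkey_line(line)
        except ValueError as exc:
            results.append(("?", "", "malformed: %s" % exc))
            continue
        fp = fingerprint(blob)
        results.append((keytype, fp, "ok" if fp in expected_fingerprints else "unexpected"))
    return results


# --- constructed sample data (not real keys) ---------------------------------
# An ed25519 public key blob is the string "ssh-ed25519" followed by 32 key bytes.
SAMPLE_CA_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
ROGUE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32, 64)))
_ca_b64 = base64.b64encode(SAMPLE_CA_BLOB).decode("ascii")
_rogue_b64 = base64.b64encode(ROGUE_BLOB).decode("ascii")

# What the CA operator publishes out of band next to the download location.
PUBLISHED_FINGERPRINT = fingerprint(SAMPLE_CA_BLOB)

# Contents of a ca_user_key.pub as it might arrive on a host: the genuine CA key,
# an extra key nobody published, a line whose type prefix was altered, and junk.
SAMPLE_FILE = "\n".join([
    "# /etc/ssh/ca_user_key.pub pulled from the publish location (constructed)",
    "ssh-ed25519 %s ca_user_key" % _ca_b64,
    "ssh-ed25519 %s extra-key-not-published" % _rogue_b64,
    "ssh-rsa %s prefix-altered" % _ca_b64,
    "ssh-ed25519 not-base64!!",
])


def demo():
    """Run the check over the constructed file with the published fingerprint."""
    return verify_trusted_ca_file(SAMPLE_FILE, {PUBLISHED_FINGERPRINT})


if __name__ == "__main__":
    for keytype, fp, status in demo():
        print("%-12s %-50s %s" % (keytype, fp, status))
```

Run on a real host, the same check would read the file named by TrustedUserCAKeys in sshd_config and compare against the fingerprint the CA operator published; the point is that pull and push are equivalent only once the host has verified that the bytes it holds are the ones that were published.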