
Sign host key with a CA pubkey #185

Open
teunvink opened this issue Feb 10, 2023 · 1 comment

Comments

@teunvink (Member)

Suggestion mentioned on IRC:

have all the host keys signed so that we can just approve the ca pubkey and be confident connecting to ring nodes without host key prompts

@teunvink (Member Author)

Some possibly useful logs:

11:46 <bl____> on a secure machine create a keypair with ssh-keygen or community.crypto.openssh_keypair, publish the public key, on nodes sign host key with ssh-keygen or community.crypto.openssh_cert & put to ssh config is the rough process
11:47 <bl____> then on /etc/ssh/ssh_known_hosts etc put "@cert-authority *.ring.nlnog.net pubkey"
11:47 <bl____> latest putty supports this also finally
11:52 <bl____> so the "ca" is just simply a regular SSH keypair
12:02 <bl____> I am sure interwebs is full of tutorials for it, here is a redhat one: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sec-creating_ssh_ca_certificate_signing-keys
12:04 <@teun> thanks for the info, we can take a look at later and see how it relates to the SSFP entries we already have
12:06 <bl____> putty has rejected support for those unfortunately IIRC :(
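The rough process from the IRC log (CA keypair on a secure machine, sign each node's host key, one @cert-authority line on clients), as an added end-to-end example that is not part of the issue or the ring project's tooling. It assumes OpenSSH's ssh-keygen is on PATH and runs entirely in temporary directories; the CA comment, the node name, the validity window and the *.ring.nlnog.net pattern are placeholders. The verify step is the check to run before trusting a CA key: it confirms the file is a host (not user) certificate, that it lists the principal clients will connect to, and that the signing fingerprint is the CA you are about to put in ssh_known_hosts.

```shell
#!/bin/sh
# Added example (not from the issue or the NLNOG ring project): the host-key CA
# flow sketched in the IRC log, run end to end in scratch directories.
# Assumptions: OpenSSH ssh-keygen is on PATH; CA comment, certificate id,
# validity window and the *.ring.nlnog.net pattern are placeholders.
set -eu

# Step 1, on a secure machine: the "CA" is just a regular SSH keypair.
# make_ca DIR -> DIR/host_ca (private, never leaves that machine) and DIR/host_ca.pub
make_ca() {
  ssh-keygen -q -t ed25519 -N '' -C 'host CA (example)' -f "$1/host_ca"
}

# Step 2, per node: sign the node's host public key with the CA.
#   -s CA private key        -h host certificate (not a user certificate)
#   -I certificate identity  -n principals: the names clients will type
#   -V validity; start 5 minutes in the past to tolerate small clock skew
# sign_host_key CA_DIR NODE_DIR HOSTNAME -> NODE_DIR/ssh_host_ed25519_key-cert.pub
sign_host_key() {
  [ -f "$2/ssh_host_ed25519_key" ] ||
    ssh-keygen -q -t ed25519 -N '' -C "$3" -f "$2/ssh_host_ed25519_key"
  ssh-keygen -q -s "$1/host_ca" -I "$3" -h -n "$3" -V -5m:+52w \
    "$2/ssh_host_ed25519_key.pub"
  # sshd then needs, next to its HostKey line:
  #   HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
}

# Step 3, on clients: one @cert-authority line in ssh_known_hosts covers every
# host whose certificate carries a principal matching the pattern.
# write_known_hosts CA_DIR PATTERN OUTFILE
write_known_hosts() {
  printf '@cert-authority %s %s\n' "$2" "$(cut -d' ' -f1,2 "$1/host_ca.pub")" >"$3"
}

# Check before rollout: host certificate, expected principal present, and
# signed by the CA key we are about to trust (fingerprints must match).
# verify_cert CA_DIR NODE_DIR HOSTNAME -> exit status 0 if all three hold
verify_cert() {
  info=$(ssh-keygen -L -f "$2/ssh_host_ed25519_key-cert.pub")
  printf '%s\n' "$info" | grep -q 'host certificate' || return 1
  printf '%s\n' "$info" | sed 's/^[[:space:]]*//' | grep -Fqx "$3" || return 1
  ca_fp=$(ssh-keygen -lf "$1/host_ca.pub" | awk '{print $2}')
  signer_fp=$(printf '%s\n' "$info" | awk '/Signing CA:/ {print $4}')
  [ "$ca_fp" = "$signer_fp" ]
}

# Run the whole flow once in a scratch directory and show the results.
demo_host_ca() {
  work=$(mktemp -d) && mkdir "$work/ca" "$work/node"
  make_ca "$work/ca"
  sign_host_key "$work/ca" "$work/node" node1.ring.nlnog.net
  write_known_hosts "$work/ca" '*.ring.nlnog.net' "$work/ssh_known_hosts"
  verify_cert "$work/ca" "$work/node" node1.ring.nlnog.net
  cat "$work/ssh_known_hosts"
  ssh-keygen -L -f "$work/node/ssh_host_ed25519_key-cert.pub"
  rm -rf "$work"
}

demo_host_ca
```

Two things worth noting when adapting this: the principals passed with -n must match the hostname the client actually connects to (after any ssh_config aliasing), or the client falls back to prompting, and the @cert-authority pattern only limits which hostnames the CA is trusted for, so a CA that signs for *.ring.nlnog.net cannot be used to impersonate hosts outside that pattern even if the private key leaks.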
