Today I will be looking at using OpenSSH key pairs to replace OpenSSH password authentication, but with a difference. Instead of using just host and user keys, I will be configuring the OpenSSH server and the OpenSSH client to use host and user certificates.
Note: This is a step up from using SSH public and private keys for your hosts and users.
00:00 - Intro
00:28 - Host & User Certificates for OpenSSH
00:48 - OpenSSH key management
01:44 - Public Key and Passwords
02:49 - Trust on First Use (TOFU)
05:13 - Best Practice - Use SSH Certificates
07:20 - Create Host CA keys
08:20 - Host Certificate
11:26 - Best Practice - Use Separate Host and User CAs
12:40 - Create User CA
13:06 - Generate or re-use existing Host Keys
13:40 - Sign the Host Certificates
14:48 - Copy Host Keys and Host Cert to SSH Server
15:53 - Configure SSH Clients to use Host Certificates
17:11 - User Keys
17:30 - Sign User Public Key
18:28 - Copy User Keys and User Cert to User Home Dir
18:47 - Configure TrustedUserCAKeys
19:34 - Other Best Practices
20:19 - What we covered
21:01 - Outro
Support me on Patreon: https://www.patreon.com/DJWare
Follow me:
Twitter @djware55
Facebook: https://www.facebook.com/don.ware.7758
Discord: https://discord.gg/hQcShnh
Gitlab: https://gitlab.com/djware27