vyos/vyos-documentation
1
0
Fork 0
mirror of https://github.com/vyos/vyos-documentation.git synced 2025-10-26 01:31:44 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1641 from vyos/ssh-ca

Browse Source 
ssh: T6013: add example how to use a CA for system login
This commit is contained in:
Christian Breunig 2025-05-29 20:17:01 +02:00 committed by GitHub
commit bfa8a806ee
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 34 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
docs/configuration/service/ssh.rst
View File

@ -129,11 +129,34 @@ Configuration
``rsa-sha2-256-cert-v01@openssh.com``, ``rsa-sha2-512``,
``rsa-sha2-512-cert-v01@openssh.com``
.. cfgcmd:: set service ssh trusted-user-ca-key ca-certificate <ca_cert_name>
.. cfgcmd:: set service ssh trusted-user-ca <name>
Specify the name of the OpenSSH key-pair that acts as certificate authority
and will be used to verify user certificates.
You can use it by adding the OpenSSH key-pair under the PKI subsystem.
Example:
.. code-block:: none
# Generate key-pair acting as CA
$ ssh-keygen -f vyos-ssh-ca.key
# Generate key for user: vyos_testca
$ ssh-keygen -f vyos_testca -C "vyos_tesca@vyos.net"
# Sign public key from user vyos_testca and insert principal names: vyos, vyos_testca
# with a key lifetime of two weeks - after which the key is unusable
$ ssh-keygen -s vyos-ssh-ca.key -I vyos_testca@vyos.net -n vyos,vyos_testca -V +2w vyos_testca.pub
$ set system login user vyos_testca
$ set pki openssh test_ca public key AAAAB3N.....
$ set pki openssh test_ca public type ssh-rsa
$ set service ssh trusted-user-ca test_ca
You can now log into the system using: ``ssh -i vyos_testca vyos_testca@vyos.test.com``
Specify the name of the CA certificate that will be used to verify the user
certificates.
You can use it by adding the CA certificate with the PKI command.
Dynamic-protection
==================

7
docs/configuration/system/login.rst
View File

@ -34,6 +34,13 @@ Local
Setup encrypted password for given username. This is useful for
transferring a hashed password from system to system.
.. cfgcmd:: set system login user <name> authentication principal <principal>
When using SSH certificate based authentication, define which principals are
alled to use this account.
If unset, the principal will be set to the login name of the user bz default.
.. cfgcmd:: set system login user <name> disable
Disable (lock) account. User will not be able to log in.