ssh: T6013: add example how to use a CA for system login

2025-10-26 01:31:44 +02:00 · 2025-05-29 14:19:13 +02:00 · 2025-05-29 14:19:13 +02:00 · f5ee81a3bb
commit f5ee81a3bb
parent 86a282ecd0
2 changed files with 34 additions and 4 deletions
--- a/docs/configuration/service/ssh.rst
+++ b/docs/configuration/service/ssh.rst
@ -129,11 +129,34 @@ Configuration
  ``rsa-sha2-256-cert-v01@openssh.com``, ``rsa-sha2-512``,
  ``rsa-sha2-512-cert-v01@openssh.com``

-.. cfgcmd:: set service ssh trusted-user-ca-key ca-certificate <ca_cert_name>
+.. cfgcmd:: set service ssh trusted-user-ca <name>
+
+  Specify the name of the OpenSSH key-pair that acts as certificate authority
+  and will be used to verify user certificates.
+
+  You can use it by adding the OpenSSH key-pair under the PKI subsystem.
+
+  Example:
+
+  .. code-block:: none
+
+    # Generate key-pair acting as CA
+    $ ssh-keygen -f vyos-ssh-ca.key
+
+    # Generate key for user: vyos_testca
+    $ ssh-keygen -f vyos_testca  -C "vyos_tesca@vyos.net"
+
+    # Sign public key from user vyos_testca and insert principal names: vyos, vyos_testca
+    # with a key lifetime of two weeks - after which the key is unusable
+    $ ssh-keygen -s vyos-ssh-ca.key -I vyos_testca@vyos.net -n vyos,vyos_testca -V +2w vyos_testca.pub
+
+    $ set system login user vyos_testca
+    $ set pki openssh test_ca public key AAAAB3N.....
+    $ set pki openssh test_ca public type ssh-rsa
+    $ set service ssh trusted-user-ca test_ca
+
+  You can now log into the system using: ``ssh -i vyos_testca vyos_testca@vyos.test.com``

-  Specify the name of the CA certificate that will be used to verify the user
-  certificates.
-  You can use it by adding the CA certificate with the PKI command.

 Dynamic-protection
 ==================
--- a/docs/configuration/system/login.rst
+++ b/docs/configuration/system/login.rst
@ -34,6 +34,13 @@ Local
   Setup encrypted password for given username. This is useful for
   transferring a hashed password from system to system.

+.. cfgcmd:: set system login user <name> authentication principal <principal>
+
+   When using SSH certificate based authentication, define which principals are
+   alled to use this account.
+
+   If unset, the principal will be set to the login name of the user bz default.
+
 .. cfgcmd:: set system login user <name> disable

   Disable (lock) account. User will not be able to log in.