rhkra...@gmail.com wrote:
> I am (still) rather confused about using ssh certificate authentication.
>
> I am confused about a variety of specifics, but the biggie is this: I have the
> idea that I can create one user certificate and one server (host) certificate,
> and use that for any number of users and servers on a LAN.

Doing so is a lot like telling all the users that their password is now
"swordfish". You could do that, but it defeats common sense.

Here's what's going on:

* You (root on many systems) create a certificate authority. This is a Big Secret.
* You use the Big Secret to sign a Trust Me certificate
* You install the Trust Me cert on all your SSH servers.
* You tell the SSH servers that anyone who can successfully negotiate a key
  exchange with the Trust Me cert is an authorized user -- log them in.
* You use the Trust Me certificate to sign a user-cert for each user. The user
  cert says "My username is rhkramer, you can trust me."
* rhkramer can now log in to any host that believes in your Trust Me cert, by
  presenting the user-cert which the Trust Me certificate can decode.

Pro:
  You manage one cert per SSH server, not a pair per user

Cons:
  You must keep and properly distribute a CRL, certificate revocation list
  You must keep track of expiration dates on the user-certs
  You must re-issue user-certs before the expirations
  You must have automated machinery to manage the user-certs
  You must properly protect your Big Secret
  You must keep everything running

-dsr-
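
The per-user workflow described above, carried out with OpenSSH's own ssh-keygen, as an added example that is not part of the original message. In OpenSSH the CA is an ordinary key pair whose public half the servers trust via TrustedUserCAKeys, and ssh-keygen -s signs each user's public key directly; the directory layout, key IDs, serial numbers and 30-day validity here are assumptions.

```sh
#!/bin/sh
# Added example (not from the original message). File names, key IDs,
# serial numbers and the 30-day validity are assumptions.
# Server side (sshd_config), paths are placeholders:
#   TrustedUserCAKeys /etc/ssh/user_ca.pub
#   RevokedKeys       /etc/ssh/revoked.krl

# Create the CA key pair in directory $1. The private half ($1/ca) is the
# secret to protect; only $1/ca.pub is copied to the servers.
make_ca() {
    ssh-keygen -q -t ed25519 -N '' -C 'lan-user-ca' -f "$1/ca"
}

# Issue one certificate per user: $1 = dir, $2 = username, $3 = serial.
# -n limits the cert to that login name, -V sets the expiry.
# (For the demo the user's key pair is generated here as well; normally
# the user generates it and hands over only the .pub file.)
issue_user_cert() {
    ssh-keygen -q -t ed25519 -N '' -C "$2" -f "$1/$2" &&
    ssh-keygen -q -s "$1/ca" -I "$2@lan" -n "$2" -z "$3" -V +30d "$1/$2.pub"
}

# Print the principals (allowed login names) a certificate carries.
cert_principals() {
    ssh-keygen -L -f "$1" |
        awk '/Principals:/ {p=1; next} /Critical Options:/ {p=0} p {print $1}'
}

# Add user $2's certificate to the key revocation list $1/revoked.krl.
revoke_cert() {
    if [ -f "$1/revoked.krl" ]; then
        ssh-keygen -q -k -u -f "$1/revoked.krl" "$1/$2-cert.pub"
    else
        ssh-keygen -q -k -f "$1/revoked.krl" "$1/$2-cert.pub"
    fi
}

# Succeeds if user $2's certificate is listed in the KRL. ssh-keygen -Q
# exits non-zero for a revoked key (and also on error).
is_revoked() {
    ! ssh-keygen -Q -f "$1/revoked.krl" "$1/$2-cert.pub" >/dev/null 2>&1
}
```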