author: Christian Breunig <christian@breunig.cc> 2025-05-29 14:19:13 +0200
committer: Christian Breunig <christian@breunig.cc> 2025-05-29 14:19:13 +0200
commit: f5ee81a3bbf1c5a9e5c2b8f512d12f040fcaa3cd (patch)
tree: ac9c6b2cf8a5242bfcf1507a3c2ee2184b813355
parent: 86a282ecd049ce4aa25e5fd7b776423f96d7ce9c (diff)
download: vyos-documentation-f5ee81a3bbf1c5a9e5c2b8f512d12f040fcaa3cd.tar.gz
download: vyos-documentation-f5ee81a3bbf1c5a9e5c2b8f512d12f040fcaa3cd.zip

ssh: T6013: add example how to use a CA for system login [ssh-ca]
-rw-r--r--  docs/configuration/service/ssh.rst   31
-rw-r--r--  docs/configuration/system/login.rst   7
2 files changed, 34 insertions, 4 deletions
diff --git a/docs/configuration/service/ssh.rst b/docs/configuration/service/ssh.rst
index 4fa44d3e..c9969aa6 100644
--- a/docs/configuration/service/ssh.rst
+++ b/docs/configuration/service/ssh.rst
@@ -129,11 +129,34 @@ Configuration
``rsa-sha2-256-cert-v01@openssh.com``, ``rsa-sha2-512``,
``rsa-sha2-512-cert-v01@openssh.com``
-.. cfgcmd:: set service ssh trusted-user-ca-key ca-certificate <ca_cert_name>
+.. cfgcmd:: set service ssh trusted-user-ca <name>
+
+ Specify the name of the OpenSSH key-pair that acts as certificate authority
+ and will be used to verify user certificates.
+
+ You can use it by adding the OpenSSH key-pair under the PKI subsystem.
+
+ Example:
+
+ .. code-block:: none
+
+ # Generate key-pair acting as CA
+ $ ssh-keygen -f vyos-ssh-ca.key
+
+ # Generate key for user: vyos_testca
+ $ ssh-keygen -f vyos_testca -C "vyos_tesca@vyos.net"
+
+ # Sign public key from user vyos_testca and insert principal names: vyos, vyos_testca
+ # with a key lifetime of two weeks - after which the key is unusable
+ $ ssh-keygen -s vyos-ssh-ca.key -I vyos_testca@vyos.net -n vyos,vyos_testca -V +2w vyos_testca.pub
+
+ $ set system login user vyos_testca
+ $ set pki openssh test_ca public key AAAAB3N.....
+ $ set pki openssh test_ca public type ssh-rsa
+ $ set service ssh trusted-user-ca test_ca
+
+ You can now log into the system using: ``ssh -i vyos_testca vyos_testca@vyos.test.com``
- Specify the name of the CA certificate that will be used to verify the user
- certificates.
- You can use it by adding the CA certificate with the PKI command.
Dynamic-protection
==================
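Review bot: the key type declared in `set pki openssh test_ca public type ssh-rsa` is not guaranteed by the CA generation step `$ ssh-keygen -f vyos-ssh-ca.key`, which produces whatever ssh-keygen's default key type is (Ed25519 on current OpenSSH releases); either add `-t rsa` to that command or tell the reader to set `public type` to the algorithm the generated key actually has, otherwise certificate verification fails. The example should also say explicitly that the value pasted into `set pki openssh test_ca public key AAAAB3N.....` is the CA's own public key from `vyos-ssh-ca.key.pub`, not the user key and not the signed certificate; as written, a reader can reasonably pick the wrong file. Smaller points in the same block: the `$` prompt on the VyOS `set` lines suggests a shell, while these are configuration-mode commands and should not carry the same prompt as the `ssh-keygen` lines above them; the `-C "vyos_tesca@vyos.net"` comment misspells the user name used everywhere else (`vyos_testca`); and a one-line caveat is worth adding that the principal list `-n vyos,vyos_testca` also lets this certificate log in as the `vyos` account, since a user's principal defaults to its login name per the login.rst change in this same commit.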
diff --git a/docs/configuration/system/login.rst b/docs/configuration/system/login.rst
index 3a7481eb..1c4e041d 100644
--- a/docs/configuration/system/login.rst
+++ b/docs/configuration/system/login.rst
@@ -34,6 +34,13 @@ Local
Setup encrypted password for given username. This is useful for
transferring a hashed password from system to system.
+.. cfgcmd:: set system login user <name> authentication principal <principal>
+
+ When using SSH certificate based authentication, define which principals are
+ alled to use this account.
+
+ If unset, the principal will be set to the login name of the user bz default.
+
.. cfgcmd:: set system login user <name> disable
Disable (lock) account. User will not be able to log in.
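Review bot: two typos in the added text: `alled to use this account.` should read `allowed to use this account.`, and `bz default` should read `by default`. It would also help to state that the configured principal must appear in the certificate's principal list (the `-n` option of `ssh-keygen -s` in the ssh.rst example) for the login to succeed, so the reader sees how the two settings connect.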