Merge pull request #1641 from vyos/ssh-ca

ssh: T6013: add example how to use a CA for system login

1 files changed, 27 insertions, 4 deletions

diff --git a/docs/configuration/service/ssh.rst b/docs/configuration/service/ssh.rst
index 4fa44d3e..c9969aa6 100644
--- a/docs/configuration/service/ssh.rst
+++ b/docs/configuration/service/ssh.rst
@@ -129,11 +129,34 @@ Configuration
   ``rsa-sha2-256-cert-v01@openssh.com``, ``rsa-sha2-512``,
   ``rsa-sha2-512-cert-v01@openssh.com``
 
-.. cfgcmd:: set service ssh trusted-user-ca-key ca-certificate <ca_cert_name>
+.. cfgcmd:: set service ssh trusted-user-ca <name>
+
+  Specify the name of the OpenSSH key-pair that acts as certificate authority
+  and will be used to verify user certificates.
+
+  You can use it by adding the OpenSSH key-pair under the PKI subsystem.
+
+  Example:
+
+  .. code-block:: none
+
+    # Generate key-pair acting as CA
+    $ ssh-keygen -f vyos-ssh-ca.key
+
+    # Generate key for user: vyos_testca
+    $ ssh-keygen -f vyos_testca  -C "vyos_tesca@vyos.net"
+
+    # Sign public key from user vyos_testca and insert principal names: vyos, vyos_testca
+    # with a key lifetime of two weeks - after which the key is unusable
+    $ ssh-keygen -s vyos-ssh-ca.key -I vyos_testca@vyos.net -n vyos,vyos_testca -V +2w vyos_testca.pub
+
+    $ set system login user vyos_testca
+    $ set pki openssh test_ca public key AAAAB3N.....
+    $ set pki openssh test_ca public type ssh-rsa
+    $ set service ssh trusted-user-ca test_ca
+
+  You can now log into the system using: ``ssh -i vyos_testca vyos_testca@vyos.test.com``
 
-  Specify the name of the CA certificate that will be used to verify the user
-  certificates.
-  You can use it by adding the CA certificate with the PKI command.
 
 Dynamic-protection
 ==================