From f5ee81a3bbf1c5a9e5c2b8f512d12f040fcaa3cd Mon Sep 17 00:00:00 2001
From: Christian Breunig
Date: Thu, 29 May 2025 14:19:13 +0200
Subject: ssh: T6013: add example how to use a CA for system login

---
 docs/configuration/service/ssh.rst | 31 +++++++++++++++++++++++++++----
 1 file changed, 27 insertions(+), 4 deletions(-)

(limited to 'docs/configuration/service/ssh.rst')

diff --git a/docs/configuration/service/ssh.rst b/docs/configuration/service/ssh.rst
index 4fa44d3e..c9969aa6 100644
--- a/docs/configuration/service/ssh.rst
+++ b/docs/configuration/service/ssh.rst
@@ -129,11 +129,34 @@ Configuration
 ``rsa-sha2-256-cert-v01@openssh.com``, ``rsa-sha2-512``,
 ``rsa-sha2-512-cert-v01@openssh.com``
 
-.. cfgcmd:: set service ssh trusted-user-ca-key ca-certificate
+.. cfgcmd:: set service ssh trusted-user-ca
+
+ Specify the name of the OpenSSH key-pair that acts as certificate authority
+ and will be used to verify user certificates.
+
+ You can use it by adding the OpenSSH key-pair under the PKI subsystem.
+
+ Example:
+
+ .. code-block:: none
+
+ # Generate key-pair acting as CA
+ $ ssh-keygen -f vyos-ssh-ca.key
+
+ # Generate key for user: vyos_testca
+ $ ssh-keygen -f vyos_testca -C "vyos_tesca@vyos.net"
+
+ # Sign public key from user vyos_testca and insert principal names: vyos, vyos_testca
+ # with a key lifetime of two weeks - after which the key is unusable
+ $ ssh-keygen -s vyos-ssh-ca.key -I vyos_testca@vyos.net -n vyos,vyos_testca -V +2w vyos_testca.pub
+
+ $ set system login user vyos_testca
+ $ set pki openssh test_ca public key AAAAB3N.....
+ $ set pki openssh test_ca public type ssh-rsa
+ $ set service ssh trusted-user-ca test_ca
+
+ You can now log into the system using: ``ssh -i vyos_testca vyos_testca@vyos.test.com``
 
- Specify the name of the CA certificate that will be used to verify the user
- certificates.
- You can use it by adding the CA certificate with the PKI command.
 
 Dynamic-protection
 ==================
--
cgit v1.2.3