SSH Certificates

Adding the CA key on samplehost

/etc/ssh/sshd_config (on samplehost):

TrustedUserCAKeys /etc/ssh/ca_keyfile

/etc/ssh/ca_keyfile (on samplehost):

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGEjTruHcldzMaimGiVw8A5zSuHmdRtze8L46L/gEJD8 Sample Public Key (used as CA)
...more CA public keys may be added, one per line

Signing a user key (on the admin's workstation):

ssh-keygen -s <ca private key file> -I 'Sven Luthi' -n root,sven,othername -V '+1h' <user public key file to sign>
Parameter   Function
-s          Private key corresponding to the public key added to /etc/ssh/ca_keyfile on samplehost.
-I          A string identifying this certificate. Usually putting the name of the person for whom the certificate was signed is a good idea. Note that this string is logged on the target system when the key is used.
-n          A comma-separated list of usernames (principals) this certificate can be used to log in as.
-V          Sets the expiry, or the timeframe in which the certificate is valid. E.g. '+1w1d5h' -> expires 8 days and 5 hours from now. '+1d:+1d2h' means the certificate becomes valid 24 hours from now and expires 26 hours from now.
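As an added illustration (not part of the original note and not OpenSSH's own code), the Python below decodes the cert-v01 layout that `ssh-keygen -s` writes, shows where the -I, -n and -V values end up inside the certificate, mirrors how ssh-keygen turns a relative -V spec into the valid_after/valid_before timestamps, and re-implements the principal and validity checks sshd applies to a TrustedUserCAKeys certificate once the CA signature has verified. The certificate it inspects is assembled locally with a zeroed nonce and a placeholder signature (a real signature needs the CA private key), the user key bytes are constructed, and the CA public key is the one from /etc/ssh/ca_keyfile above; signature verification itself is not reproduced.

```python
import base64
import re
import struct

# --- OpenSSH wire-format helpers (RFC 4251 "string", uint32, uint64) ---
def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1  # type 2 would be a host certificate (ssh-keygen -h)

# CA public key from /etc/ssh/ca_keyfile on this page (comment dropped).
CA_PUB_LINE = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGEjTruHcldzMaimGiVw8A5zSuHmdRtze8L46L/gEJD8"
# Constructed stand-in for the user's raw ed25519 public key (not a real key).
USER_PUB_RAW = bytes(range(32))

def raw_ed25519(pub_line: str) -> bytes:
    """Return the 32 raw key bytes from an 'ssh-ed25519 <base64>' line."""
    blob = base64.b64decode(pub_line.split()[1])
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-ed25519":
        raise ValueError("not an ed25519 key")
    return _read_string(blob, off)[0]

# --- the -V argument, interpreted the way ssh-keygen does for relative specs ---
_UNIT = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def convtime(spec: str) -> int:
    """'1w1d5h' -> seconds, like ssh-keygen's convtime() (suffixes s, m, h, d, w)."""
    if not re.fullmatch(r"(\d+[smhdwSMHDW]?)+", spec):
        raise ValueError("bad time spec: " + spec)
    return sum(int(n) * _UNIT[u.lower()] for n, u in re.findall(r"(\d+)([smhdwSMHDW]?)", spec))

def validity_window(v_arg: str, now: int):
    """Map a relative -V value to (valid_after, valid_before) epoch seconds.
    Only '+<time>' and '+<time>:+<time>' are handled; the absolute
    YYYYMMDD[HHMM[SS]] forms ssh-keygen also accepts are left out (assumption)."""
    if ":" not in v_arg:
        if not v_arg.startswith("+"):
            raise ValueError("only relative (+...) specs handled")
        # ssh-keygen backdates the start by up to one minute to absorb clock skew.
        return ((now - 59) // 60) * 60, now + convtime(v_arg[1:])
    start, end = v_arg.split(":", 1)
    if not (start.startswith("+") and end.startswith("+")):
        raise ValueError("only relative (+...) specs handled")
    return now + convtime(start[1:]), now + convtime(end[1:])

def build_user_cert(user_pub, ca_pub, key_id, principals, valid_after, valid_before) -> str:
    """Assemble a user certificate in the cert-v01 layout. Nonce and signature are
    zero placeholders: only `ssh-keygen -s <ca key>` produces a real signature."""
    body = (_string(CERT_TYPE)
            + _string(b"\x00" * 32)                      # nonce (random in real certs)
            + _string(user_pub)                          # key being certified
            + struct.pack(">QI", 0, USER_CERT)           # serial (-z), certificate type
            + _string(key_id.encode())                   # -I key id
            + _string(b"".join(_string(p.encode()) for p in principals))  # -n principals
            + struct.pack(">QQ", valid_after, valid_before)               # -V window
            + _string(b"") + _string(b"") + _string(b"")  # critical options, extensions, reserved
            + _string(_string(b"ssh-ed25519") + _string(ca_pub)))        # signature key (the CA)
    sig = _string(_string(b"ssh-ed25519") + _string(b"\x00" * 64))      # placeholder signature
    return "%s %s %s" % (CERT_TYPE.decode(), base64.b64encode(body + sig).decode(), key_id)

def parse_cert(cert_line: str) -> dict:
    """Decode the fields sshd looks at (the same ones `ssh-keygen -L` prints)."""
    blob = base64.b64decode(cert_line.split()[1])
    ktype, off = _read_string(blob, 0)
    if ktype != CERT_TYPE:
        raise ValueError("unsupported certificate type %r" % ktype)
    _nonce, off = _read_string(blob, off)
    pub, off = _read_string(blob, off)
    serial, ctype = struct.unpack_from(">QI", blob, off); off += 12
    key_id, off = _read_string(blob, off)
    plist, off = _read_string(blob, off)
    principals, p = [], 0
    while p < len(plist):                                # packed list of strings
        name, p = _read_string(plist, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off); off += 16
    crit, off = _read_string(blob, off)
    ext, off = _read_string(blob, off)
    _reserved, off = _read_string(blob, off)
    sig_key, off = _read_string(blob, off)
    return {"key_id": key_id.decode(), "type": "user" if ctype == USER_CERT else "host",
            "serial": serial, "principals": principals, "valid_after": valid_after,
            "valid_before": valid_before, "ca_key": sig_key, "public_key": pub,
            "critical_options": crit, "extensions": ext}

def check_cert(cert: dict, username: str, now: int):
    """Authority checks sshd applies for TrustedUserCAKeys after the CA signature
    verifies; returns (accepted, reason)."""
    if cert["type"] != "user":
        return False, "not a user certificate"
    if not cert["principals"]:                           # sshd requires a principal list here
        return False, "certificate lacks principal list"
    if now < cert["valid_after"]:
        return False, "certificate not yet valid"
    if now >= cert["valid_before"]:
        return False, "certificate expired"
    if username not in cert["principals"]:
        return False, "name is not a listed principal"
    return True, "ok"

if __name__ == "__main__":
    import time
    va, vb = validity_window("+1h", int(time.time()))
    line = build_user_cert(USER_PUB_RAW, raw_ed25519(CA_PUB_LINE), "Sven Luthi",
                           ["root", "sven", "othername"], va, vb)
    for k, v in parse_cert(line).items():
        print("%-17s %r" % (k, v))
```

On a real certificate produced by the signing command above, `ssh-keygen -L -f <user key>-cert.pub` prints the same key id, principals and validity window that parse_cert extracts here; the reason strings in check_cert match what sshd logs when it rejects a certificate, which is where to look when a login with a valid-looking certificate fails.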