SSH configuration
SSH CA
Public key:
ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAF8/jeEOQHE2Ui3c7VwxgHg6hGC1NaNsbqzT1N6PMwITYhHScukm60GE8T5d8UEjOKR0I5/FFqgXFIWDKXCHuOg+AH/eaAfkWNazqthBtZnlrQcA5qDsuZaUjZ4VkZlRi/ltAuvpRyvfrz8Q7IeZtq2bSpTZWcANlV3q0bO8CWdMNiuiA== ACSA CA
Server configuration
curl -fsSLo /etc/ssh/ssh_user_ca https://docs.acsalab.com/assets/ssh-ca
echo "TrustedUserCAKeys /etc/ssh/ssh_user_ca" >> /etc/ssh/sshd_config.d/acsa.conf
systemctl reload ssh.service
Client configuration
Add the CA to the known_hosts file:
~/.ssh/known_hosts
@cert-authority * ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAF8/jeEOQHE2Ui3c7VwxgHg6hGC1NaNsbqzT1N6PMwITYhHScukm60GE8T5d8UEjOKR0I5/FFqgXFIWDKXCHuOg+AH/eaAfkWNazqthBtZnlrQcA5qDsuZaUjZ4VkZlRi/ltAuvpRyvfrz8Q7IeZtq2bSpTZWcANlV3q0bO8CWdMNiuiA== ACSA CA
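Before copying a CA key into `TrustedUserCAKeys` or a `@cert-authority` line, it is worth checking that the blob decodes to what the line claims and recording its fingerprint for out-of-band comparison. The following parser of the OpenSSH public-key wire format (RFC 4251 strings inside the base64 blob) is an added example, not part of this page or the lab's tooling; it is applied to the ACSA CA line published above and also accepts the `@cert-authority * ...` known_hosts form.

```python
import base64
import hashlib
import struct

# The CA public key as published on this page (the "ACSA CA" line).
CA_LINE = (
    "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAF8/"
    "jeEOQHE2Ui3c7VwxgHg6hGC1NaNsbqzT1N6PMwITYhHScukm60GE8T5d8UEjOKR0I5/FFqgXFIWDKXCHuOg"
    "+AH/eaAfkWNazqthBtZnlrQcA5qDsuZaUjZ4VkZlRi/ltAuvpRyvfrz8Q7IeZtq2bSpTZWcANlV3q0bO8C"
    "WdMNiuiA== ACSA CA"
)

def read_string(blob, off):
    """Read one RFC 4251 'string' (uint32 big-endian length + bytes) at off."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated string body")
    return blob[off:off + n], off + n

def parse_pubkey_line(line):
    """Parse an authorized_keys / known_hosts style key line into a dict."""
    fields = line.split()
    markers, hosts = [], None
    if fields and fields[0].startswith("@"):      # known_hosts marker, e.g. @cert-authority
        markers.append(fields.pop(0))
        hosts = fields.pop(0)                     # host pattern, e.g. "*"
    keytype, b64 = fields[0], fields[1]
    comment = " ".join(fields[2:])
    blob = base64.b64decode(b64, validate=True)
    wire_type, off = read_string(blob, 0)
    if wire_type.decode() != keytype:             # the text label must match the blob
        raise ValueError("key type on line does not match wire blob")
    info = {"markers": markers, "hosts": hosts, "type": keytype, "comment": comment}
    if keytype.startswith("ecdsa-sha2-"):
        curve, off = read_string(blob, off)       # curve name, e.g. nistp521
        point, off = read_string(blob, off)       # uncompressed point 0x04 || X || Y
        if point[0] != 0x04:
            raise ValueError("expected uncompressed EC point")
        info["curve"] = curve.decode()
        info["coord_bytes"] = (len(point) - 1) // 2   # 66 for P-521
    if off != len(blob):
        raise ValueError("trailing bytes after key")
    # Same fingerprint format as `ssh-keygen -lf`: SHA256 of the blob, unpadded base64.
    digest = hashlib.sha256(blob).digest()
    info["fingerprint"] = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return info
```

The fingerprint it returns can be compared with the output of `ssh-keygen -lf /etc/ssh/ssh_user_ca` on the server and with the value the CA operator gives you over a separate channel.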
Issuing certificates
For detailed usage, see the LUG @ USTC Documentation and the iBug blog.
Example: the commands previously used to issue a host certificate for the nfs server
scp nfs:/etc/ssh/ssh_host_ecdsa_key.pub .
ssh-keygen -s ca \
-I nfs \
-h \
-n nfs,nfs.acsalab.com,222.195.72.127,2001:da8:d800:112::127,10.1.13.1 \
ssh_host_ecdsa_key.pub
scp ssh_host_ecdsa_key-cert.pub nfs:/etc/ssh/
ssh nfs 'systemctl reload ssh.service'
The corresponding sshd configuration:
/etc/ssh/sshd_config.d/acsa.conf
HostKey /etc/ssh/ssh_host_ecdsa_key
HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub
TrustedUserCAKeys /etc/ssh/ssh_user_ca
PasswordAuthentication no
ChallengeResponseAuthentication no
AuthenticationMethods publickey
AllowGroups root sudo
Example: the command used to issue a client (user) certificate for ibug:
ssh-keygen -s ca \
-I iBug \
-n root,ibug \
-V -5m:+365d \
~/.ssh/id_rsa.pub
When logging in with the ~/.ssh/id_rsa private key, SSH automatically looks for ~/.ssh/id_rsa-cert.pub as the certificate.
If the certificate needs to be stored elsewhere or under another name, CertificateFile can also be specified in ~/.ssh/config:
Host acsa-nfs
HostName nfs.acsalab.com
User root
IdentityFile ~/.ssh/id_rsa
CertificateFile ~/.ssh/acsa-cert.pub
Access control
To restrict SSH access to only certain people, use AllowUsers or AllowGroups (recommended) to configure the server. This is essentially whitelisting.
When using AllowGroups, make sure to include root and sudo so that the root user and system managers (sudoers) can always log in. For example:
/etc/ssh/sshd_config.d/acsa.conf
AllowGroups root sudo staff
User-group membership is configured in LDAP.
Similarly, blacklisting may be achieved with DenyUsers and DenyGroups. Note that Deny* is processed before Allow*, regardless of the order in the configuration file.