user key signing:
ssh-keygen -I <certificate identity> \
- [-n <principals>] \
-s <user CA private key file> \
+ [-U] \
+ [-n <principals>] \
-V <start YYYYMMDD[HHMM]:end YYYYMMDD[HHMM]> \
[-z <serial number>] \
<public key file>
echo "@cert-authority *.useribm.hu <contents of host-CA.pub>" >>/etc/ssh/ssh_known_hosts
host key signing (as root on ssh servers):
- ssh-keygen -h \
- -I <fqdn> \
- [-n <fqdns>] \
+ ssh-keygen -I <fqdn> \
-s <host CA private key file> \
+ -h \
+ [-n <fqdns>] \
/etc/ssh/ssh_host_ed25519_key.pub
where
fqdns: comma (and no space) separated target hosts
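Review bot: The `-s` line of the user-signing template still reads `user CA private key file`, but the added `-U` means the private key lives in ssh-agent and ssh-keygen's `-s` must then be given the CA's public half — as written the note will send people looking for a private key file that, with `-U`, need not be on disk at all. I would change that line to `-s <user CA public key file; private half is held by ssh-agent> \` so the template matches the flag it now uses. The host-signing template keeps `-s <host CA private key file>` without `-U`, so that one is consistent as is; a one-line remark that the host CA is used from disk while the user CA is agent-resident would make the asymmetry deliberate rather than accidental.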
#!/bin/sh
+ssh-add -l | grep --quiet --word-regexp "user-CA"
+if [ $? -ne 0 ]
+then
+ echo "user-CA must be added to ssh-agent (ssh-add user-CA)." >&2
+ exit 1
+fi
CERT_YEAR_QUARTER=$(echo $1 | grep '^20[0-9][0-9]q[1-4]$')
if [ -z "$CERT_YEAR_QUARTER" ]
then
ls *-cert.pub | sed 's/-cert.pub$//' | while read CAP_NAME
do
ssh-keygen -I ${CAP_NAME}-$CERT_YEAR_QUARTER \
- -n $CAP_NAME \
-s user-CA \
+ -U \
+ -n $CAP_NAME \
-V ${CERT_START_YYYYMMDD}:$CERT_END_YYYYMMDD \
${CAP_NAME}.pub
done
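Review bot: The new agent guard on the `ssh-add -l | grep --quiet --word-regexp "user-CA"` line matches the key's comment text, so any agent-loaded key whose comment contains the word (a stale copy, a test CA, `old-user-CA`) satisfies it and signing proceeds with whatever key ssh-keygen finds; comparing the fingerprint of the intended CA is the check that actually binds the guard to the key, e.g. `if ! ssh-add -l | grep -qF -- "$(ssh-keygen -lf user-CA.pub | awk '{print $2}')"; then`. With `-U` the `-s user-CA` argument must resolve to the public half, so this relies on `user-CA.pub` sitting next to the script; naming it explicitly (`-s user-CA.pub`) documents that and lets the private key stay agent-only. Unrelated to the change but visible in the hunk: the loop runs when `"$CERT_YEAR_QUARTER"` is empty (`-z`), which looks inverted since the identity `${CAP_NAME}-$CERT_YEAR_QUARTER` would then end in a bare dash, and `CERT_START_YYYYMMDD`/`CERT_END_YYYYMMDD` are not assigned anywhere in view — the enclosing `if` closes outside the hunk, so I may be missing an `else` branch. The `ls *-cert.pub | sed | while read` pipeline could also be `for CERT in *-cert.pub; do CAP_NAME=${CERT%-cert.pub}`, which avoids parsing `ls` under `#!/bin/sh`.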