OpenSSH - SSH Certificates

Today I will be looking at using openssh key pairs to replace the openssh password, however with a bit of a difference. Instead of using just host and user keys, I will be configuring OpenSSH Server and OpenSSH client to use host and user certificates. Note: This is a step up from using SSH public and private keys for your host and users 00:00 - Intro 00:28 - Host & User Certificates for OpenSSH 00:48 - OpenSSH key management 01:44 - Public Key and Passwords 02:49 - Trust on First Use (TOFU) 05:13 - Best Practice - Use SSH Certificates 07:20 - Create Host CA keys 08:20 - Host Certificate 11:26 - Best Practice - Use Separate Host and User CAs 12:40 - Create User CA 13:06 - Generate or re-use existing Host Keys 13:40 - Sign the Host Certificates 14:48 - Copy Host Keys and Host Cert to SSH Server 15:53 - Configure SSH Clients to use Host Certificates 17:11 - User Keys 17:30 - Sign User Public Key 18:28 - Copy User Keys and User Cert to User Home Dir 18:47 - Configure TrustedUserCAKeys 19:34 - Other Best Practices 20:19 - What we covered 21:01 - Outro Support me on Patreon: https://www.patreon.com/DJWare Follow me: Twitter @djware55 Facebook:https://www.facebook.com/don.ware.7758 Discord: https://discord.gg/hQcShnh Gitlab: https://gitlab.com/djware27 "Brightly Fancy" Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 4.0 License http://creativecommons.org/licenses/by/4.0 "Militaire Electronic" Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 4.0 License http://creativecommons.org/licenses/by/4.0/ Werq by Kevin MacLeod Link: https://incompetech.filmmusic.io/song/4616-werq License: https://filmmusic.io/standard-license Industrial Cinematic by Kevin MacLeod Link: https://incompetech.filmmusic.io/song/3909-industrial-cinematic License: https://filmmusic.io/standard-license Music Used in this video "NonStop" Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 3.0 License #ssh #openssh #opensshcert