General Discussion / SSH certificates
« on: December 07, 2023, 07:22:52 pm »
I'd like to migrate from existing static ssh rsa keys to ssh certificates, ideally with both user and host certificate validation. To do this on other unix-like hosts I add a few lines to sshd_config:
Code:
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
TrustedUserCAKeys /etc/ssh/user_ca.key.pub
RevokedKeys /etc/ssh/revocation_list.krl
And then create the three files and restart sshd.
I'm coming from pfsense where there's an /etc/sshd_extra file that makes this easy enough. I'm unable to find a comparable file in OPNsense. I see that /usr/local/etc/ssh/sshd_config is generated by /usr/local/etc/inc/plugins.inc.d/openssh.inc and assume that I could modify openssh.inc, but risk having my changes broken by upgrades. What's the right way to add some sshd config elements? And should the certificates and revocation list be stored in /etc/ssh or /usr/local/etc/ssh?
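As an added example (not from the post, nor OPNsense's or pfSense's own tooling), the script below produces the three files those directives point at in a scratch directory and checks them with ssh-keygen: a host certificate, the user CA public key for TrustedUserCAKeys, and a KRL for RevokedKeys. The hostnames, key IDs, principals and validity windows are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: build host cert, user CA key and KRL in a scratch directory.
# All names/paths below are constructed for the demo, not OPNsense defaults.
set -eu

setup_ssh_ca() {
  work="$1"            # scratch directory (constructed)
  mkdir -p "$work"
  ( cd "$work"
    # 1. Separate CAs for hosts and users; a host-CA compromise then cannot mint user certs.
    ssh-keygen -q -t ed25519 -N '' -C 'host-ca' -f host_ca
    ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f user_ca

    # 2. Host key signed as a host certificate (-h) for the firewall's names (assumed).
    ssh-keygen -q -t ed25519 -N '' -f ssh_host_ed25519_key
    ssh-keygen -q -s host_ca -I 'fw1-host' -h -n 'fw1.example.internal,192.0.2.1' \
      -V '-1m:+52w' ssh_host_ed25519_key.pub   # writes ssh_host_ed25519_key-cert.pub

    # 3. User key signed by the user CA with explicit principals and a one-day validity.
    ssh-keygen -q -t ed25519 -N '' -f alice
    ssh-keygen -q -s user_ca -I 'alice@laptop' -n 'root,alice' -V '-1m:+1d' alice.pub

    # 4. A second user key that we revoke; sshd refuses it via RevokedKeys.
    ssh-keygen -q -t ed25519 -N '' -f mallory
    ssh-keygen -q -k -f revocation_list.krl mallory.pub

    # Files to ship to the server, named as in the post's sshd_config lines:
    #   ssh_host_ed25519_key-cert.pub -> HostCertificate
    #   user_ca.key.pub               -> TrustedUserCAKeys
    #   revocation_list.krl           -> RevokedKeys
    cp user_ca.pub user_ca.key.pub )
}

# Print "host" or "user" for a certificate file, taken from ssh-keygen -L output.
cert_type() {
  ssh-keygen -L -f "$1" | awk '/Type:/ { print $(NF-1) }'
}

# Print the Key ID embedded in a certificate (what sshd logs on login).
cert_key_id() {
  ssh-keygen -L -f "$1" | sed -n 's/.*Key ID: "\(.*\)"/\1/p'
}

# Return 0 if the public key in $2 is revoked by the KRL in $1, 1 otherwise.
# ssh-keygen -Q exits non-zero when any listed key is revoked.
is_revoked() {
  ! ssh-keygen -Q -f "$1" "$2" >/dev/null 2>&1
}
```

Before restarting sshd, `sshd -t` with the edited config catches a mislocated or unreadable file, which otherwise locks you out of the firewall.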