Services and applications Using an SSH server
Digi TransPort WR Routers User Guide
Example: Use SSH certificate authentication
This example gives the steps to set up a user called John Smith to log in to a TransPort device from a
Linux host using SSH certificate authentication, that is, an OpenSSH user certificate signed by a
certificate authority (CA) key. His Linux username is jsmith and the username on the TransPort device
will be john.
This example uses ssh-keygen to create and sign keys and certificates and was created on an Ubuntu
Linux host using OpenSSH 6.6.1p1.
Note This example creates a CA private and public RSA key pair. If you already have an SSH CA
administrator who can sign SSH keys, you do not need to generate your own CA key pair; instead, have
the CA administrator sign the user key in step 2.
On the Linux host
1. Create a CA private and public RSA key pair in the .ssh directory. You will be prompted for a
passphrase. To prevent unauthorized use of the CA key, Digi recommends you configure a
passphrase for the key.
jsmith@ubuntu:~$ ssh-keygen -t rsa -f ~/.ssh/ca_user_key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in .ssh/ca_user_key.
Your public key has been saved in .ssh/ca_user_key.pub.
The key fingerprint is:
2048 47:f0:5f:62:0f:c2:3f:d3:89:a7:65:8d:f3:58:74:49 jsmith@ubuntu (RSA)
The key's randomart image is:
+--[ RSA 2048]----+
| . E |
| + . .|
| = + ..o|
| . = B =.|
| S . * X o|
| . B = |
| . . .|
| |
| |
+-----------------+
jsmith@ubuntu:~$
2. Using the CA private key, sign John's public user key, id_rsa.pub, in the .ssh directory (it was
created there when his SSH key pair was generated). This writes a certificate file called
id_rsa-cert.pub next to it. The -I option sets a key identity that appears in log messages, -V sets
the validity period (here 52 weeks), and -n sets the certificate's principals. You must pass the
TransPort device username (john, not the Linux username jsmith) to the ssh-keygen tool using the
-n <principals> option.
jsmith@ubuntu:~$ ssh-keygen -s ~/.ssh/ca_user_key -I jsmith -n john -V +52w .ssh/id_rsa.pub
Enter passphrase:
Signed user key .ssh/id_rsa-cert.pub: id "jsmith" serial 0 for john valid from 2018-03-19T14:41:00 to 2019-03-18T14:42:20
jsmith@ubuntu:~$
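The file written in step 2 is an OpenSSH certificate, and the two fields that decide whether the device will accept a login are the ones the -n and -V options fill in: the principal list and the validity window. The following Python script is an added example, not part of the Digi guide or of OpenSSH. It builds a certificate in the same wire format (OpenSSH's PROTOCOL.certkeys, type ssh-rsa-cert-v01@openssh.com) with placeholder RSA values and a dummy signature, parses it back the way a server does before signature verification, and applies the principal and validity check. The functions build_user_cert, parse_user_cert, authorizes and ts, the placeholder key material and the constructed sample are this example's own, and the signature is not verified.

```python
"""Decode an OpenSSH user certificate (what `ssh-keygen -s` writes to id_rsa-cert.pub)
and apply the checks a server makes before verifying the CA signature: user cert,
login name listed as a principal (-n), clock inside the validity window (-V).

Added example, not from the Digi guide or OpenSSH. The sample certificate is
CONSTRUCTED with placeholder RSA values and a dummy signature (layout per OpenSSH
PROTOCOL.certkeys, ssh-rsa-cert-v01@openssh.com); the signature is not verified.
"""
import base64
import struct
from datetime import datetime, timezone

CERT_TYPE = b"ssh-rsa-cert-v01@openssh.com"
USER_CERT = 1  # type 2 would be a host certificate

def _string(b):  # RFC 4251 string: uint32 length + bytes
    return struct.pack(">I", len(b)) + b

def _mpint(n):  # RFC 4251 mpint: big-endian, the extra 0x00 keeps the sign bit clear
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

class Reader:
    """Sequential decoder for the same wire format; refuses to read past the end."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def _take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated certificate")
        chunk, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        return chunk

    def u32(self):
        return struct.unpack(">I", self._take(4))[0]

    def u64(self):
        return struct.unpack(">Q", self._take(8))[0]

    def string(self):
        return self._take(self.u32())

    def done(self):
        return self.pos == len(self.data)

def ts(iso):
    """'YYYY-MM-DDTHH:MM:SS' (taken as UTC) -> POSIX seconds, the guide's ssh-keygen output format."""
    return int(datetime.strptime(iso, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc).timestamp())

def build_user_cert(key_id, principals, valid_after, valid_before, serial=0):
    """One id_rsa-cert.pub style line: key_id is ssh-keygen's -I value, principals
    its -n list, valid_after/valid_before its -V window (POSIX seconds)."""
    blob = (
        _string(CERT_TYPE)
        + _string(b"\x00" * 32)                  # nonce: 32 random bytes in a real cert
        + _mpint(65537) + _mpint(0xC0FFEE)       # placeholder e, n of the USER's public key
        + struct.pack(">Q", serial) + struct.pack(">I", USER_CERT)
        + _string(key_id.encode())
        + _string(b"".join(_string(p.encode()) for p in principals))
        + struct.pack(">Q", valid_after) + struct.pack(">Q", valid_before)
        + _string(b"")                            # critical options: none
        + _string(b"")                            # extensions: a real cert carries permit-pty etc.
        + _string(b"")                            # reserved
        + _string(b"placeholder-ca-public-key")   # CA public key blob (the key the device must trust)
        + _string(b"placeholder-signature")       # CA signature over everything above
    )
    return f"{CERT_TYPE.decode()} {base64.b64encode(blob).decode()} jsmith@ubuntu"

def parse_user_cert(line):
    """Parse an ssh-rsa-cert-v01 line into the fields that drive authorization."""
    kind, b64 = line.split()[:2]
    if kind.encode() != CERT_TYPE:
        raise ValueError(f"not an RSA user certificate: {kind}")
    r = Reader(base64.b64decode(b64))
    if r.string() != CERT_TYPE:
        raise ValueError("blob type does not match the line prefix")
    r.string()                          # nonce
    r.string(); r.string()              # e, n of the user's key (irrelevant to the policy check)
    serial, cert_type = r.u64(), r.u32()
    key_id = r.string().decode()
    pr, principals = Reader(r.string()), []
    while not pr.done():
        principals.append(pr.string().decode())
    valid_after, valid_before = r.u64(), r.u64()
    r.string(); r.string(); r.string()  # critical options, extensions, reserved
    r.string(); r.string()              # CA key and signature: verified by the device, not here
    if not r.done():
        raise ValueError("trailing bytes after signature")
    return {"serial": serial, "type": cert_type, "key_id": key_id, "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}

def authorizes(cert, login_user, now):
    """Server-side policy: user cert, login name among the principals, clock in window."""
    return (cert["type"] == USER_CERT and login_user in cert["principals"]
            and cert["valid_after"] <= now < cert["valid_before"])

if __name__ == "__main__":
    cert = parse_user_cert(build_user_cert("jsmith", ["john"], ts("2018-03-19T14:41:00"), ts("2019-03-18T14:42:20")))
    print(cert)
    print("john  :", authorizes(cert, "john", ts("2018-06-01T00:00:00")))    # device username is a principal
    print("jsmith:", authorizes(cert, "jsmith", ts("2018-06-01T00:00:00")))  # Linux name was never passed to -n
```

On a real certificate, `ssh-keygen -L -f ~/.ssh/id_rsa-cert.pub` prints the same fields (Key ID, Serial, Principals, Valid), and parse_user_cert accepts that file's single line as input for RSA certificates. The check that matters for the TransPort device is that Principals contains the device username (john); a certificate signed without -n, or with the Linux username jsmith, parses fine but fails the authorization check.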