Trusting the SSH CA
This section describes how hosting entities can configure their systems to trust the SSH CA.
Public keys
The table below gives the values of the public keys of the SSH CAs and the URLs where these can be found.
| SSH CA | Public key URL | Public key |
|---|---|---|
| Production | https://sshca.my-eurohpc.eu/config | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEBSTaZ01FRexeIRcymsWd09r3U7iS4o+Q+QBEPDGZUQ |
| Staging | https://sshca.stg.my-eurohpc.eu/config | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA8FiBTaQFwKUZVl28bgBMsBRt7RZ36yWlDjwLbRO7cO |
The public key URL provides the key using a simple JSON document.
{"PublicKey":"<SSH CA PUBLIC KEY>"}
Obtain the SSH CA public key
The public key can be obtained from the SSH CA configuration URL.
- Download and extract the public key of the staging SSH CA to a file called efp-ssh-ca.pub.
    curl -s https://sshca.stg.my-eurohpc.eu/config | jq -r '.PublicKey' > efp-ssh-ca.pub
- Check the value of the public key in the file.
    cat efp-ssh-ca.pub
- Each line in this file can hold a different trusted public key. When you are ready for production, add the public key of the production SSH CA.
    curl -s https://sshca.my-eurohpc.eu/config | jq -r '.PublicKey' >> efp-ssh-ca.pub
If you operate different systems for testing and production, you may prefer to configure your test and production systems with the Staging and Production SSH CA public keys respectively.
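As an added example (not part of the original page), the shell functions below pin the two key values from the table above and append a downloaded key to the trust file only if it matches the pinned value exactly, so an HTTP error page or the string `null` that `jq -r` prints for a missing field never ends up in efp-ssh-ca.pub. The function names `pinned_key` and `trust_ca_key` are hypothetical.

```shell
#!/bin/sh
# Added example, not the project's own tooling.
# Pinned values copied from the "Public keys" table on this page.
EFP_CA_PROD='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEBSTaZ01FRexeIRcymsWd09r3U7iS4o+Q+QBEPDGZUQ'
EFP_CA_STG='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA8FiBTaQFwKUZVl28bgBMsBRt7RZ36yWlDjwLbRO7cO'

# pinned_key ENV: print the pinned key for "production" or "staging".
pinned_key() {
    case "$1" in
        production) printf '%s\n' "$EFP_CA_PROD" ;;
        staging)    printf '%s\n' "$EFP_CA_STG" ;;
        *)          return 2 ;;
    esac
}

# trust_ca_key ENV CANDIDATE FILE (hypothetical helper)
# Append CANDIDATE to FILE only if it equals the pinned key for ENV.
# Returns 0 if trusted (or already present), 1 on mismatch, 2 on unknown ENV.
trust_ca_key() {
    ca_env=$1
    candidate=$2
    file=$3
    expected=$(pinned_key "$ca_env") || return 2
    if [ "$candidate" != "$expected" ]; then
        echo "refusing: downloaded $ca_env key does not match pinned value" >&2
        return 1
    fi
    # Idempotent: re-running must not add a duplicate line.
    if [ -f "$file" ] && grep -qxF -- "$candidate" "$file"; then
        return 0
    fi
    printf '%s\n' "$candidate" >> "$file"
    chmod 644 "$file"
}

# Typical use (curl -f makes HTTP errors fail instead of returning a body):
#   key=$(curl -fsS https://sshca.stg.my-eurohpc.eu/config | jq -r '.PublicKey')
#   trust_ca_key staging "$key" efp-ssh-ca.pub
```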
Configure sshd
Next, sshd must be configured to trust the public key of the SSH CA(s).
- Copy the file containing the public key to the system’s sshd configuration directory:
    sudo cp efp-ssh-ca.pub /etc/ssh
- Configure sshd to trust the keys in the file:
    echo "TrustedUserCAKeys /etc/ssh/efp-ssh-ca.pub" | sudo tee -a /etc/ssh/sshd_config > /dev/null