SSH Configuration

OpenSSH Certificate Authority

Public key:

ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAF8/jeEOQHE2Ui3c7VwxgHg6hGC1NaNsbqzT1N6PMwITYhHScukm60GE8T5d8UEjOKR0I5/FFqgXFIWDKXCHuOg+AH/eaAfkWNazqthBtZnlrQcA5qDsuZaUjZ4VkZlRi/ltAuvpRyvfrz8Q7IeZtq2bSpTZWcANlV3q0bO8CWdMNiuiA== ACSA CA

Quick server install

curl -fsSLo /etc/ssh/ssh_user_ca https://docs.acsalab.com/assets/ssh-ca
echo "TrustedUserCAKeys /etc/ssh/ssh_user_ca" >> /etc/ssh/sshd_config.d/acsa.conf
sshd -t && systemctl reload ssh.service

Before reloading, check that the downloaded file really is the key shown above (compare the line itself, or compare the fingerprint printed by ssh-keygen -lf /etc/ssh/ssh_user_ca with the fingerprint of the key above), and that /etc/ssh/sshd_config contains an Include for /etc/ssh/sshd_config.d/*.conf, otherwise the drop-in file is never read. sshd -t validates the configuration first, so a typo in the drop-in does not leave the daemon running on a configuration it can no longer reload. The unit is named ssh.service on Debian and Ubuntu; most other distributions call it sshd.service.

With TrustedUserCAKeys in place, sshd accepts any user certificate signed by this CA, and the holder can log in only as the local accounts listed in the certificate's principals.

Trust all ACSA servers

Add the following line to your known_hosts file:

~/.ssh/known_hosts
@cert-authority * ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAF8/jeEOQHE2Ui3c7VwxgHg6hGC1NaNsbqzT1N6PMwITYhHScukm60GE8T5d8UEjOKR0I5/FFqgXFIWDKXCHuOg+AH/eaAfkWNazqthBtZnlrQcA5qDsuZaUjZ4VkZlRi/ltAuvpRyvfrz8Q7IeZtq2bSpTZWcANlV3q0bO8CWdMNiuiA== ACSA CA

With this line, ssh accepts any host key that presents a certificate signed by this CA, so the host-key prompts for ACSA servers disappear. The * host pattern makes the CA authoritative for every host you connect to; if you want the trust limited to ACSA servers, replace * with a pattern that matches only their host names. Plain, uncertified host keys are still checked against known_hosts as before.

Signing certificates

Please refer to LUG @ USTC Documentation and iBug's blog for details.
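The whole flow from the three sections above, as an added example that is not code from this page or from the LUG @ USTC and iBug pages it points to: build a throwaway CA in a temporary directory, sign one host certificate and one user certificate, write the TrustedUserCAKeys drop-in and the @cert-authority line for it, and read the certificates back with ssh-keygen -L. The CA comment, the host name, the principal name and the validity periods are illustrative assumptions; the real ACSA CA key is not reproduced.

```sh
#!/bin/sh
# Added example (not the ACSA docs' own code): throwaway OpenSSH CA, one host
# certificate, one user certificate, and the two trust artefacts the page
# installs. Names and validity periods below are illustrative assumptions.
set -eu

have_ssh_keygen() { command -v ssh-keygen >/dev/null 2>&1; }

# Generate the CA key pair and the two trust artefacts; prints the work dir.
make_ca() {
    dir=$(mktemp -d)
    ssh-keygen -q -t ecdsa -b 521 -N '' -C 'Example CA' -f "$dir/ca"
    # Server side: TrustedUserCAKeys points at a file holding the CA public key.
    cp "$dir/ca.pub" "$dir/ssh_user_ca"
    printf 'TrustedUserCAKeys %s/ssh_user_ca\n' "$dir" >"$dir/sshd_config.d_ca.conf"
    # Client side: one known_hosts line that trusts host certificates from this CA.
    printf '@cert-authority * %s\n' "$(cat "$dir/ca.pub")" >"$dir/known_hosts"
    echo "$dir"
}

# Sign a host key: -h makes a host certificate, -n lists the names it is valid
# for, -I is the identity shown in logs, -V the validity window (the start is
# backdated 5 minutes so a slightly slow client clock still accepts it).
sign_host() {
    dir=$1; name=$2
    ssh-keygen -q -t ed25519 -N '' -f "$dir/host_key"
    ssh-keygen -q -s "$dir/ca" -I "host:$name" -h -n "$name" \
        -V -5m:+52w "$dir/host_key.pub"      # writes host_key-cert.pub
}

# Sign a user key: the principal must equal the Unix account the user logs in
# as (sshd enforces this under TrustedUserCAKeys when no AuthorizedPrincipalsFile
# is set). -O clear drops the default extensions; only permit-pty is re-added.
sign_user() {
    dir=$1; principal=$2
    ssh-keygen -q -t ed25519 -N '' -f "$dir/user_key"
    ssh-keygen -q -s "$dir/ca" -I "user:$principal" -n "$principal" \
        -V +8h -O clear -O permit-pty "$dir/user_key.pub"   # writes user_key-cert.pub
}

# Fields read back from 'ssh-keygen -L', so a certificate can be checked offline.
cert_kind()       { ssh-keygen -L -f "$1" | awk '/^[ \t]*Type:/ {print $3; exit}'; }
cert_principals() {
    ssh-keygen -L -f "$1" |
        awk '/^[ \t]*Principals:/ {f=1; next} f && /:/ {exit} f {sub(/^[ \t]+/, ""); print}'
}
signing_ca_fp()   { ssh-keygen -L -f "$1" | awk '/Signing CA:/ {print $4; exit}'; }
# Fingerprint of a public key file: the value to compare with the published key
# after downloading /etc/ssh/ssh_user_ca.
key_fp()          { ssh-keygen -lf "$1" | awk '{print $2}'; }

demo() {
    have_ssh_keygen || { echo "ssh-keygen not installed" >&2; return 1; }
    dir=$(make_ca)
    sign_host "$dir" node1.example.internal
    sign_user "$dir" alice
    for cert in "$dir/host_key-cert.pub" "$dir/user_key-cert.pub"; do
        printf '%s certificate for %s signed by %s\n' "$(cert_kind "$cert")" \
            "$(cert_principals "$cert" | tr '\n' ' ')" "$(signing_ca_fp "$cert")"
    done
    echo "CA fingerprint: $(key_fp "$dir/ca.pub")"
    echo "client line:    $(cat "$dir/known_hosts")"
    echo "server line:    $(cat "$dir/sshd_config.d_ca.conf")"
}

if [ "${1:-}" = run ]; then demo; fi
```

Run it with sh ssh_ca_demo.sh run. The Signing CA fingerprint that ssh-keygen -L prints inside each certificate must equal the fingerprint of the CA public key; that equality is exactly what a server holding TrustedUserCAKeys, or a client holding the @cert-authority line, relies on, so comparing the two is a quick sanity check that a certificate was issued by the CA you installed.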

Access control

To restrict SSH access to certain people, configure the server with AllowUsers or AllowGroups (recommended). As soon as either directive is set, only the users or groups it lists may log in and everyone else is refused, so this is essentially whitelisting.

When using AllowGroups, make sure to include root and sudo so that the root user and system managers (sudoers) can always log in; a group list that omits them locks the administrators out of the machine. sudo is the administrators' group on Debian and Ubuntu; on distributions that use wheel, list that group instead. For example:

/etc/ssh/sshd_config.d/acsa.conf
AllowGroups root sudo staff

User-group membership is configured in LDAP. Before relying on an LDAP group in AllowGroups, confirm on the server that NSS resolves it (id -nG <user>, or getent group staff): sshd only sees the groups the system reports for the account, so a membership that exists in LDAP but is not resolved locally does not grant access.

Similarly, blacklisting may be achieved with DenyUsers and DenyGroups. The directives are processed in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups, and a login must pass every one that is set, so a Deny* match always wins over an Allow* match.
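The evaluation order described above, replayed as an added example that is not part of the original page: the script applies DenyUsers, AllowUsers, DenyGroups and AllowGroups in sshd's order to constructed configuration files, users and group lists, and shows the weak AllowGroups line (root and sudoers locked out) beside the recommended one. The user and group names are invented; patterns get sshd's * and ? wildcards through the shell's own case matching, while the user@host form, ! negation and comma-separated lists are not handled.

```sh
#!/bin/sh
# Added example (not the ACSA docs' own code): replay sshd's user/group access
# checks in the order sshd applies them (DenyUsers, AllowUsers, DenyGroups,
# AllowGroups) against constructed configs, users and group lists.
set -euf   # -f keeps '*' in patterns from expanding to file names

# Collect the values of directive $2 from config file $1 (case-insensitive).
directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == key { for (i = 2; i <= NF; i++) printf "%s ", $i } END { print "" }' "$1"
}

# Succeed if word $1 matches any of the glob patterns $2..; fail otherwise.
matches_any() {
    word=$1; shift
    for pat in "$@"; do
        case "$word" in $pat) return 0 ;; esac   # unquoted $pat is a glob
    done
    return 1
}

# Decide whether user $2, a member of groups $3.., may log in under config $1.
# Prints "allow" or "deny: reason"; exit status 0 = allow, 1 = deny.
sshd_decision() {
    conf=$1; user=$2; shift 2
    if matches_any "$user" $(directive "$conf" DenyUsers); then
        echo "deny: $user is listed in DenyUsers"; return 1
    fi
    allow_users=$(directive "$conf" AllowUsers)
    if [ -n "$allow_users" ] && ! matches_any "$user" $allow_users; then
        echo "deny: AllowUsers is set and $user is not listed"; return 1
    fi
    deny_groups=$(directive "$conf" DenyGroups)
    allow_groups=$(directive "$conf" AllowGroups)
    for g in "$@"; do
        if matches_any "$g" $deny_groups; then
            echo "deny: group $g is listed in DenyGroups"; return 1
        fi
    done
    if [ -n "$allow_groups" ]; then
        for g in "$@"; do
            if matches_any "$g" $allow_groups; then echo allow; return 0; fi
        done
        echo "deny: AllowGroups is set and none of [$*] is listed"; return 1
    fi
    echo allow
}

# On a real server, take the group list from NSS (where LDAP membership shows
# up), e.g.: sshd_decision_for /etc/ssh/sshd_config.d/acsa.conf alice
sshd_decision_for() { sshd_decision "$1" "$2" $(id -nG "$2"); }

demo() {
    dir=$(mktemp -d)
    # Weak: only staff may log in, so root and the sudoers are locked out.
    printf 'AllowGroups staff\n' >"$dir/weak.conf"
    # As the page recommends: root and sudo are always listed; a DenyGroups
    # match still wins even for a member of an allowed group.
    printf 'AllowGroups root sudo staff\nDenyGroups contractors\n' >"$dir/good.conf"
    for conf in weak good; do
        echo "== $conf.conf"
        printf 'root  (root):              %s\n' "$(sshd_decision "$dir/$conf.conf" root root || true)"
        printf 'alice (staff):             %s\n' "$(sshd_decision "$dir/$conf.conf" alice staff || true)"
        printf 'bob   (sudo):              %s\n' "$(sshd_decision "$dir/$conf.conf" bob sudo || true)"
        printf 'carol (staff,contractors): %s\n' "$(sshd_decision "$dir/$conf.conf" carol staff contractors || true)"
    done
}

if [ "${1:-}" = run ]; then demo; fi
```

Run it with sh sshd_access_demo.sh run. Under weak.conf root and bob are denied because AllowGroups lists neither root nor sudo; under good.conf they are allowed, while carol is still denied because the DenyGroups check runs before AllowGroups is consulted and is never overridden by it.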