| |
@@ -750,7 +750,7 @@
|
| |
~]#{nbsp}systemctl restart sshd.service
|
| |
----
|
| |
|
| |
- . On user's systems. remove keys belonging to hosts from the `~/.ssh/known_hosts` file if the user has previously logged into the host configured above. When a user logs into the host they should no longer be presented with the warning about the hosts authenticity.
|
| |
+ . On user's systems, remove keys belonging to hosts from the `~/.ssh/known_hosts` file if the user has previously logged into the host configured above. When a user logs into the host they should no longer be presented with the warning about the hosts authenticity.
|
| |
|
| |
To test the host certificate, on a client system, ensure the client has set up the global `/etc/ssh/known_hosts` file, as described in xref:proc-Trusting_the_Host_Signing_Key[Trusting the Host Signing Key], and that the server's public key is not in the `~/.ssh/known_hosts` file. Then attempt to log into the server over SSH as a remote user. You should not see a warning about the authenticity of the host. If required, add the [option]`-v` option to the SSH command to see logging information.
|
| |
|
| |
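Review bot: The changed step still has two apostrophe errors on the same line: "On user's systems" should read "On users' systems", and "the hosts authenticity" should read "the host's authenticity". Since this line is already being touched for the comma, fix all three in one pass. It would also help to name how the stale entries are removed, since the step only says to remove keys from `~/.ssh/known_hosts` and the test paragraph below depends on the server's public key being absent from that file.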
@@ -784,7 +784,7 @@
|
| |
@cert-authority principals="name1,name2" *.example.com ssh-rsa pass:quotes[_AAAAB5Wm._]
|
| |
----
|
| |
|
| |
- * On the server, create an `AuthorizedPrincipalsFile` file, either per user or glabally, and add the principles' names to the file for those users allowed to log in. Then in the `/etc/ssh/sshd_config` file, specify the file using the [command]#AuthorizedPrincipalsFile# directive.
|
| |
+ * On the server, create an `AuthorizedPrincipalsFile` file, either per user or globally, and add the principles' names to the file for those users allowed to log in. Then in the `/etc/ssh/sshd_config` file, specify the file using the [command]#AuthorizedPrincipalsFile# directive.
|
| |
|
| |
[[proc-Generating_a_User_Certificate]]
|
| |
.Generating a User Certificate
|
| |
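Review bot: The corrected bullet still says "principles' names", which should be "principals' names" to match the `AuthorizedPrincipalsFile` directive on the same line and the `principals="name1,name2"` option in the context line above. The mismatch matters here because readers will search for the term used by the directive. Suggest changing it in this commit along with "globally".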
@@ -964,7 +964,7 @@
|
| |
permit-user-rc
|
| |
----
|
| |
|
| |
- To vew a host certificate:
|
| |
+ To view a host certificate:
|
| |
|
| |
----
|
| |
~]# ssh-keygen -L -f /etc/ssh/ssh_host_rsa_key-cert.pub
|
| |
@@ -984,7 +984,7 @@
|
| |
[[sec-Revoking_an_SSH_CA_Certificate]]
|
| |
=== Revoking an SSH CA Certificate
|
| |
|
| |
- If a certificate is stolen, it should be revoked. Although OpenSSH does not provide a mechanism to distribute the revocation list it is still easier to create the revocation list and distribute it by other means then to change the CA keys and all host and user certificates previously created and distributed.
|
| |
+ If a certificate is stolen, it should be revoked. Although OpenSSH does not provide a mechanism to distribute the revocation list it is still easier to create the revocation list and distribute it by other means than to change the CA keys and all host and user certificates previously created and distributed.
|
| |
|
| |
Keys can be revoked by adding them to the `revoked_keys` file and specifying the file name in the `sshd_config` file as follows:
|
| |
|
| |
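Review bot: The first sentence of the changed paragraph, "If a certificate is stolen, it should be revoked", is imprecise, because a certificate is public material and the event that calls for revocation is compromise of the matching private key. The following context line already speaks of keys ("Keys can be revoked by adding them to the `revoked_keys` file"), so the two sentences use different terms for the same thing. Suggest rewording to something like "If the private key belonging to a certificate is stolen, the certificate should be revoked". The sentence fixed here also needs a comma after "revocation list" in "to distribute the revocation list it is still easier".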