tyla@e32:~$ mkdir ca
tyla@e32:~$ cd ca
tyla@e32:~/ca$ ssh-keygen -t rsa -f ca_key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ca_key
Your public key has been saved in ca_key.pub
The key fingerprint is:
SHA256:Pt2Cios3FkNLU770czquXMVk99Fu2ksJwr8IIPRVJNc tyla@e32
The key's randomart image is:
+---[RSA 3072]----+
| ..+. |
| . + E . |
| + .o . . .|
| = + .+.. . o |
| o = =S oo .. o|
| + o.++..o .+.|
| o ==o ...o.|
| .+o oo.... o .|
| .ooo+o.. . . . |
+----[SHA256]-----+
tyla@e32:~/ca$ ll
total 16
drwxrwxr-x 2 tyla tyla 4096 Oct 7 17:41 ./
drwxr-x--- 47 tyla tyla 4096 Oct 7 17:40 ../
-rw------- 1 tyla tyla 2590 Oct 7 17:41 ca_key
-rw-r--r-- 1 tyla tyla 562 Oct 7 17:41 ca_key.pub
ca_key အဆင်သင့်ဖြစ်ပြီဆိုတာနဲ့ ca_key.pub public key file ကို server ရဲ့ /etc/ssh/ directory မှာသွားထည့်ပေးပြီး၊ /etc/ssh/sshd_config file ထဲမှာ TrustedUserCAKeys /etc/ssh/ca_key.pub ဆိုတဲ့ဟာနောက်ဆုံးမှာသွားထည့်ပေးလိုက်ပါ။ sshd က config file ကို start လုပ်တဲ့အချိန်မှာပဲ ဖတ်တာဖြစ်လို့ sshd_config ကို ပြင်ပြီးတဲ့နောက် sshd -t နဲ့ config syntax ကို အရင်စစ်ပြီး sshd service ကို reload (သို့မဟုတ် restart) လုပ်ပေးမှ အသစ်ထည့်လိုက်တဲ့ TrustedUserCAKeys setting က အလုပ်လုပ်ပါလိမ့်မယ်။
tyla@e32:~/ca$ scp ca_key.pub ubuntu@10.93.72.126:
The authenticity of host '10.93.72.126 (10.93.72.126)' can't be established.
ED25519 key fingerprint is SHA256:22zfeaYsF1TN9/zLvnxzF/niHzAe/sxb8R+pRt0cn+M.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.93.72.126' (ED25519) to the list of known hosts.
ca_key.pub 100% 562 1.3MB/s 00:00
tyla@e32:~/ca$ lxc exec server bash
root@server:~# cp /home/ubuntu/ca_key.pub /etc/ssh/
root@server:~# cd /etc/ssh
root@server:/etc/ssh# ll
total 56
drwxr-xr-x 4 root root 15 Oct 7 06:53 ./
drwxr-xr-x 88 root root 176 Oct 7 06:36 ../
-rw-r--r-- 1 root root 562 Oct 7 06:53 ca_key.pub
-rw-r--r-- 1 root root 505426 Jun 26 13:11 moduli
-rw-r--r-- 1 root root 1650 Jun 26 13:11 ssh_config
drwxr-xr-x 2 root root 2 Jun 26 13:11 ssh_config.d/
-rw------- 1 root root 505 Oct 7 06:35 ssh_host_ecdsa_key
-rw-r--r-- 1 root root 173 Oct 7 06:35 ssh_host_ecdsa_key.pub
-rw------- 1 root root 399 Oct 7 06:35 ssh_host_ed25519_key
-rw-r--r-- 1 root root 93 Oct 7 06:35 ssh_host_ed25519_key.pub
-rw------- 1 root root 2590 Oct 7 06:35 ssh_host_rsa_key
-rw-r--r-- 1 root root 565 Oct 7 06:35 ssh_host_rsa_key.pub
-rw-r--r-- 1 root root 342 Dec 7 2020 ssh_import_id
-rw-r--r-- 1 root root 3254 Jun 26 13:11 sshd_config
drwxr-xr-x 2 root root 3 Oct 2 14:33 sshd_config.d/
root@server:/etc/ssh# echo "TrustedUserCAKeys /etc/ssh/ca_key.pub" >> sshd_config
tyla@e32:~/ca$ ssh ubuntu@10.93.72.162
The authenticity of host '10.93.72.162 (10.93.72.162)' can't be established.
ED25519 key fingerprint is SHA256:AIOkykOtO/XyKsnw5XpU8o+rXCNqlkbtJ3yXusBeCcQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.93.72.162' (ED25519) to the list of known hosts.
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 6.8.0-45-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Mon Oct 7 07:20:12 UTC 2024
System load: 2.06
Usage of /home: unknown
Memory usage: 0%
Swap usage: 0%
Temperature: 37.0 C
Processes: 26
Users logged in: 0
IPv4 address for eth0: 10.93.72.162
IPv6 address for eth0: fd42:1162:4742:8be6:216:3eff:fef9:3b76
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
ubuntu@client:~$ vi .ssh/known_hosts
@cert-authority * ssh-rsa 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 tyla@e32
ubuntu@client:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ubuntu/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/ubuntu/.ssh/id_rsa
Your public key has been saved in /home/ubuntu/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:ZaRDoGIN0QGgW8YVswkGausUTo3XdEtpn+m/kSWWCpg ubuntu@client
The key's randomart image is:
+---[RSA 3072]----+
|oo*+=+.+o . |
|ooo=+=o+.o |
|o=*o=...+ = |
|+=+. o B . |
|.+ E .S + . |
|o ..o + |
| . ..o |
| .. |
| .. |
+----[SHA256]-----+
ubuntu@client:~$
logout
Connection to 10.93.72.162 closed.
tyla@e32:~/ca$ scp ubuntu@10.93.72.162:.ssh/id_rsa.pub .
id_rsa.pub 100% 567 1.2MB/s 00:00
tyla@e32:~/ca$ ll
total 28
drwxrwxr-x 2 tyla tyla 4096 Oct 7 18:27 ./
drwxr-x--- 47 tyla tyla 4096 Oct 7 18:06 ../
-rw------- 1 tyla tyla 2590 Oct 7 17:41 ca_key
-rw-r--r-- 1 tyla tyla 562 Oct 7 17:41 ca_key.pub
-rw-r--r-- 1 tyla tyla 567 Oct 7 18:27 id_rsa.pub
-rw-r--r-- 1 tyla tyla 1822 Oct 7 18:04 ssh_host_rsa_key-cert.pub
-rw-r--r-- 1 tyla tyla 565 Oct 7 17:47 ssh_host_rsa_key.pub
tyla@e32:~/ca$ ssh-keygen -s ca_key -I Client -n ubuntu -V +52w id_rsa.pub
Signed user key id_rsa-cert.pub: id "Client" serial 0 for ubuntu valid from 2024-10-07T18:27:00 to 2025-10-06T18:28:08
tyla@e32:~/ca$ ll
total 32
drwxrwxr-x 2 tyla tyla 4096 Oct 7 18:28 ./
drwxr-x--- 47 tyla tyla 4096 Oct 7 18:06 ../
-rw------- 1 tyla tyla 2590 Oct 7 17:41 ca_key
-rw-r--r-- 1 tyla tyla 562 Oct 7 17:41 ca_key.pub
-rw-r--r-- 1 tyla tyla 2016 Oct 7 18:28 id_rsa-cert.pub
-rw-r--r-- 1 tyla tyla 567 Oct 7 18:27 id_rsa.pub
-rw-r--r-- 1 tyla tyla 1822 Oct 7 18:04 ssh_host_rsa_key-cert.pub
-rw-r--r-- 1 tyla tyla 565 Oct 7 17:47 ssh_host_rsa_key.pub
tyla@e32:~/ca$ scp id_rsa-cert.pub ubuntu@10.93.72.162:.ssh/
id_rsa-cert.pub 100% 2016 6.0MB/s 00:00
အခုဆိုရင်တော့ client ကနေ server ထဲကို SSH နဲ့ certificate based authentication လုပ်ဖို့အတွက် အဆင်သင့်ဖြစ်ပါပြီ။ စမ်းကြည့်လိုက်ရအောင်။
tyla@e32:~/ca$ ssh ubuntu@10.93.72.162
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 6.8.0-45-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Mon Oct 7 07:29:15 UTC 2024
System load: 1.08
Usage of /home: unknown
Memory usage: 0%
Swap usage: 0%
Temperature: 40.0 C
Processes: 26
Users logged in: 0
IPv4 address for eth0: 10.93.72.162
IPv6 address for eth0: fd42:1162:4742:8be6:216:3eff:fef9:3b76
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
New release '24.04.1 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Mon Oct 7 07:20:13 2024 from 10.93.72.1
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
ubuntu@client:~$ ssh ubuntu@10.93.72.126
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 6.8.0-45-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Mon Oct 7 07:31:09 UTC 2024
System load: 1.27
Usage of /home: unknown
Memory usage: 0%
Swap usage: 0%
Temperature: 39.0 C
Processes: 26
Users logged in: 0
IPv4 address for eth0: 10.93.72.126
IPv6 address for eth0: fd42:1162:4742:8be6:216:3eff:fea1:d898
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
New release '24.04.1 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
ubuntu@server:~$
အထက်မှာမြင်ရတဲ့အတိုင်းပဲ client machine ကနေ remote server ထဲကို SSH certificate based authentication နဲ့ အောင်မြင်စွာဝင်လိုက်နိုင်ပါပြီ။ ဟုတ်ပြီ... နောက်တဆင့်အနေနဲ့ ပိုပြီး စိတ်ဝင်စားဖို့ကောင်းသွားအောင် နောက်ထပ် server တခုကိုအခုလက်ရှိ lab ထဲမှာထည့်တဲ့ လုပ်ငန်းစဉ်ကိုလေ့လာကြည့်ရအောင်။
Server တခုထပ်ပေါင်းထည့်ခြင်း လုပ်ငန်းစဉ်
နောက်ထပ်ပေါင်းထည့်မယ့် server ကိုတော့ server1 လို့ပဲအလွယ်ခေါ်လိုက်ရအောင်။ LXC container တခုကိုအောက်မှာ ဖော်ပြထားတဲ့အတိုင်း အရင်ဖန်တီးပေးလိုက်ပါ။