Hi; I am attempting to follow the tutorial posted here as a guide.
I’ve created three LXC machines to practice with: ssh-ca, ssh-server, and ssh-client.
On ssh-ca I self-signed the “ssh_host_ed25519_key” yielding “ssh_host_ed25519_key-cert.pub”.
I transferred the ssh-server “ssh_host_ed25519_key.pub” to the ssh-ca machine as “server.pub”, signed it with the ssh-ca’s “ssh_host_ed25519_key” yielding “server-cert.pub”, and transferred this back to ssh-server as “ssh_host_ed25519_key-cert.pub”. I edited ssh-server’s “sshd_config” to add HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub and restarted the ssh-server sshd daemon (service ssh restart).
I transferred the ssh-ca “ssh_host_ed25519_key-cert.pub” to ssh-client and stuck it in ~/.ssh/known_hosts file as (roughly)
@cert-authority * email@example.com AAAAIHN ... QFRDQ== root@trusty-builds
However, attempting to log in from ssh-client to ssh-server (abbreviated ssh -v output):
debug1: Server host key: ED25519-CERT 85:46:34:5f:93:4c:d0:f5:c3:a4:14:87:38:b9:41:7d debug1: ssh_ed25519_verify: signature correct debug1: No matching CA found. Retry with plain key The authenticity of host '10.0.1.222 (10.0.1.222)' can't be established. ED25519 key fingerprint is 85:46:34:5f:93:4c:d0:f5:c3:a4:14:87:38:b9:41:7d. Are you sure you want to continue connecting (yes/no)?
What am I doing wrong? Is * a valid hostname wildcard? Is it possible I messed up one of my signing commands? How could I verify that the ssh-server cert is signed by the ssh-ca key?
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.