From 6967fe9b4fd06e643124867ab8997bfe612c13c7 Mon Sep 17 00:00:00 2001 From: Niall Sheridan Date: Wed, 20 Apr 2016 12:27:07 +0100 Subject: Update README.md --- README.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'README.md') diff --git a/README.md b/README.md index 42bdb06..41c9497 100644 --- a/README.md +++ b/README.md @@ -36,7 +36,7 @@ The client is configured using command-line flags. The server is configured using a JSON configuration file - [example](exampleconfig.json). For the server you _need_ the following: -- A new ssh private key. Generate one in the usual way using `ssh-keygen -f ssh_ca`. At this time Cashier supports RSA and ECDSA keys +- A new ssh private key. Generate one in the usual way using `ssh-keygen -f ssh_ca` - this is your CA signing key. At this time Cashier supports RSA and ECDSA keys. - Google OAuth credentials which you can generate at the [Google Developers Console](https://console.developers.google.com). You also need to set the callback URL here. @@ -64,5 +64,12 @@ Configuration is divided into three sections: `server`, `auth`, and `ssh`. - `max_age`: string. If set the server will not issue certificates with an expiration value longer than this, regardless of what the client requests. Must be a valid Go [`time.Duration`](https://golang.org/pkg/time/#ParseDuration) string. - `permissions`: array of string. Actions the certificate can perform. See the [`-O` option to `ssh-keygen(1)`](http://man.openbsd.org/OpenBSD-current/man1/ssh-keygen.1) for a complete list. +## Configuring ssh +The client needs no special configuration, just a running ssh-agent. +The ssh server needs to trust the public part of the CA signing key. Add something like the following to your sshd_config: +``` +TrustedUserCAKeys /etc/ssh/ca.pub +``` + Note: Cashier does not implement signing host keys at this time. -- cgit v1.2.3
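Review bot: the reworded "CA signing key" bullet in the first hunk still says nothing about handling the key it tells the reader to create. `ssh-keygen -f ssh_ca` writes the private key to `ssh_ca` and the public half to `ssh_ca.pub`; the README should state that only the private file belongs on the Cashier server, with restrictive file permissions, since anyone holding it can issue certificates for any user, and that the `.pub` file is the piece that later goes into `TrustedUserCAKeys`. It would also help to say plainly that Ed25519 keys are not accepted yet, rather than leaving readers to infer it from "supports RSA and ECDSA keys."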
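Review bot: in the new "Configuring ssh" section, `TrustedUserCAKeys /etc/ssh/ca.pub` uses a different file name from the `ssh_ca` key generated earlier; the text should say that `/etc/ssh/ca.pub` is the public half (`ssh_ca.pub`) copied to each host, and that with this directive alone sshd accepts any certificate the CA signs whose principal list matches the login name. Since Cashier controls what it signs, a sentence on `AuthorizedPrincipalsFile` for hosts that want to restrict which principals may log in to which account would round this out. Style point: the `+## Configuring ssh` line follows the `- permissions:` list item directly; add a blank line so the list is closed before the new heading.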