For purposes of this question, consider a LAN with 7 computers: 3 client machines, 3 server machines, 1 CA machine, and 3 users who might use any of the client machines to ssh to any of the server machines. (And, at least initially, I'm not concerned with ssh'ing in or out of the LAN to any "external" computer.)
1. I've read and/or received hints from a variety of sources that I can use one user certificate and one server certificate on such a LAN to authenticate ssh between any user on any client machine and any server on that LAN -- can someone confirm that?
Follow-up questions -- for the following I'm going to ask about user certificates -- if I get these answers for user certificates, I believe I can "extrapolate" them to server / host certificates.
(Aside -- reminding myself: user certificates are created by signing the public key of a user public keypair using the private key of the user CA keypair. Thus, with respect to user certificates, somewhere I must have at least one user keypair and one user CA keypair to create the user certificate.)
2. To use one user certificate to allow any user on any client machine to access any server, I'm quite sure that I'd have to copy that user certificate to each client machine?
3. Also, to do that (to use one user certificate to allow any user on any client machine to access any server), would I also have to copy the user private key from the client machine from / on which I created the user certificate to each of the other client machines?
Note: I recognize that copying private keys to another machine is a security risk -- for the moment, for the purpose of learning, I don't want to consider that.
Aside: I recognize that I can limit which users can use a certificate by specifying users (principals) with the -n option when I create a user certificate.
Thanks!
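An added example (not from the asker or any project) that walks through the certificate creation described in the aside above with OpenSSH's ssh-keygen, restricts the certificate with -n, and checks which CA signed it; the directory, key names and the principals alice/bob are assumptions for the demo.

```shell
# Added example, not from the asker: builds a user CA, one user keypair and a
# user certificate limited to the principals alice,bob, then inspects it.
# Names, paths and principals are assumptions for the demo.
set -eu

make_user_cert() {
    dir="$1"
    # On the CA machine: the user CA keypair. Its private key stays on the CA host.
    ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f "$dir/user_ca"
    # On a client machine: the user's own keypair (one per user, never copied around).
    ssh-keygen -q -t ed25519 -N '' -C 'alice@client1' -f "$dir/alice_key"
    # On the CA machine: sign alice's *public* key with the CA *private* key.
    #   -I  key id, logged by sshd at login   -n  principals (login names allowed)
    #   -V  validity window; a short lifetime bounds the damage of a leaked key
    ssh-keygen -q -s "$dir/user_ca" -I 'alice-cert' -n 'alice,bob' \
        -V '-1h:+52w' "$dir/alice_key.pub"
    # ssh-keygen writes the certificate to alice_key-cert.pub next to the key.
    ssh-keygen -L -f "$dir/alice_key-cert.pub"
}

# Principals embedded in a certificate, comma-separated (e.g. "alice,bob").
cert_principals() {
    ssh-keygen -L -f "$1" | awk '
        /Principals:/ { on = 1; next }
        /Critical Options:/ { on = 0 }
        on { gsub(/^[ \t]+/, ""); printf "%s%s", sep, $0; sep = "," }'
}

# Succeeds only if the certificate was signed by the given CA public key:
# compares the "Signing CA" fingerprint in the cert with the CA key's fingerprint.
cert_signed_by() {
    cert_fp="$(ssh-keygen -L -f "$1" | awk '/Signing CA:/ { print $4 }')"
    ca_fp="$(ssh-keygen -l -f "$2" | awk '{ print $2 }')"
    [ -n "$cert_fp" ] && [ "$cert_fp" = "$ca_fp" ]
}

# Where each file belongs on the LAN in the question:
#   client machines : alice_key (private) + alice_key-cert.pub, in ~alice/.ssh/
#   server machines : user_ca.pub, referenced by TrustedUserCAKeys in sshd_config
#   CA machine      : user_ca (private) only; it signs keys and logs in nowhere
```

Servers never see the user certificate in advance: they trust the CA public key and check each presented certificate's signature, principals and validity at login, which is why a per-user keypair and certificate on each client is enough and no private key needs to move between machines.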