updates to ssh cert stuff

ddpbsd · ddpbsd · commit 3020d04a01f4 · 2025-07-02T12:39:49.000-04:00
diff --git a/_sources/misc/mynet/pine.rst.txt b/_sources/misc/mynet/pine.rst.txt
@@ -0,0 +1,24 @@
+====
+pine
+====
+
+Stuff for pine.
+
+fstab
+^^^^^
+
+.. code-block:: console
+
+   e344b2be6eb2cce4.b none swap sw
+   e344b2be6eb2cce4.a / ffs rw 1 1
+   e344b2be6eb2cce4.k /home ffs rw,nodev,nosuid 1 2
+   e344b2be6eb2cce4.d /tmp ffs rw,nodev,nosuid 1 2
+   e344b2be6eb2cce4.f /usr ffs rw,nodev 1 2
+   e344b2be6eb2cce4.g /usr/X11R6 ffs rw,nodev 1 2
+   e344b2be6eb2cce4.h /usr/local ffs rw,wxallowed,nodev 1 2
+   e344b2be6eb2cce4.e /var ffs rw,nodev,nosuid 1 2
+   e344b2be6eb2cce4.j /var/log-backup ffs rw,nodev,nosuid 1 2
+   swap /var/log mfs rw,nodev,nosuid,-s=200m,-P=/var/log-backup 0 0
+   77a302db418c8098.d /usr/src ffs rw,nodev,softdep,noauto 0 0
+   77a302db418c8098.e /usr/ports ffs rw,nodev,softdep,noauto 0 0
+
diff --git a/_sources/openssh/certificates.rst.txt b/_sources/openssh/certificates.rst.txt
@@ -53,7 +53,7 @@ Add the following to the server's `sshd_config` and make sure to load the privat
 
 .. code-block:: console
 
-   HostCertificate /etc/ssh/ssh_host_key.pub
+   HostCertificate /etc/ssh/ssh_host_key-cert.pub
    HostKey /etc/ssh/ssh_host_key
 
 .. warning::
@@ -62,6 +62,17 @@ Add the following to the server's `sshd_config` and make sure to load the privat
    For instance, I have the IP address for a host in the `Hostname` field, so SSHing to the system's hostname causes a mismatch.
    Commenting out that configuration option "fixes" the issue (as would adding the IP address to the principals).
 
+check the host cert
+^^^^^^^^^^^^^^^^^^^
+
+Add the following to your `known_hosts` file to specify the public CA cert as one to use as a `cert-authority`:
+
+.. code-block:: console
+
+   @cert-authority HOSTNAME ssh-ed25519 ...
+
+Change `HOSTNAME` to something that identifies the hosts that will use that CA.
+
 create a user key and sign it
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
@@ -82,6 +93,17 @@ And sign it:
 * `-n USERNAME` the accounts the user can use to login with
 * `-V 1d` is the validity time, a short one is preferable
 
+adjust the user's config
+^^^^^^^^^^^^^^^^^^^^^^^^
+
+`CertificateFile` and `IdentityFile` should be added to your `.ssh/config` file for the appropriate host.
+These will be passed to the server for authentication and verification.
+
+.. code-block:: console
+
+   CertificateFile ~/.ssh/id_ed25591-cert.pub
+   IdentityFile ~/.ssh/id_ed25519
+
 check the options that a key was signed with
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
@@ -98,5 +120,5 @@ Add the following to the `/etc/sshd_config`:
 
    TrustedUserCAKeys /etc/ssh/user_ca.pub
 
-Of course, you'll have to copy that file to that location.
+Of course, you'll have to copy this CA file to the specified location.
 
diff --git a/_sources/operating_systems/linux/systemd/systemctl.rst.txt b/_sources/operating_systems/linux/systemd/systemctl.rst.txt
@@ -7,10 +7,20 @@ show enabled but not running services
 
 `failed` is probably the state I'm really curious about.
 
-```
-systemctl list-units -all --state=inactive
-systemctl list-units -all --state=failed
-```
+.. code-block:: console
+
+   systemctl list-units -all --state=inactive
+   systemctl list-units -all --state=failed
+
+check if a service is running
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+.. code-block:: console
+
+   systemctl is-active SERVICENAME
+   ## or quietly
+   systemctl is-active --quiet SERVICENAME
+
 
 systemctl enable SOMETHING.something: "Failed to execute operation: No such file or directory"
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
diff --git a/misc/mynet/pine.html b/misc/mynet/pine.html
@@ -0,0 +1,115 @@
+<!DOCTYPE html>
+
+<html lang="en" data-content_root="../../">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
+
+    <title>pine &#8212; notes 0.1 documentation</title>
+    <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=03e43079" />
+    <link rel="stylesheet" type="text/css" href="../../_static/basic.css?v=b08954a9" />
+    <link rel="stylesheet" type="text/css" href="../../_static/alabaster.css?v=27fed22d" />
+    <script src="../../_static/documentation_options.js?v=2709fde1"></script>
+    <script src="../../_static/doctools.js?v=9bcbadda"></script>
+    <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
+    <link rel="index" title="Index" href="../../genindex.html" />
+    <link rel="search" title="Search" href="../../search.html" />
+   
+  <link rel="stylesheet" href="../../_static/custom.css" type="text/css" />
+  
+
+  
+  
+
+  </head><body>
+  
+
+    <div class="document">
+      <div class="documentwrapper">
+        <div class="bodywrapper">
+          
+
+          <div class="body" role="main">
+            
+  <section id="pine">
+<h1>pine<a class="headerlink" href="#pine" title="Link to this heading">¶</a></h1>
+<p>Stuff for pine.</p>
+<section id="fstab">
+<h2>fstab<a class="headerlink" href="#fstab" title="Link to this heading">¶</a></h2>
+<div class="highlight-console notranslate"><div class="highlight"><pre><span></span><span class="go">e344b2be6eb2cce4.b none swap sw</span>
+<span class="go">e344b2be6eb2cce4.a / ffs rw 1 1</span>
+<span class="go">e344b2be6eb2cce4.k /home ffs rw,nodev,nosuid 1 2</span>
+<span class="go">e344b2be6eb2cce4.d /tmp ffs rw,nodev,nosuid 1 2</span>
+<span class="go">e344b2be6eb2cce4.f /usr ffs rw,nodev 1 2</span>
+<span class="go">e344b2be6eb2cce4.g /usr/X11R6 ffs rw,nodev 1 2</span>
+<span class="go">e344b2be6eb2cce4.h /usr/local ffs rw,wxallowed,nodev 1 2</span>
+<span class="go">e344b2be6eb2cce4.e /var ffs rw,nodev,nosuid 1 2</span>
+<span class="go">e344b2be6eb2cce4.j /var/log-backup ffs rw,nodev,nosuid 1 2</span>
+<span class="go">swap /var/log mfs rw,nodev,nosuid,-s=200m,-P=/var/log-backup 0 0</span>
+<span class="go">77a302db418c8098.d /usr/src ffs rw,nodev,softdep,noauto 0 0</span>
+<span class="go">77a302db418c8098.e /usr/ports ffs rw,nodev,softdep,noauto 0 0</span>
+</pre></div>
+</div>
+</section>
+</section>
+
+
+          </div>
+          
+        </div>
+      </div>
+      <div class="sphinxsidebar" role="navigation" aria-label="Main">
+        <div class="sphinxsidebarwrapper">
+<h1 class="logo"><a href="../../index.html">notes</a></h1>
+
+
+
+
+
+
+
+
+<h3>Navigation</h3>
+<ul>
+<li class="toctree-l1"><a class="reference internal" href="../../db/index.html">databases</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../elk/index.html">elastic stuff</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../openssh/index.html">OpenSSH</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../operating_systems/index.html">Operating Systems</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../ossec/index.html">OSSEC</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../ssl/index.html">ssl</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../stupid_unix_tricks/index.html">Stupid Unix Tricks</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../tools/index.html">Tools</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../vendor_stuff/index.html">Vendor Stuff</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../index.html">misc</a></li>
+</ul>
+
+<div class="relations">
+<h3>Related Topics</h3>
+<ul>
+  <li><a href="../../index.html">Documentation overview</a><ul>
+  </ul></li>
+</ul>
+</div>
+<search id="searchbox" style="display: none" role="search">
+  <h3 id="searchlabel">Quick search</h3>
+    <div class="searchformwrapper">
+    <form class="search" action="../../search.html" method="get">
+      <input type="text" name="q" aria-labelledby="searchlabel" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false"/>
+      <input type="submit" value="Go" />
+    </form>
+    </div>
+</search>
+<script>document.getElementById('searchbox').style.display = "block"</script>
+        </div>
+      </div>
+      <div class="clearer"></div>
+    </div>
+        <!-- your html code here -->
+	<div class="footer">
+		<em>This information has a good chance of being wrong, inconsistent, out of date, or just bad. Use at your own risk.
+		Feel free to notify me of any issues though.</em>
+	</div>
+
+
+  </body>
+</html>
diff --git a/objects.inv b/objects.inv
diff --git a/openssh/certificates.html b/openssh/certificates.html
@@ -74,7 +74,7 @@ <h2>create a host key and sign it<a class="headerlink" href="#create-a-host-key-
 </pre></div>
 </div>
 <p>Add the following to the server’s <cite>sshd_config</cite> and make sure to load the private key as well:</p>
-<div class="highlight-console notranslate"><div class="highlight"><pre><span></span><span class="go">HostCertificate /etc/ssh/ssh_host_key.pub</span>
+<div class="highlight-console notranslate"><div class="highlight"><pre><span></span><span class="go">HostCertificate /etc/ssh/ssh_host_key-cert.pub</span>
 <span class="go">HostKey /etc/ssh/ssh_host_key</span>
 </pre></div>
 </div>
@@ -85,6 +85,14 @@ <h2>create a host key and sign it<a class="headerlink" href="#create-a-host-key-
 Commenting out that configuration option “fixes” the issue (as would adding the IP address to the principals).</p>
 </div>
 </section>
+<section id="check-the-host-cert">
+<h2>check the host cert<a class="headerlink" href="#check-the-host-cert" title="Link to this heading">¶</a></h2>
+<p>Add the following to your <cite>known_hosts</cite> file to specify the public CA cert as one to use as a <cite>cert-authority</cite>:</p>
+<div class="highlight-console notranslate"><div class="highlight"><pre><span></span><span class="go">@cert-authority HOSTNAME ssh-ed25519 ...</span>
+</pre></div>
+</div>
+<p>Change <cite>HOSTNAME</cite> to something that identifies the hosts that will use that CA.</p>
+</section>
 <section id="create-a-user-key-and-sign-it">
 <h2>create a user key and sign it<a class="headerlink" href="#create-a-user-key-and-sign-it" title="Link to this heading">¶</a></h2>
 <p>Generate the key as usual:</p>
@@ -102,6 +110,15 @@ <h2>create a user key and sign it<a class="headerlink" href="#create-a-user-key-
 <li><p><cite>-V 1d</cite> is the validity time, a short one is preferable</p></li>
 </ul>
 </section>
+<section id="adjust-the-user-s-config">
+<h2>adjust the user’s config<a class="headerlink" href="#adjust-the-user-s-config" title="Link to this heading">¶</a></h2>
+<p><cite>CertificateFile</cite> and <cite>IdentityFile</cite> should be added to your <cite>.ssh/config</cite> file for the appropriate host.
+These will be passed to the server for authentication and verification.</p>
+<div class="highlight-console notranslate"><div class="highlight"><pre><span></span><span class="go">CertificateFile ~/.ssh/id_ed25591-cert.pub</span>
+<span class="go">IdentityFile ~/.ssh/id_ed25519</span>
+</pre></div>
+</div>
+</section>
 <section id="check-the-options-that-a-key-was-signed-with">
 <h2>check the options that a key was signed with<a class="headerlink" href="#check-the-options-that-a-key-was-signed-with" title="Link to this heading">¶</a></h2>
 <div class="highlight-console notranslate"><div class="highlight"><pre><span></span><span class="go">ssh-keygen -L -f USER-user-key.pub</span>
@@ -114,7 +131,7 @@ <h2>add the user_ca.pub file to the server’s sshd_config<a class="headerlink"
 <div class="highlight-console notranslate"><div class="highlight"><pre><span></span><span class="go">TrustedUserCAKeys /etc/ssh/user_ca.pub</span>
 </pre></div>
 </div>
-<p>Of course, you’ll have to copy that file to that location.</p>
+<p>Of course, you’ll have to copy this CA file to the specified location.</p>
 </section>
 </section>
 
diff --git a/openssh/index.html b/openssh/index.html
@@ -59,7 +59,9 @@ <h1>OpenSSH<a class="headerlink" href="#openssh" title="Link to this heading">¶
 <li class="toctree-l1"><a class="reference internal" href="certificates.html">certificate authentication</a><ul>
 <li class="toctree-l2"><a class="reference internal" href="certificates.html#create-the-ca-keypair">create the CA keypair</a></li>
 <li class="toctree-l2"><a class="reference internal" href="certificates.html#create-a-host-key-and-sign-it">create a host key and sign it</a></li>
+<li class="toctree-l2"><a class="reference internal" href="certificates.html#check-the-host-cert">check the host cert</a></li>
 <li class="toctree-l2"><a class="reference internal" href="certificates.html#create-a-user-key-and-sign-it">create a user key and sign it</a></li>
+<li class="toctree-l2"><a class="reference internal" href="certificates.html#adjust-the-user-s-config">adjust the user’s config</a></li>
 <li class="toctree-l2"><a class="reference internal" href="certificates.html#check-the-options-that-a-key-was-signed-with">check the options that a key was signed with</a></li>
 <li class="toctree-l2"><a class="reference internal" href="certificates.html#add-the-user-ca-pub-file-to-the-server-s-sshd-config">add the user_ca.pub file to the server’s sshd_config</a></li>
 </ul>
diff --git a/operating_systems/linux/systemd/index.html b/operating_systems/linux/systemd/index.html
@@ -46,6 +46,7 @@ <h1>systemd<a class="headerlink" href="#systemd" title="Link to this heading">¶
 </li>
 <li class="toctree-l1"><a class="reference internal" href="systemctl.html">systemctl</a><ul>
 <li class="toctree-l2"><a class="reference internal" href="systemctl.html#show-enabled-but-not-running-services">show enabled but not running services</a></li>
+<li class="toctree-l2"><a class="reference internal" href="systemctl.html#check-if-a-service-is-running">check if a service is running</a></li>
 <li class="toctree-l2"><a class="reference internal" href="systemctl.html#systemctl-enable-something-something-failed-to-execute-operation-no-such-file-or-directory">systemctl enable SOMETHING.something: “Failed to execute operation: No such file or directory”</a></li>
 <li class="toctree-l2"><a class="reference internal" href="systemctl.html#bus-error-blah-blah">bus error blah blah</a></li>
 </ul>
diff --git a/operating_systems/linux/systemd/systemctl.html b/operating_systems/linux/systemd/systemctl.html
@@ -38,10 +38,18 @@ <h1>systemctl<a class="headerlink" href="#systemctl" title="Link to this heading
 <section id="show-enabled-but-not-running-services">
 <h2>show enabled but not running services<a class="headerlink" href="#show-enabled-but-not-running-services" title="Link to this heading">¶</a></h2>
 <p><cite>failed</cite> is probably the state I’m really curious about.</p>
-<p><code class="docutils literal notranslate"><span class="pre">`</span>
-<span class="pre">systemctl</span> <span class="pre">list-units</span> <span class="pre">-all</span> <span class="pre">--state=inactive</span>
-<span class="pre">systemctl</span> <span class="pre">list-units</span> <span class="pre">-all</span> <span class="pre">--state=failed</span>
-<span class="pre">`</span></code></p>
+<div class="highlight-console notranslate"><div class="highlight"><pre><span></span><span class="go">systemctl list-units -all --state=inactive</span>
+<span class="go">systemctl list-units -all --state=failed</span>
+</pre></div>
+</div>
+</section>
+<section id="check-if-a-service-is-running">
+<h2>check if a service is running<a class="headerlink" href="#check-if-a-service-is-running" title="Link to this heading">¶</a></h2>
+<div class="highlight-console notranslate"><div class="highlight"><pre><span></span><span class="go">systemctl is-active SERVICENAME</span>
+<span class="gp">#</span><span class="c1"># or quietly</span>
+<span class="go">systemctl is-active --quiet SERVICENAME</span>
+</pre></div>
+</div>
 </section>
 <section id="systemctl-enable-something-something-failed-to-execute-operation-no-such-file-or-directory">
 <h2>systemctl enable SOMETHING.something: “Failed to execute operation: No such file or directory”<a class="headerlink" href="#systemctl-enable-something-something-failed-to-execute-operation-no-such-file-or-directory" title="Link to this heading">¶</a></h2>
diff --git a/searchindex.js b/searchindex.js
