...
Lines 5-11
This match block only applies to hosts not matching either the CA signing server or enrolment server. For those hosts that end up matching, the signing script specified is run. This checks whether the signed key associated with the private key file given as its first argument is still valid - e.g. still in date. If it isn’t, the signing script can use the second argument (username@sshca.<domain>) to re-sign the key.
Note that if this returns a non-zero code, meaning it failed, the following 4 settings are applied. These will cause the subsequent connection with the unsigned key to fail in a graceful way.
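One way to implement the "still in date" check described above, as an added example rather than the installer's own signing script: it reads the Valid: line that `ssh-keygen -L` prints for a certificate and returns a non-zero status when the certificate is out of date. The function names, the sample listing and the key path in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the installer's signkey script): decide whether an OpenSSH
# certificate is in date from the "Valid:" line of `ssh-keygen -L` output.
# Status: 0 = in date, 1 = expired or not yet valid, 2 = no recognisable Valid: line.

# Constructed sample of `ssh-keygen -L` output (placeholder values).
SAMPLE_LISTING='id_ed25519-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Key ID: "example-user"
        Serial: 1
        Valid: from 2024-05-01T09:00:00 to 2024-05-02T09:00:00
        Principals:
                example-user'

# 2024-05-01T09:00:00 -> 20240501090000, so integer comparison can be used.
ts_to_num() {
    printf '%s' "$1" | tr -d ':T-'
}

# cert_in_date "<ssh-keygen -L output>" "<now as YYYY-MM-DDTHH:MM:SS, local time>"
cert_in_date() {
    valid=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Valid:[[:space:]]*//p' | head -n 1)
    now=$(ts_to_num "$2")
    case "$valid" in
        forever)
            return 0 ;;
        "from "*" to "*)
            start=${valid#from }; start=${start%% to *}
            end=${valid##* to }
            # Valid from the start time up to, but not including, the end time.
            [ "$now" -ge "$(ts_to_num "$start")" ] && [ "$now" -lt "$(ts_to_num "$end")" ] ;;
        "before "*)
            [ "$now" -lt "$(ts_to_num "${valid#before }")" ] ;;
        "after "*)
            [ "$now" -ge "$(ts_to_num "${valid#after }")" ] ;;
        *)
            return 2 ;;
    esac
}

# Usage against a real certificate (path is an assumption):
#   cert_in_date "$(ssh-keygen -L -f "$HOME/.ssh/id_ed25519-cert.pub")" \
#                "$(date +%Y-%m-%dT%H:%M:%S)" || echo "certificate needs re-signing"
```

`ssh-keygen -L` prints validity times in local time, so the current time passed in must be local time as well.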
NOTE: The negated hosts (sshca and sshenrol) are to prevent this match block applying to these special hosts - you may want to add others here that don’t utilise signed certificates.
NOTE: The signkey script takes two arguments - the name of the public key that needs signing and the command required to get the key signed - so modify both as necessary and in particular the user - however, if using our standard installer, these will be set to correct values.
Lines 14-15
This match block runs a script that attempts to retrieve the hostkey from the server you want to connect to. If that fails, it sets the ProxyJump setting to force the connection to go via the named gateway. It is expected that this will have negated hosts for itself and any hosts required for signing or enrolling.
NOTE: The ProxyJump will need to be changed to suit the local environment - however, if using our standard installer, these will be set to correct values.
Lines 20 - end-of-file
This match block provides any default settings you wish to apply to hosts in the given domain.
Note that if you wish to provide per-host defaults that conflict with the domain wide settings, it would be better to do this in the main configuration file before the Match Host *.essex.ac.uk section.
NOTE: It is likely that both User and IdentityFile will need to be changed for the user - however, if using our standard installer, these will be set to correct values.
...