Copied ssh_host_rsa_key* files over to /etc/ssh and added the following to /etc/ssh/sshd_config
``HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub``
Restarted sshd using systemctl and added ``@cert-authority localhost ssh-rsa abcdefg`` (ssh-rsa abcdefg is the contents of host_ca.pub) to ~/.ssh/known_hosts
Finally, running
ssh -vv chlo@localhost 2>&1 | grep "Server"
debug1: Server host certificate: <email address hidden> SHA256:s2gq1xBSdetCarwElgQd0NbjJbiE3iLDxFtJqDhBFF4, serial 0 ID "localhost" CA ssh-rsa SHA256:v8ZgezKD9Zw/Ns8I0W6mfvxCAo9jv3WznUYAFhfPfCU valid from 2022-01-05T22:46:00 to 2023-01-04T22:47:11
debug2: Server host certificate hostname: localhost
Focal verification
[INSTALLED PKG VERSION]
chlo@BIG-HAL:~$ apt-cache policy openssh-server
openssh-server:
  Installed: 1:8.2p1-4ubuntu0.4
  Candidate: 1:8.2p1-4ubuntu0.4
  Version table:
 *** 1:8.2p1-4ubuntu0.4 400
        400 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     1:8.2p1-4ubuntu0.3 500
        500 http://gb.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
     1:8.2p1-4ubuntu0.2 500
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
     1:8.2p1-4 500
        500 http://gb.archive.ubuntu.com/ubuntu focal/main amd64 Packages
[PROCEDURE]
Create the keys/certs needed
``ssh-keygen -t rsa -b 4096 -f host_ca -C host_ca`` (no passphrase)
``ssh-keygen -f ssh_host_rsa_key -N '' -b 4096 -t rsa``
``ssh-keygen -s host_ca -I localhost -h -n localhost -V +52w ssh_host_rsa_key.pub``
Copied ssh_host_rsa_key* files over to /etc/ssh and added the following to /etc/ssh/sshd_config
``HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub``
Restarted sshd using systemctl and added ``@cert-authority localhost ssh-rsa abcdefg`` (ssh-rsa abcdefg is the contents of host_ca.pub) to ~/.ssh/known_hosts
Finally, running
ssh -vv chlo@localhost 2>&1 | grep "Server"
debug1: Server host certificate: <email address hidden> SHA256:s2gq1xBSdetCarwElgQd0NbjJbiE3iLDxFtJqDhBFF4, serial 0 ID "localhost" CA ssh-rsa SHA256:v8ZgezKD9Zw/Ns8I0W6mfvxCAo9jv3WznUYAFhfPfCU valid from 2022-01-05T22:46:00 to 2023-01-04T22:47:11
debug2: Server host certificate hostname: localhost
which tells us the certificate was seen and used
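
The check above is done by eye. As an added example (not part of the original comment or of the openssh package), this POSIX shell function asserts on the same `debug1: Server host certificate` line: the signing CA fingerprint, the certificate ID and the validity window. The function names, return codes and the explicit "now" argument are assumptions made for the example; the sample line and fingerprint are copied from the output above.

```shell
#!/bin/sh
# Sample input: the debug1 line and CA fingerprint shown in the verification output above.
SAMPLE_LINE='debug1: Server host certificate: <email address hidden> SHA256:s2gq1xBSdetCarwElgQd0NbjJbiE3iLDxFtJqDhBFF4, serial 0 ID "localhost" CA ssh-rsa SHA256:v8ZgezKD9Zw/Ns8I0W6mfvxCAo9jv3WznUYAFhfPfCU valid from 2022-01-05T22:46:00 to 2023-01-04T22:47:11'
SAMPLE_CA='SHA256:v8ZgezKD9Zw/Ns8I0W6mfvxCAo9jv3WznUYAFhfPfCU'

# extract LINE SED_PATTERN: print the single \( \) group of the pattern (hypothetical helper).
extract() { printf '%s\n' "$1" | sed -n "s/$2/\\1/p"; }

# digits STRING: keep only digits, so an ISO timestamp becomes a comparable integer.
digits() { printf '%s' "$1" | tr -cd '0-9'; }

# check_host_cert LINE EXPECTED_CA_FP EXPECTED_ID NOW   (hypothetical name)
# Returns 0 = ok, 1 = no parsable host certificate line (includes certificates
# without a from/to window), 2 = signed by a different CA, 3 = unexpected
# certificate ID, 4 = NOW is outside the validity window.
check_host_cert() {
    hc_line=$1; hc_want_ca=$2; hc_want_id=$3; hc_now=$4
    case $hc_line in
        *"Server host certificate:"*) ;;
        *) return 1 ;;
    esac
    hc_id=$(extract "$hc_line" '.* ID "\([^"]*\)" CA .*')
    hc_ca=$(extract "$hc_line" '.* CA [^ ]* \(SHA256:[^ ]*\) valid from .*')
    hc_from=$(extract "$hc_line" '.* valid from \([^ ]*\) to .*')
    hc_to=$(extract "$hc_line" '.* valid from [^ ]* to \([^ ]*\).*')
    [ -n "$hc_ca" ] && [ -n "$hc_from" ] && [ -n "$hc_to" ] || return 1
    [ "$hc_ca" = "$hc_want_ca" ] || return 2
    [ "$hc_id" = "$hc_want_id" ] || return 3
    [ "$(digits "$hc_now")" -ge "$(digits "$hc_from")" ] || return 4
    [ "$(digits "$hc_now")" -le "$(digits "$hc_to")" ] || return 4
    return 0
}

# Demo on the sample line with a fixed "now" inside the 52-week window.
check_host_cert "$SAMPLE_LINE" "$SAMPLE_CA" localhost 2022-06-01T00:00:00 \
    && echo "host certificate signed by expected CA and currently valid"
```

On a live system the expected fingerprint would come from the CA public key (second field of `ssh-keygen -l -f host_ca.pub`) and "now" from `date +%Y-%m-%dT%H:%M:%S`.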