
I've just registered my website so people can access it by HTTPS (and will be forced to; HSTS and redirects are part of the configuration).

It's set up with GitLab. I can access my repositories via HTTPS just fine. I install a workstation's public certificate, generated with

ssh-keygen -t rsa -b 4096 -C "workstation name"

so I can push and pull files without a username/password combo.

Now I try to check out

git clone git@git.myserver.com:group/repository.git

And I get the old prompt:

The authenticity of host 'git.myserver.com (#.#.#.#)' can't be established. RSA key fingerprint is SHA256:HAHANO17pLUsNE2KoVKweYDEwhJHu1l4ugaoT+fHdx0.

Are you sure you want to continue connecting (yes/no)?

...but wait. HTTPS needs no user confirmation, because the certificate isn't self-signed.

I keep reading about "X.509", and that Certification Authority looks to be the same thing as the CA that gave me my HTTPS cert. So, can I configure my server's SSH to use the same signed certificate (so I don't have to manually confirm and store the server's data in my workstations' known_hosts file)? And how would I configure ssh and any generated files?

Sudrien

1 Answer


First, SSH and HTTPS are two different services running on two different ports (22 and 443 respectively), using two different protocols (SSH, and HTTP over TLS/SSL respectively). Those protocols are incompatible.

Moreover, SSH does not use a PKI (public key infrastructure); server authentication is based on a hash signature that you should verify with the owner of the SSH server via an out-of-band channel (like going to see the admin who is in charge of the server).

There is software that uses the PGP web of trust for SSH instead of an X.509 certificate-based PKI. See: https://serverfault.com/a/60287

Mircea Vutcovici
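As an added example that is not part of the question or the answer above: the out-of-band check the answer describes, carried out explicitly in Python. The string ssh prints in the "authenticity of host" prompt is the same value `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` prints on the server, so the admin can read it to you and you can compare. The code below reproduces that fingerprint from a public-key line, compares it with the one the admin gave you, and only on a match emits a known_hosts line (plain, or in the hashed `|1|salt|hmac` form that `ssh-keygen -H` writes) so the prompt never appears. The hostname git.myserver.com and the ssh-ed25519 key are constructed samples, not any real server's key.

```python
"""Added example (not from the original question or answer): pin an SSH
host key after verifying its SHA256 fingerprint out of band.
Hostname and key below are constructed samples."""
import base64
import hashlib
import hmac
import os
import struct


def parse_pubkey_line(line):
    """Split 'ssh-ed25519 AAAA... [comment]' into (key type, raw key blob).

    The fingerprint covers the decoded blob only, never the comment. The
    blob starts with a length-prefixed copy of the key type, so a line
    whose text label disagrees with its blob is rejected.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, blob = parts[0], base64.b64decode(parts[1])
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type label does not match the key blob")
    return key_type, blob


def sha256_fingerprint(line):
    """'SHA256:' + unpadded base64 of SHA-256 over the key blob: exactly
    the string ssh shows in the prompt and ssh-keygen -lf prints."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_entry(host, line, hashed=False, salt=None):
    """One known_hosts line for host. With hashed=True the name is stored
    as |1|<salt>|<HMAC-SHA1(key=salt, host)>, the HashKnownHosts format."""
    key_type, blob = parse_pubkey_line(line)
    key_b64 = base64.b64encode(blob).decode()
    if not hashed:
        return f"{host} {key_type} {key_b64}"
    salt = os.urandom(20) if salt is None else salt
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    name = "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())
    return f"{name} {key_type} {key_b64}"


def entry_matches_host(entry, host):
    """True if a known_hosts line (plain or hashed) was written for host."""
    name = entry.split()[0]
    if not name.startswith("|1|"):
        return host in name.split(",")
    _, _, salt_b64, mac_b64 = name.split("|")
    salt = base64.b64decode(salt_b64)
    expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(mac_b64))


def pin_if_fingerprint_matches(host, line, fingerprint_from_admin):
    """The out-of-band check itself: return a hashed known_hosts line only
    when the key's fingerprint equals what the server admin read out.
    Returns None on mismatch; nothing should be written in that case."""
    if not hmac.compare_digest(sha256_fingerprint(line), fingerprint_from_admin):
        return None
    return known_hosts_entry(host, line, hashed=True)


# Constructed sample key: a well-formed ssh-ed25519 public key whose 32
# bytes of key material are just 0x01..0x20. Not any real server's key.
_BLOB = (struct.pack(">I", 11) + b"ssh-ed25519"
         + struct.pack(">I", 32) + bytes(range(1, 33)))
SAMPLE_PUBKEY_LINE = ("ssh-ed25519 " + base64.b64encode(_BLOB).decode()
                      + " git.myserver.com host key (constructed)")

if __name__ == "__main__":
    fp = sha256_fingerprint(SAMPLE_PUBKEY_LINE)
    print("fingerprint to compare with the admin's:", fp)
    # The admin read out the matching value: pin it.
    print(pin_if_fingerprint_matches("git.myserver.com", SAMPLE_PUBKEY_LINE, fp))
    # A fingerprint that does not match must produce nothing to write.
    print(pin_if_fingerprint_matches("git.myserver.com", SAMPLE_PUBKEY_LINE,
                                     "SHA256:" + "A" * 43))
```

The line the script returns is what you append to ~/.ssh/known_hosts; after that, `ssh-keygen -F git.myserver.com` finds the entry and `git clone` proceeds without the prompt. The hashed form hides which hosts you connect to from anyone reading the file, which is why `ssh-keygen -H` and `HashKnownHosts yes` produce it; either form is accepted by ssh.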