step ssh without sudo

[LecrisUT]

I've recently found that in the authorized_keys you can specify cert-authority to specify a CA used to sign user certificate, which from what I can find would be a user specific of TrustedUserCAKeys. I have not had luck making it work yet, I hope somebody else has tried it and can share some insight for it.

[maraino]

Hi @LecrisUT:

The line looks like:

@cert-authority * ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLM+CBRbFqpYqjz+wjfnSsgLyyTPSphBtqcZ2TgXkrtNledIfAUsv1yX9B/aq3yycaaDbzU/EWJXHm1I5eoc1E=

Where ecdsa-sha2-nistp256 AAAA... is the public key used to sign host certificates. You can use step ssh config to automatically configure the user so a file with this is added to $(step path)/ssh/known_host and a config included from ~/.ssh/config. is added to $(step path)/ssh/config.

You might want to modify the Match rule in that last file, the open source version matches the hosts that have signed an SSH key with it.

[LecrisUT]

Ok, I've found my issue in that I didn't have the relevant principals from .Token.preferred_username. Everything works as intended, just that in some versions of sshd the @cert-authority * is not recognized instead a plain cert-authority needs to be used.

@tashian , has this topic been covered in the docs/blogs? In your linked discussion the poster mentioned a shared HPC doc, but I couldn't find it.

I see that there is quite some cli management being planned for the step-ca server. Maybe later some management of the client side configuration can be done as well to aid with the .step/ssh/config part.

I am thinking of how could step-ca be integrated for the user side with authorized_keys. Registering and adding an ssh-host to the step-ca server would still be possible for the non-sudo user, but I am not aware if sshd is able to add this encryption key for individual users. I do not see if there are security issues in doing so. But on a side-note why should the ssh-host need to have its certificate signed by the same CA as the user? If the ssh-host has its own certificate management, not knowing an alternative let's say that it is publicly signed via LetsEncrypt, and/or has some DNS certificate setup, wouldn't that be enough for the users to trust the host? On the step client side, the user would only have to add the CA server that the server is using to sign, or if lack there of, add the host's public key for step ssh check-host and KnownHostsCommand to pick up on.

[maraino]

I see that there is quite some cli management being planned for the step-ca server. Maybe later some management of the client side configuration can be done as well to aid with the .step/ssh/config part.

We are first focusing on provisioners, but yes the plan is to be able to configure as much as possible using the cli.
Currently, the templates for .step/ssh/config can be manually configured by editing the following files in step-ca:

$ ls ~/.step/templates/ssh
ca.tpl          config.tpl      include.tpl     known_hosts.tpl sshd_config.tpl

But on a side-note why should the ssh-host need to have its certificate signed by the same CA as the user?

By default, SSH host certificates and SSH user certificates are signed by different keys.

If the ssh-host has its own certificate management, not knowing an alternative let's say that it is publicly signed via LetsEncrypt, and/or has some DNS certificate setup, wouldn't that be enough for the users to trust the host? On the step client side, the user would only have to add the CA server that the server is using to sign, or if lack there of, add the host's public key for step ssh check-host and KnownHostsCommand to pick up on.

SSH and TLS use different types of certificates and trust a host in a different way. So it's not possible to use X.509 PKI (TLS) to trust an SSH certificate from a host. However, it's possible, to distribute public keys using DNS TXT records, but I've never seen it before, or use the same key to sign X.509 and SSH certificates, but in both cases, you will need custom tools to integrate that into SSH.

And as you mention the future KnownHostsCommand would make possible to build those custom tools, but that would be out of the scope of step. Step can be used to for example to extract the intermediate CA in TLS and convert that to the SSH format.

[tashian]

See also: #443