arensb / ansible-truenas

Ansible collection to manage TrueNAS
Apache License 2.0

Manage ssh host keys and certs #11

Open arensb opened 9 months ago

arensb commented 9 months ago

I'd like to add the ability to manage ssh host keys (e.g., ssh_host_rsa_key and ssh_host_rsa_key.pub) and especially host key certificates (e.g., ssh_host_rsa_key-cert.pub), but I can't find the place in the web console to do so, nor have I found the documentation on how to do so.

The ssh.config middleware call returns these keys and certs, but I don't know the best way to update them. By RTFSing, I've found a number of datastore calls that can probably do the trick, but since I can't find documentation for this, I suspect this is not the recommended way of doing it.

crpb commented 9 months ago

I think you have to update them in /data/freenas-v1.db.services_ssh.

If you look at the date in /usr/local/etc/ssh/ssh_host* you will likely see the current boot-time. Which service/call writes them out I never bothered to check, though.

arensb commented 9 months ago

Yes, that's the file that gets updated by the datastore calls that update ssh keys. But I'm looking for the recommended way of updating these keys. Actually, I'm more interested in updating the certs, but can't find any documentation or guidance on how to do this.

crpb commented 9 months ago

I don't think there is a recommended way at all. ...yet? If you look at https://github.com/truenas/middleware/blob/9c40c3960194ae0acf7a41ce5078794b700455ee/src/middlewared/middlewared/plugins/ssh.py#L104-L122 you can see that midclt call ssh.update won't accept those fields as far as I can make out.

If you have the cert-pub from your CA/ssh-keysign(8), you could just do an sqlite3 <<< "UPDATE ssh_config..." on /data/freenas-v1.db followed by a midclt call ssh.update '{}' which writes down the keys.
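Before a CA-issued cert is written into the datastore along the lines described above, an installer should at least confirm that it is a host certificate, that it names this box as a principal, and that it is currently valid. The following is an added example (not code from ansible-truenas or the TrueNAS middleware) that decodes an ed25519 host certificate line and performs those checks; the hostname nas01 and the sample certificate are constructed, and checking the CA signature itself is left to ssh-keygen -L or the CA tooling.

```python
# Added example (not ansible-truenas code): decode an OpenSSH ed25519 host cert line.
import base64
import struct

KIND = "ssh-ed25519-cert-v01@openssh.com"
HOST_CERT = 2  # OpenSSH certificate type: 1 = user, 2 = host

def _put(*items):  # encode byte strings as SSH wire 'string's (uint32 length + bytes)
    return b"".join(struct.pack(">I", len(i)) + i for i in items)

def _get(blob, off):  # read one SSH wire 'string' at off -> (value, next offset)
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + n], off + 4 + n

def parse_cert(line):
    """Parse a *-cert.pub line into the fields an installer cares about."""
    kind, b64 = line.split()[:2]
    if kind != KIND:
        raise ValueError(f"unsupported certificate type {kind}")
    blob, off = base64.b64decode(b64), 0
    for _ in range(3):  # skip key type name, nonce and the ed25519 public key
        _, off = _get(blob, off)
    serial, ctype = struct.unpack_from(">QI", blob, off)
    key_id, off = _get(blob, off + 12)
    plist, off = _get(blob, off)  # valid principals: a string of nested strings
    principals, p = [], 0
    while p < len(plist):
        name, p = _get(plist, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    return {"type": ctype, "serial": serial, "key_id": key_id.decode(),
            "principals": principals, "valid_after": valid_after, "valid_before": valid_before}

def check_host_cert(line, hostname, now):
    """Return reasons not to install this cert for hostname at unix time now ([] = ok)."""
    c, problems = parse_cert(line), []
    if c["type"] != HOST_CERT:
        problems.append("not a host certificate")
    if hostname not in c["principals"]:
        problems.append(f"{hostname} not in principals {c['principals']}")
    if not c["valid_after"] <= now < c["valid_before"]:
        problems.append("outside validity window")
    return problems

def build_sample_cert(ctype, principals, valid_after, valid_before):  # CONSTRUCTED test data
    body = (_put(KIND.encode(), b"\0" * 32, b"\0" * 32) + struct.pack(">QI", 1, ctype)
            + _put(b"nas01 host key", _put(*[p.encode() for p in principals]))
            + struct.pack(">QQ", valid_after, valid_before) + _put(b"", b"", b"", b"", b""))
    return KIND + " " + base64.b64encode(body).decode()  # empty options, CA key and signature
```

Pass int(time.time()) as now for a live check; a non-empty result means the file should not be written into the datastore.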

darkfiberiru commented 6 months ago

@crpb Can I ask the use case of changing host keys?

arensb commented 6 months ago

In my case, I'd like to sign the host key with my site CA. In practice, this means generating a key on a secure machine, then installing it on the TrueNAS box. So this could apply to any site where the admins have a key distribution system and want to install their own keys.