Host certificates don't set expiry

[awly]

Description

What happened:

Host SSH certs on all services (nodes, proxies, auth) have no ValidBefore timestamp set. The code explicitly allows this: https://github.com/gravitational/teleport/blob/master/lib/auth/native/native.go#L211-L215

What you expected to happen:

Host SSH certs should expire and periodically rotate.

Reproduction Steps

As minimally and precisely as possible, describe step-by-step how to reproduce the problem.

1. Log into any teleport host and run

   sqlite3 /var/lib/teleport/proc/sqlite.db 'select value from kv where key like "/ids/%"' | jq -r .spec.ssh_cert | base64 -d | ssh-keygen -L -f -

Server Details

• Teleport version (run teleport version): master

Which platform(s)

• [ ] Teleport Open Source
• [ ] Teleport Cloud
• [ ] Teleport Enterprise
• [ ] Other

Which component(s)

• [x] Server Access
• [ ] Kubernetes Access
• [ ] Application Access
• [ ] Database Access
• [ ] CLI Clients
• [ ] Web Clients
• [ ] Other

[dregin]

Hi, is there an ETA on a fix for this?

Thanks

[awly]

@dregin this is not scheduled yet. Is this issue urgent for you?

[alwaysastudent]

Hi there, is this something that will be solved? Is there a manual way to rotate the node certificates?

Also, what happens if we rotate the CA in auth server?

thank you.

[pschisa]

This causes security scanners to flag hosts with the following report

Certificate #0 ssh-rsa-cert-v01@openssh.com has expired.
Expiration: Wed 31 Dec 1969 11:59:59 PM GMT