Closed potto007 closed 1 year ago
closes #24
Don't know if you use the released versions or build yourself. New tag here with binaries: https://github.com/openziti-test-kitchen/zssh/releases/tag/0.0.15
Thanks! I try to use released versions of projects when I can, and definitely need to before I demo this environment for architecture review.
Summary:
When attempting to log in to sshd via a Ziti tunnel from macOS, the client receives a "certificate not trusted" error.
Steps to reproduce:
zssh enroll -c ~/.ziti -v ~/Downloads/zsshClient.jwt -o ~/.ziti/zssh.json
zssh -d -i ~/.ssh/<pemfile> ec2-user@zsshServer
Expected results:
Actual results:
Details:
I spent a couple of days familiarizing myself with the SDK codebase responsible for enrollment and for connection. I set up a debugger config in JetBrains GoLand to replay the events leading up to the failure. I found that the Go standard library was where the error was being thrown, due to the cert's signer not being recognized. Reading through the enrollment codebase, it appeared that remote CAs should be pulled down, but they were only pulled when the client specified custom CAs. Given the behavior on Windows, and the behavior of the Ziti Desktop Edge client - whereby the zero trust PKI is inherently trusted - I changed the local copy of sdk-golang@v0.16.35/ziti/enroll/enroll.go to always pull down the CA bundle during enrollment. This immediately fixed the issue I was observing. Upon preparing to create a PR for sdk-golang, I found that the same thing I had done was already performed a month ago in this commit: https://github.com/openziti/sdk-golang/pull/342/commits/574fcf1dda04e4840f8c7680356a9f7c55420601, made as part of this PR: https://github.com/openziti/sdk-golang/pull/342. Given that fix, I merely had to update zssh to pull in the latest versions of the dependencies.
Fixed by:
https://github.com/openziti-test-kitchen/zssh/pull/24