smallstep / cli

🧰 A zero trust swiss army knife for working with X509, OAuth, JWT, OATH OTP, etc.
https://smallstep.com/cli
Apache License 2.0

Allow duplicate `step ssh config --set` keys #1151

Status: Closed (closed by lungj 3 months ago)

lungj commented 3 months ago

Hello!

Issue details

I'm adding smallstep to a preexisting environment. Some ssh users have ed25519 fingerprints for servers, others have ecdsa fingerprints, and some ssh clients (embedded systems) only support rsa.

When using step ssh config --set Certificate=... --set Key=..., the ssh server is reconfigured to only serve one certificate via one key type. If the key type doesn't match the fingerprint in users' known_hosts file, they get a MITM warning -- or, if it's an unsupported key type, they can't log in.

Why is this needed?

It eases transitions for users and provides backwards compatibility.

Implementation notes

If multiple Certificate and Key keys can be set in step, sshd_config can do most of the rest of the work since it allows multiple HostCertificate and HostKey lines, e.g.,

Match all
    TrustedUserCAKeys /etc/ssh/ca.pub
    HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
    HostKey /etc/ssh/ssh_host_ed25519_key
    HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub
    HostKey /etc/ssh/ssh_host_ecdsa_key

The ssh clients can then fall back as necessary.

maraino commented 3 months ago

Hi @lungj, when you initialize a CA with step ca init --ssh you can edit the templates that the CA will use:

$ cat templates/ssh/sshd_config.tpl
Match all
    TrustedUserCAKeys /etc/ssh/ca.pub
    HostCertificate /etc/ssh/{{.User.Certificate}}
    HostKey /etc/ssh/{{.User.Key}}

You can adjust this to your needs.
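As an added example (not the step project's own code, and not part of this issue): a Go program that extends the template above with a range loop so it renders one HostCertificate/HostKey pair per host key type, the layout lungj sketched, and then sanity-checks the rendered file. The HostKeyPair data shape and the HostKeys field are assumptions made for this example; the issue only shows .User.Certificate and .User.Key, and says nothing about passing a list into .User.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// HostKeyPair is the data shape assumed for this example (not step's own .User data).
type HostKeyPair struct {
	Certificate string
	Key         string
}

// sshdTemplate extends the issue's sshd_config.tpl with a range loop: one pair per key type.
var sshdTemplate = template.Must(template.New("sshd_config").Parse(`Match all
    TrustedUserCAKeys /etc/ssh/ca.pub
{{- range .HostKeys }}
    HostCertificate /etc/ssh/{{ .Certificate }}
    HostKey /etc/ssh/{{ .Key }}
{{- end }}
`))

// RenderSSHDConfig renders the multi-key sshd_config fragment for the given pairs.
func RenderSSHDConfig(pairs []HostKeyPair) (string, error) {
	var buf bytes.Buffer
	err := sshdTemplate.Execute(&buf, struct{ HostKeys []HostKeyPair }{pairs})
	return buf.String(), err
}

// CheckHostKeyPairs verifies that every HostCertificate has a HostKey with the same
// file name minus the "-cert.pub" suffix (the naming convention in the issue). sshd
// itself pairs them by public key; this is an order-independent check on the file.
func CheckHostKeyPairs(config string) error {
	keys := map[string]bool{}
	var certs []string
	for _, line := range strings.Split(config, "\n") {
		if f := strings.Fields(line); len(f) == 2 && f[0] == "HostKey" {
			keys[f[1]] = true
		} else if len(f) == 2 && f[0] == "HostCertificate" {
			certs = append(certs, f[1])
		}
	}
	for _, c := range certs {
		if want := strings.TrimSuffix(c, "-cert.pub"); !keys[want] {
			return fmt.Errorf("HostCertificate %s has no matching HostKey %s", c, want)
		}
	}
	return nil
}
```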

maraino commented 3 months ago

Hi @lungj, I'm going to close this issue, as you can update the template. Feel free to reopen if this doesn't solve your issue.