Closed lungj closed 3 months ago
Hi @lungj, when you initialize a CA with step ca init --ssh
you can edit the templates that the CA will use:
$ cat templates/ssh/sshd_config.tpl
Match all
TrustedUserCAKeys /etc/ssh/ca.pub
HostCertificate /etc/ssh/{{.User.Certificate}}
HostKey /etc/ssh/{{.User.Key}}
You can adjust this to your needs.
Hi @lungj, I'm going to close this issue, as you can update the template. Feel free to reopen if this doesn't solve your issue.
Hello!
Issue details
I'm adding smallstep to a preexisting environment. Some ssh users have ed25519 fingerprints for servers, others have ecdsa fingerprints, and some ssh clients (embedded systems) only support rsa.
When using step ssh config --set Certificate=... --set Key=..., the ssh server is reconfigured to only serve one certificate via one key type. If the key type doesn't match the fingerprint in users' known_hosts file, they get a MITM warning -- or, if it's an unsupported key type, they can't log in.
Why is this needed?
It eases transitions for users and provides backwards compatibility.
Implementation notes
If multiple Certificate and Key keys can be set in step, sshd_config can do most of the rest of the work since it allows multiple HostCertificate and HostKey lines, e.g.,
The ssh clients can then fall back as necessary.