Open mmalone opened 4 years ago
@mmalone: we already have:
`step ssh config --roots` to get the public key used to sign user certificates.
`step ssh config --roots --host` to get the public key used to sign host certificates.
We can change these commands to something like `step ssh root` and `step ssh root --host` or something similar. What do you think?
Nice! I didn't realize that. Let's leave it as is for the moment and make sure we get it documented. If people still aren't finding this option we might want to move it to a subcommand. This feature request came from someone using our last release, so they didn't have `step ssh config`. This is probably sufficient.
The only other reason to consider a separate subcommand is for consistency with the `step ca` command group. But the `step ssh` command group already has a bunch of inconsistencies (intentionally, since the API is designed to make sense from the perspective of an SSH user vs. the perspective of an X.509 PKI participant). Shrug.
@mmalone any movement here? Should we call it "done", "wont fix"?
I think it still makes sense to create a separate command for this. We should also keep the current functionality.
> We can change these commands to something like `step ssh root` and `step ssh root --host` or something similar. What do you think?

I think from the user perspective it would be nice to have consistency with the `step ca root` command. Since there's multiple roots that are not part of a chain something like `step ssh root` would display an error saying a parameter is needed, i.e. `step ssh root --user` or `step ssh root --host`. This would allow consistency for scripts that wrap step-cli.
We should have a subcommand that grabs the SSH client / host cert from the CA (using the fingerprint) without doing the OpenSSH configuration stuff. This would be useful if people want to manage that configuration themselves. It's also consistent with our X.509 stuff, where we have `step ca root` and `step ca bootstrap`.