dynamic new user with ssh certbased auth

[chomezski]

i understand that in order for cert based auth to work the user needs to exist on the target host - are there any recommendations with regards to new user creation when using cert based auth for ssh? i've tried unsuccessfully to use pam_exec.so to trigger a shell script to create the user - any other thoughts?

[maraino]

Hi @chomezski: The open-source implementation provides a "rudimentary" way to create new users on the fly. Although it works this is not "supported" and the documentation for it was removed

The way it works is that when you create a new certificate you can create at the same time a provisioner certificate that contains a useradd command, although this is configurable.

For example, if I run step ssh certificate with the --add-user flag:

$ step ssh certificate -f --add-user [email protected] jane
✔ Provisioner: [email protected] (JWK) [kid: xxx]
✔ Please enter the password to decrypt the provisioner key:
✔ CA: https://localhost:9000
Please enter the password to encrypt the private key:
✔ Private Key: jane
✔ Public Key: jane.pub
✔ Certificate: jane-cert.pub
✔ SSH Agent: yes
✔ Add User Private Key: jane-provisioner
✔ Add User Public Key: jane-provisioner.pub
✔ Add User Certificate: jane-provisioner-cert.pub

An extra certificate has been created jane-provisioner-cert.pub if you inspect that certificate it has the following:

$ step ssh inspect jane-provisioner-cert.pub
jane-provisioner-cert.pub:
        Type: [email protected] user certificate
        Public key: ECDSA-CERT SHA256:V790HO7L26pQW45BKI19+SQ3bl9mlFHkdZk9Rj191PM
        Signing CA: ECDSA SHA256:rmAjupXaId7QQode/ThbhY/t427k9EKtTfNQHn5AkPk
        Key ID: "jane-provisioner"
        Serial: 17352647550378328810
        Valid: from 2020-10-05T18:24:20 to 2020-10-06T10:25:20
        Principals:
                provisioner
        Critical Options:
                force-command sudo useradd -m jane; nc -q0 localhost 22
        Extensions: (none)

If this certificate is used, it will run as the user provisioner the command sudo useradd -m jane; nc -q0 localhost 22.This creates the user jane and proxy to a new ssh connection. This of course requires the provisioner user in the host, as well as sudo permissions. Both the command and the user are configurable adding "addUserPrincipal" and "addUserCommand" in the "ssh" block of the ca.json the default command is:

sudo useradd -m <principal>; nc -q0 localhost 22

There, the <principal> is replaced with the username used as principal in the other certificate.

There's a small guide on how to set up this in the deleted code of this change smallstep/cli@5a8c655

Improved support this is available in our SaaS offering, that you can sign up and use for free within some limits https://smallstep.com