
Docs or examples for SSH CA Federation #63

Open
gzm55 opened this issue Feb 15, 2021 · 5 comments
Labels
enhancement New feature or request

Comments

gzm55 commented Feb 15, 2021

It seems that step-ca supports SSH CA federation or rotating the SSH CA in the source code, but there are no related documents or examples. So we need more detailed information about the operations and configs for how to rotate or federate multiple SSH CAs.

@dopey dopey transferred this issue from smallstep/certificates Feb 15, 2021
@dopey dopey added enhancement New feature or request needs triage labels Feb 15, 2021
dopey (Contributor) commented Feb 15, 2021

@maraino I see in the ca config that we do have a way to add federated SSH public keys to the CA config - https://github.com/smallstep/certificates/blob/1d47a7284d9054469c887a3c7114e1630b9aab41/authority/ssh.go#L39. It appears that we're expecting an array for JWKs? Is that correct? Would you mind providing an example config, if you have one?

And separately, why JWK? In the k8s provisioner we just use a PEM encoded block of keys.

maraino (Contributor) commented Feb 23, 2021

@dopey it should be something like:

```json
{
  "ssh": {
    "hostKey": "/Users/mariano/.step/secrets/ssh_host_ca_key",
    "userKey": "/Users/mariano/.step/secrets/ssh_user_ca_key",
    "keys": [
      {
        "type": "host",
        "federated": true,
        "key": {
          "use": "sig",
          "kty": "EC",
          "kid": "nvgnR8wSzpUlrt_tC3mvrhwhBx9Y7T1WL_JjcFVWYBQ",
          "crv": "P-256",
          "alg": "ES256",
          "x": "9KnGK45FNDa-SnaX22I4VGNNouOBMQ5aJg3V-qeKokY",
          "y": "rB05Ucpxu_ur-OrUjJmoTcIqFc1Jrfar30j_hUvNgKY"
        }
      }
    ]
  }
}
```

In theory the federated keys will appear in the `known_hosts` or `ca.pub` depending on the type `host` or `user`. `federated: false` right now is only useful when rotating certificates, but the use in the templates might not be totally correct.

If we're documenting this, I would make a note that this section is currently experimental and it might change.

gzm55 (Author) commented Feb 24, 2021

@maraino it could be more convenient to configure federated SSH CAs like the X.509 ones, by passing a file in the format of ca.pub or known_hosts.
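
The mapping both of the comments above are circling, as an added example that is not code from the smallstep project: it takes an `ssh.keys` entry in the JWK shape maraino posted and emits the `@cert-authority` line that belongs in `known_hosts` (for `type: host`) or the bare public-key line that belongs in `ca.pub` (for `type: user`), and it parses such a file line back into an entry, which is the file-based input gzm55 suggests. Everything here is the example's own: the function names, the `SAMPLE_KEYS` constant (the host entry quoted above), and the decision to refuse any coordinate pair that is not a point on P-256 before writing it anywhere as a trust anchor. The reverse direction deliberately leaves `kid` unset rather than guess how step derives it. Standard library only.

```python
"""Added example (not step-ca code): map step-ca's experimental ssh.keys JWK
entries to the OpenSSH lines they land in (known_hosts for host CAs, ca.pub
for user CAs) and parse such a line back into an entry.  Stdlib only."""
import base64
import json
import struct

# NIST P-256 field prime and coefficient b (a = p - 3); used to reject bad points.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
SSH_ALGO = b"ecdsa-sha2-nistp256"

# Constructed sample: the federated host-key entry quoted in the thread above.
SAMPLE_KEYS = [{
    "type": "host",
    "federated": True,
    "key": {
        "use": "sig", "kty": "EC", "crv": "P-256", "alg": "ES256",
        "kid": "nvgnR8wSzpUlrt_tC3mvrhwhBx9Y7T1WL_JjcFVWYBQ",
        "x": "9KnGK45FNDa-SnaX22I4VGNNouOBMQ5aJg3V-qeKokY",
        "y": "rB05Ucpxu_ur-OrUjJmoTcIqFc1Jrfar30j_hUvNgKY",
    },
}]

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def is_on_p256(x: int, y: int) -> bool:
    """y^2 == x^3 - 3x + b (mod p); a config entry is untrusted input."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0

def point_to_jwk(x: int, y: int) -> dict:
    """Affine point -> the JWK shape used in ssh.keys (kid left to the caller)."""
    return {"use": "sig", "kty": "EC", "crv": "P-256", "alg": "ES256",
            "x": b64url_encode(x.to_bytes(32, "big")),
            "y": b64url_encode(y.to_bytes(32, "big"))}

def jwk_to_ssh_pubkey(jwk: dict) -> str:
    """EC P-256 JWK -> 'ecdsa-sha2-nistp256 <base64 blob>', the ca.pub form."""
    if jwk.get("kty") != "EC" or jwk.get("crv") != "P-256":
        raise ValueError("only EC P-256 keys are handled here")
    x, y = b64url_decode(jwk["x"]), b64url_decode(jwk["y"])
    if len(x) != 32 or len(y) != 32:
        raise ValueError("P-256 coordinates must be 32 bytes each")
    if not is_on_p256(int.from_bytes(x, "big"), int.from_bytes(y, "big")):
        raise ValueError("point is not on P-256; refusing to emit a trust anchor")
    blob = ssh_string(SSH_ALGO) + ssh_string(b"nistp256") + ssh_string(b"\x04" + x + y)
    return SSH_ALGO.decode() + " " + base64.b64encode(blob).decode()

def ssh_trust_line(entry: dict) -> tuple:
    """One ssh.keys entry -> (file it belongs in, line to append there)."""
    pubkey = jwk_to_ssh_pubkey(entry["key"])
    if entry["type"] == "host":
        return "known_hosts", "@cert-authority * " + pubkey
    if entry["type"] == "user":
        return "ca.pub", pubkey
    raise ValueError("unknown key type %r" % entry["type"])

def ssh_pubkey_to_entry(line: str, key_type: str, federated: bool = True) -> dict:
    """Reverse direction: a ca.pub or known_hosts CA line -> ssh.keys entry."""
    line = line.strip()
    if line.startswith("@cert-authority"):
        line = line.split(None, 2)[2]  # drop the marker and the host pattern
    algo, b64 = line.split()[:2]
    blob, parts, off = base64.b64decode(b64), [], 0
    while off + 4 <= len(blob):  # walk the RFC 4251 strings in the blob
        (n,) = struct.unpack_from(">I", blob, off)
        parts.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    if (algo.encode() != SSH_ALGO or off != len(blob) or len(parts) != 3
            or parts[:2] != [SSH_ALGO, b"nistp256"]
            or len(parts[2]) != 65 or parts[2][0] != 0x04):
        raise ValueError("not a well-formed ecdsa-sha2-nistp256 public key")
    x = int.from_bytes(parts[2][1:33], "big")
    y = int.from_bytes(parts[2][33:], "big")
    if not is_on_p256(x, y):
        raise ValueError("point is not on P-256")
    return {"type": key_type, "federated": federated, "key": point_to_jwk(x, y)}

if __name__ == "__main__":
    for entry in SAMPLE_KEYS:
        target, line = ssh_trust_line(entry)  # raises ValueError on a bad point
        print(target + ": " + line)
        print(json.dumps(ssh_pubkey_to_entry(line, entry["type"]), indent=2))
```

To cross-check the output against the CA itself, write the `ca.pub` line to a file and run `ssh-keygen -l -f` on it; the fingerprint should match the one the CA reports for its own user key. The on-curve check is the part worth keeping whichever direction you go: a JWK in a config file is just two base64 strings until something validates them, and an invalid point silently written into `known_hosts` is a trust anchor nobody can sign for or audit.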

maraino (Contributor) commented Feb 24, 2021

@gzm55 it makes sense, at the same time, I also like not depending on files.

maraino (Contributor) commented Feb 24, 2021

We haven't focused yet on federated CAs; I guess we'll revamp this once we do.

@tashian tashian transferred this issue from smallstep/docs-old Mar 9, 2022