Docs or examples for SSH CA Federation #63
Comments
|
@maraino I see in the ca config that we do have a way to add federated SSH public keys to the CA config - https://github.com/smallstep/certificates/blob/1d47a7284d9054469c887a3c7114e1630b9aab41/authority/ssh.go#L39. It appears that we're expecting an array for JWKs? Is that correct? Would you mind providing an example config, if you have one? And separately, why JWK? In the k8s provisioner we just use a PEM encoded block of keys. |
|
@dopey it should be something like: {
"ssh": {
"hostKey": "/Users/mariano/.step/secrets/ssh_host_ca_key",
"userKey": "/Users/mariano/.step/secrets/ssh_user_ca_key",
"keys": [
{
"type": "host",
"federated": true,
"key": {
"use": "sig",
"kty": "EC",
"kid": "nvgnR8wSzpUlrt_tC3mvrhwhBx9Y7T1WL_JjcFVWYBQ",
"crv": "P-256",
"alg": "ES256",
"x": "9KnGK45FNDa-SnaX22I4VGNNouOBMQ5aJg3V-qeKokY",
"y": "rB05Ucpxu_ur-OrUjJmoTcIqFc1Jrfar30j_hUvNgKY"
}
}
]
}
}In theory the federated keys will appear in the known_hosts or ca.pub depending on the type 'host' or 'user'. Federated If we're documenting this, I would make a note that this section is currently experimental and it might change. |
|
@maraino it could be more convenient to config federated ssh ca like the x509 ones, by passing a file in the format of ca.pub or known_hosts. |
|
@gzm55 it makes sense, at the same time, I also like not depending on files. |
|
We haven't focused yet on federated CAs, I'll guess we'll revamp this once we do. |
It seems that the step-ca supports ssh ca federation or rotating ssh ca in the source code, but there are no related documents nor examples. So we need more detail information about the operations, configs about how to rotate or federate multiple ssh ca.
The text was updated successfully, but these errors were encountered: