Overview
In a typical OpenSSH deployment, the sshd_config options TrustedUserCAKeys (the CA public keys sshd trusts to sign user certificates) and AuthorizedPrincipalsFile (the per-user list of certificate principals allowed to log in as that user) let users authenticate with SSH certificates instead of raw public keys.
This request is for the ability to configure, from the VyOS CLI, the sshd options needed to make SSH certificate authentication work on VyOS.
Our background regarding this request is the ability to use SSH certificates to log in to our VyOS hosts instead of fixed SSH keys or fixed passwords. Logging in with certificates allows keys to have a limited lifespan that is not tied to the device's configuration.
Examples
# set service ssh trusted-user-ca-key <location>
- <location> can be a local path or a URL pointing at a remote file.
- Example (Local): set service ssh trusted-user-ca-key /tmp/ssh-ca.pem
- Example (Remote): set service ssh trusted-user-ca-key https://example.com/ssh-ca.pem
- Mapped to sshd_config TrustedUserCAKeys. sshd only reads a local file and does not fetch URLs, so for the remote form VyOS would have to download the file and point sshd at the local copy. That download must be authenticated (at minimum HTTPS with certificate validation), because whoever controls the contents of this file can issue certificates that sshd will accept for any configured principal.
# set system login user <username> authentication ca-principals <principal-name>
- Adds an SSH certificate principal for the given user. Multiple principals are permitted per user.
- Example: set system login user vyos authentication ca-principals netadmins
- Mapped to a per-user file containing principal names, configured by sshd_config AuthorizedPrincipalsFile. A certificate is accepted for <username> only if it is signed by a key listed in TrustedUserCAKeys and carries at least one principal from that user's file. Once AuthorizedPrincipalsFile is set, sshd no longer falls back to matching the login name against the certificate's principals, so a user with no ca-principals configured cannot log in with a certificate.
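As an added example (not VyOS code and not part of this request), the Python sketch below shows how the two proposed options could be rendered into the sshd_config lines and per-user principals files they map to, and applies the principal-matching rule sshd uses once the CA signature has been verified. The shape of the config dict, the /config/auth/ssh-ca.pem and /etc/ssh/principals paths, and the user names are assumptions.

```python
"""Render the two proposed VyOS options into OpenSSH's sshd_config and
AuthorizedPrincipalsFile layout, and model sshd's principal check.

Added example, not VyOS code. Paths, user names and the dict shape are assumed.
"""
from pathlib import PurePosixPath
from typing import Dict, List

# Constructed input, mirroring (paths/users assumed):
#   set service ssh trusted-user-ca-key /config/auth/ssh-ca.pem
#   set system login user vyos authentication ca-principals netadmins
#   set system login user alice authentication ca-principals netadmins
#   set system login user alice authentication ca-principals oncall
VYOS_CONFIG = {
    "service": {"ssh": {"trusted_user_ca_key": "/config/auth/ssh-ca.pem"}},
    "system": {"login": {"user": {
        "vyos": {"ca_principals": ["netadmins"]},
        "alice": {"ca_principals": ["netadmins", "oncall"]},
        "backup": {},  # no ca-principals: certificate login is not possible
    }}},
}

# Assumed directory for the generated per-user principals files.
PRINCIPALS_DIR = "/etc/ssh/principals"


def render_sshd_config(config: dict) -> List[str]:
    """Return the sshd_config lines that trusted-user-ca-key maps to.

    With no CA key configured, nothing is emitted and sshd keeps certificate
    authentication disabled (it trusts no CA at all).
    """
    ca_key = config["service"]["ssh"].get("trusted_user_ca_key")
    if not ca_key:
        return []
    return [
        f"TrustedUserCAKeys {ca_key}",
        # sshd expands %u to the login name being authenticated.
        f"AuthorizedPrincipalsFile {PRINCIPALS_DIR}/%u",
    ]


def render_principals_files(config: dict) -> Dict[str, str]:
    """Map principals-file path -> file contents, one file per user.

    Users without ca-principals get no file. Because AuthorizedPrincipalsFile
    is set, sshd then has no principal to match and rejects their certificates.
    """
    files: Dict[str, str] = {}
    for name, user in config["system"]["login"]["user"].items():
        principals = user.get("ca_principals", [])
        if principals:
            path = str(PurePosixPath(PRINCIPALS_DIR) / name)
            files[path] = "\n".join(principals) + "\n"
    return files


def certificate_permits_login(config: dict, login_name: str,
                              cert_principals: List[str]) -> bool:
    """sshd's principal rule for a certificate whose CA signature has already
    been verified against TrustedUserCAKeys: at least one principal embedded
    in the certificate must appear in the target user's principals file.
    """
    user = config["system"]["login"]["user"].get(login_name)
    if user is None:
        return False  # unknown account
    allowed = set(user.get("ca_principals", []))
    return bool(allowed & set(cert_principals))


if __name__ == "__main__":
    print("\n".join(render_sshd_config(VYOS_CONFIG)))
    for path, body in render_principals_files(VYOS_CONFIG).items():
        print(f"--- {path}\n{body}", end="")
    print(certificate_permits_login(VYOS_CONFIG, "vyos", ["netadmins"]))   # True
    print(certificate_permits_login(VYOS_CONFIG, "backup", ["netadmins"])) # False
```

Two checks a practitioner would want when wiring this up: sshd with StrictModes (the default) refuses a principals file whose file or parent directories are writable by other users, so the generated files and /etc/ssh/principals must be root-owned and not group/world-writable; and a certificate for a principal that is listed for one user is not accepted for another user unless that user's file lists it too, which is what makes the per-user mapping meaningful.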