
SSH Certificate configuration
Open, Wishlist, Public, Feature Request

Description

Overview

In a typical OpenSSH deployment, the sshd_config options TrustedUserCAKeys and AuthorizedPrincipalsFile allow users to log in with SSH certificates.

This request is for the ability to configure the SSH server options needed to make SSH certificate authentication work on VyOS.

Our motivation is to log in to our VyOS hosts with SSH certificates instead of fixed SSH keys or fixed passwords. Certificate login allows keys to have a limited lifespan that is not tied to the device's configuration.

Examples

# set service ssh trusted-user-ca-key <location>
  • <location> can be a local path or a URL pointing at a remote file.
  • Example (Local): set service ssh trusted-user-ca-key /tmp/ssh-ca.pem
  • Example (Remote): set service ssh trusted-user-ca-key https://example.com/ssh-ca.pem

Mapped to sshd_config TrustedUserCAKeys.

# set system login user <username> authentication ca-principals <principal-name>
  • Adds an SSH certificate principal for a given user for authentication. Multiple principals are permitted per user.
  • Example: set system login user vyos authentication ca-principals netadmins

Mapped to a per-user file containing principal names, configured by sshd_config AuthorizedPrincipalsFile.
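To show what the two proposed commands would have to produce on the box, here is an added example (not VyOS code) that renders the sshd_config directives and a per-user AuthorizedPrincipalsFile, rejecting principal names that could smuggle extra lines into the file and CA-key content that is not an OpenSSH public key; the paths /config/auth/ssh-ca.pub and /etc/ssh/principals, the input dict layout and the sample key are assumptions.

```python
"""Render the sshd_config directives and per-user AuthorizedPrincipalsFile
contents that the proposed VyOS commands would map to.  Added example, not
VyOS code; the on-box paths below and the input layout are assumptions."""
import re

CA_KEY_PATH = "/config/auth/ssh-ca.pub"   # assumed local copy of trusted-user-ca-key
PRINCIPALS_DIR = "/etc/ssh/principals"    # assumed directory of per-user principal files

# A principal name becomes one line of the principals file; whitespace, '#'
# or a newline in a name could smuggle extra principals or options in.
PRINCIPAL_RE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")
# TrustedUserCAKeys lines must be OpenSSH public keys: type, base64, optional comment.
CA_KEY_RE = re.compile(
    r"(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^\n]*)?")

# Constructed sample CA key (not a real key), as a local /tmp/ssh-ca.pem would hold.
SAMPLE_CA_KEY = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleNotARealCAKey0000"
                 " vyos-ssh-ca\n")

def validate_ca_key(ca_key_text):
    """Return the well-formed public-key lines; reject empty or non-key content
    (e.g. an HTML error page fetched from the remote URL form)."""
    lines = [l.strip() for l in ca_key_text.splitlines() if l.strip()]
    if not lines or not all(CA_KEY_RE.fullmatch(l) for l in lines):
        raise ValueError("trusted-user-ca-key is not an OpenSSH public key file")
    return lines

def render_sshd_config(ca_key_text):
    """sshd_config fragment for 'set service ssh trusted-user-ca-key'."""
    validate_ca_key(ca_key_text)
    return (f"TrustedUserCAKeys {CA_KEY_PATH}\n"
            f"AuthorizedPrincipalsFile {PRINCIPALS_DIR}/%u\n")   # %u = login user name

def render_principals(users):
    """{username: [principal, ...]} -> {principals file path: contents},
    for 'set system login user <u> authentication ca-principals <p>'."""
    files = {}
    for user, principals in users.items():
        bad = [p for p in [user, *principals] if not PRINCIPAL_RE.fullmatch(p)]
        if bad:
            raise ValueError(f"rejected name(s) for user {user!r}: {bad}")
        files[f"{PRINCIPALS_DIR}/{user}"] = "".join(p + "\n" for p in principals)
    return files

if __name__ == "__main__":
    print(render_sshd_config(SAMPLE_CA_KEY))
    for path, body in render_principals({"vyos": ["netadmins"]}).items():
        print(f"--- {path}\n{body}")
```

The principals files should be root-owned and not writable by the users they name, since sshd applies the same ownership checks to them as to authorized_keys.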

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)