Ssh host certificates

[hallvoren]

Hi. I'm looking at using step ca for ssh, but your examples seems to be from AWS systems where you can use that to authenticate the hosts. Does anyone have any example on how to automatically and securely create and renew host keys for other hosts? Putting the password in scripts everywhere seems like a bad idea. For us most things run on vSphere.

[maraino]

Hi @hallvoren, step-ca supports different provisioners, most of them can be used for ssh certificates in hosts, see ssh-host-cert-sign column on https://smallstep.com/docs/step-ca/configuration#provisioners

AWS, Azure and GCP uses instance identity documents provided by the cloud service to authenticate with the CA.

JWK, X5C or K8sSA require a password or a token provided one time. JWK and X5C uses one time tokens, so they can only be used once. K8sSA token can be used multiple times.

In all of them after an initial authentication, a cron or a systemd timer can be enabled to renew the certificate, the renewal of the certificate can use the SSHPOP provisioner that only requires the previous certificate to renew itself.

As most of the provisioners, are based on tokens, you can also build a custom service that returns the appropriate token for each server, and authenticate them in a different way.

@hallvoren Do you know if vSphere supports identity documents? If they do, can you create an issue and point us to the docs.

[hallvoren]

Ah. Sounds good. That means I can renew this over sshpop only using the old certificate. That sounds like it could work well and without exposing any secrets that will make someone sign new host keys.

[hallvoren]

I could not find anything on google about identity documents from VMware, but maybe someone else in this forum knows.

[mmalone]

Hosts can obtain keys using several of the step-ca provisioners. See https://smallstep.com/docs/step-ca/configuration#provisioners for detailed docs on the various provisioners.

The default "JWK provisioner" that gets set up when you initialize step-ca is actually much more flexible than it appears at first. It looks like it's just password-based authentication, but it's not really. In fact, the password you're entering is being used to decrypt an encrypted private key that's escrowed by the CA. The decrypted private key is then used to sign a short-lived single-use token. That token is what's actually used for authentication.

If you don't want all of your hosts to have the password to decrypt the JWK private key, you can break this up into separate steps. You can have some trusted piece of infrastructure generate the token and pass it to the host to use.

To generate a single-use token to obtain an SSH host certificate you'd run:

step ca token <hostname> --ssh --host

To use the generated <token> to obtain a certificate on a hosts you'd run:

step ssh certificate <hostname> <key-file> --host --token <token>

Hope this helps!

[hallvoren]

Hmm. My worry was mostly about not leaving a password that could be used by anyone to sign new hosts all over the place. Then an attacker could set up a server we per definition trust since it is signed by our CA. I would prefer that password to stay in as few places as possible. Of course my ansible script to actually create new VMs need access, but preferably little else.