confusion over SSH provisioning vs. renewal

[mmguero]

Hi, I'm hoping for a little bit of clarification on how to issue SSH certificates and then renew them with sshpop.

background info:

• step client version Smallstep CLI/0.15.16 (linux/amd64)
• step server version Smallstep CLI/0.15.16 (linux/arm) in docker
• the provisioners section in ca.json contains
  • one JWK provisioner with "enableSSHCA": true
  • one sshpop provisioner with "enableSSHCA": true
  • one ACME provisioner (although that's for TLS and is not relevant to this discussion)
• on the server, ./step/certs contains intermediate_ca.crt, root_ca.crt, ssh_host_ca_key.pub and ssh_user_ca_key.pub

I mostly went through the examples at If you’re not using SSH certificates you’re doing SSH wrong and at step ssh certificate and at DIY Single Sign-On for SSH, although I am using JWK instead of OIDC.

I've got it set up so that I'm able to SSH from one client into another using the id_ecdsa_pi I've generated thanks to the TrustedUserCAKeys value in sshd_config.

The issue comes when I try to renew:

$ STEPDEBUG=1 step ssh renew id_ecdsa-cert.pub id_ecdsa
✔ Provisioner: sshpop (SSHPOP)
Please enter the password to decrypt id_ecdsa: **********
✔ CA: https://step.xxxxxxx.xxx:9000
The request could not be completed; malformed or missing data. Please see the certificate authority logs for more info.

The request could not be completed; malformed or missing data. Please see the certificate authority logs for more info.

Okay, so I look at the logs on the certificate authority and find this error message:

error="authority.Authorize: authority.authorizeSSHRenew: sshpop.AuthorizeSSHRenew; sshpop certificate must be a host ssh certificate"

I don't know what that means. I provisioned the certificate originally like this:

step ssh certificate --provisioner=jwk username@hostname id_ecdsa

which worked correctly. I thought, "well, maybe I needed to provision it using sshpop?" but when trying that:

step ssh certificate --provisioner=sshpop username@hostname id_ecdsa
✔ Provisioner: sshpop (SSHPOP)
provisioner type 'SSHPOP' requires the '--sshpop-cert' flag

And I can't find much as to if this is the right way to do it, and, if so, what is sshpop-cert.

Can anyone help me out? Am I provisioning wrong? Am I renewing wrong? Am I missing some other piece?

[mmguero]

Okay, so maybe I'm just misunderstanding what I need to renew. I tried (as root) to renew my host certificate (because "certificate must be a host ssh certificate") and it worked:

/etc/ssh# step ssh renew ssh_host_ecdsa_key-cert.pub ssh_host_ecdsa_key
✔ Provisioner: sshpop (SSHPOP)
✔ CA: https://step.xxxxxx.xxx:9000
✔ Would you like to overwrite ssh_host_ecdsa_key-cert.pub [y/n]: y
✔ Certificate: ssh_host_ecdsa_key-cert.pub

So that makes sense. But what about renewing user certificates? Is that not something that needs to be done?

[maraino]

Hi @mmguero, we haven't implemented the renewal of user certificates. We think users should log in again to get a new certificate. Ideally, users should use an OIDC provisioner and do the auth flow with it.

[tashian]

Yeah, step ssh renew is the way to go. Looks like you got it!
Now you just need to make sure that renewal command runs when the host cert is about 2/3 of the way through its lifetime.

For user certificates, the typical flow is to issue a new short-lived user cert whenever you need to SSH. No renewal needed.