Add support for SSH Certificates
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
- [x] I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
- [x] I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue
Is your feature request related to a problem? Please describe.
As far as I can tell, it doesn't appear that opnsense provides the ability to use custom SSH keys that are signed with SSH certificates. (see here on SSH certificates)
Specifically, I would like to be able to add something like this to the sshd_config (and also remove the existing HostKey entries):
```
HostKey /custom/dir/ssh_host_ed25519_key
HostKey /custom/dir/ssh_host_rsa_key
HostCertificate /custom/dir/ssh_host_ed25519_key-cert.pub
HostCertificate /custom/dir/ssh_host_rsa_key-cert.pub
TrustedUserCAKeys /custom/dir/trusted-user-ca-keys.pem
```
Describe the solution you like
What would be really nice is some way to change or hook into the sshd_config before it is written. I'm not familiar enough with opnsense to know if/how this problem is solved with other configuration files, but, ideally, it would be consistent with that method.
Describe alternatives you considered
Another possibility would be to put the keys and certificates in `/conf/ssh/` and assume a specific format (i.e. `*-cert.pub` for certificates) and automatically add the `HostCertificate` line if that file exists in `/conf/ssh/`. This doesn't solve the problem of removing unwanted `HostKey` entries (as removed keys appear to be automatically regenerated) or adding `TrustedUserCAKeys`.
Additional context
I'm happy to contribute, but I would like input on a good solution before doing anything.
Thanks!
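The convention proposed above (a `<key>-cert.pub` beside each host key turns into a `HostCertificate` line, a `trusted-user-ca-keys.pem` into `TrustedUserCAKeys`) is small enough to show in code. The following is an added example written for this page, not OPNsense code and not part of the original issue; the directory layout, the file names and the `build_demo_dir` sample files are assumptions. It also adds one check a practitioner wants: a `-cert.pub` that is really a plain public key (first token lacks the `-cert-v01@openssh.com` suffix) is rejected instead of being handed to sshd, which would otherwise refuse to start.

```python
"""Generate sshd_config host-key / certificate lines from a key directory.

Added example, not OPNsense code. Convention (assumed, from the issue text):
  - every ssh_host_*_key file       -> HostKey <path>
  - a matching <key>-cert.pub file  -> HostCertificate <path>
  - trusted-user-ca-keys.pem        -> TrustedUserCAKeys <path>
"""
import os
import tempfile

CERT_TYPE_SUFFIX = "-cert-v01@openssh.com"      # OpenSSH certificate key types end with this
TRUSTED_CA_FILE = "trusted-user-ca-keys.pem"    # assumed file name, taken from the issue

# Constructed placeholders for the demo directory; not real keys or certificates.
PLACEHOLDER_PRIVATE_KEY = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                           "placeholder\n-----END OPENSSH PRIVATE KEY-----\n")
PLACEHOLDER_PUBKEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER host.example.org\n"
PLACEHOLDER_CERT = ("ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5PLACEHOLDER "
                    "host.example.org\n")
PLACEHOLDER_USER_CA = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIUSERCAPLACEHOLDER user-ca\n"


def is_openssh_certificate(path):
    """True if the first token of the file is an OpenSSH certificate key type."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        first = fh.readline().split()
    return bool(first) and first[0].endswith(CERT_TYPE_SUFFIX)


def host_key_lines(conf_dir):
    """Return the sshd_config lines for the keys, certs and user CA in conf_dir."""
    lines = []
    for name in sorted(os.listdir(conf_dir)):
        # Only private host keys; "*.pub" and "*-cert.pub" are handled via the key.
        if not (name.startswith("ssh_host_") and name.endswith("_key")):
            continue
        key_path = os.path.join(conf_dir, name)
        lines.append("HostKey %s" % key_path)
        cert_path = key_path + "-cert.pub"
        if os.path.isfile(cert_path):
            if not is_openssh_certificate(cert_path):
                # sshd rejects a HostCertificate that is not a certificate; fail early.
                raise ValueError("%s is not an OpenSSH certificate" % cert_path)
            lines.append("HostCertificate %s" % cert_path)
    ca_path = os.path.join(conf_dir, TRUSTED_CA_FILE)
    if os.path.isfile(ca_path):
        lines.append("TrustedUserCAKeys %s" % ca_path)
    return lines


def _write_files(files):
    """Create a temp directory holding the given {name: content} files."""
    conf_dir = tempfile.mkdtemp(prefix="conf-ssh-")
    for name, body in files.items():
        with open(os.path.join(conf_dir, name), "w", encoding="ascii") as fh:
            fh.write(body)
    return conf_dir


def build_demo_dir():
    """Constructed /conf/ssh/ layout: ed25519 key with cert, rsa key without, user CA."""
    return _write_files({
        "ssh_host_ed25519_key": PLACEHOLDER_PRIVATE_KEY,
        "ssh_host_ed25519_key.pub": PLACEHOLDER_PUBKEY,
        "ssh_host_ed25519_key-cert.pub": PLACEHOLDER_CERT,
        "ssh_host_rsa_key": PLACEHOLDER_PRIVATE_KEY,
        TRUSTED_CA_FILE: PLACEHOLDER_USER_CA,
    })


def demo_rejects_plain_key():
    """True if a plain public key mislabelled as *-cert.pub is refused."""
    conf_dir = _write_files({
        "ssh_host_rsa_key": PLACEHOLDER_PRIVATE_KEY,
        "ssh_host_rsa_key-cert.pub": PLACEHOLDER_PUBKEY,   # not a certificate
    })
    try:
        host_key_lines(conf_dir)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for line in host_key_lines(build_demo_dir()):
        print(line)
    print("mislabelled cert rejected:", demo_rejects_plain_key())
```

Run on the demo directory this prints a `HostKey` line for each key, one `HostCertificate` line (ed25519 only, since the rsa key has no `-cert.pub`) and the `TrustedUserCAKeys` line. Existing `HostKey` entries in a generated sshd_config are deliberately not touched, matching the scope discussed below.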
hi @hbradleyiii
TrustedUserCAKeys support is likely the easier part, HostCertificate a bit harder. HostKey removal is not really in scope here: while it's unnecessary for this setup type, it's also unnecessary to tackle it in this scope to begin with, as it doesn't interfere.
All of this should go to the GUI as we don't support pluggable SSH server configuration.
Cheers, Franco
This issue has been automatically timed-out (after 180 days of inactivity).
For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.
If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.