
Add a basic `step ssh verify` command

Open. hslatman opened this issue 2 years ago · 1 comment

This PR adds `verify` as an `ssh` subcommand. It verifies an SSH certificate using the `ssh.CertChecker` struct with basic options applied. Example output:

```shell
# failure with wrong CA key:
step ssh verify example-cert.pub wrong_ca_key.pub
ssh certificate signed by "SHA256:AXEctpST7/1MfakrLrE+xrtF8Eixh6YsmqNaxiN6AFI" does not equal ssh CA "SHA256:ezEEbt1V5MzJctHhrfk4ftfQMgOvPL51KaU/9MLouUo"
exit status 1

# success:
step ssh verify example-cert.pub ca_key.pub
```

Some potential things to add/change:

  • make CA key optional? verify would not check the signer key if not provided.
  • allow multiple CA keys?
  • add additional verification, such as revocation check?

hslatman · Jan 19 '23 14:01

One additional suggestion for this command: the ability to add an optional `--principal` or `--principals-file` option that would check the principals in the certificate against an expected principal or a list of principals in a file (assuming the same format as the file that the `AuthorizedPrincipalsFile` directive supports within sshd).

weaversam8 · Jan 19 '23 14:01