
Need clarity on credentialz.proto host certificate rotation

Open dhilipkr opened this issue 2 years ago • 3 comments

The ServerKeysRequest message has auth_artifacts, which holds a field for 'certificate'. But there are no fields to know the type of certificate. So while writing this new certificate to the file system, how do we establish the file name? Should it be /etc/ssh/ssh_host_rsa_key-cert.pub or /etc/ssh/ssh_host_ecdsa-cert.pub? Is the RPC handler supposed to parse the certificate as in ssh-keygen -L -f and determine the type and do this?

dhilipkr avatar Jul 07 '23 19:07 dhilipkr
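The question above, whether a handler has to inspect the certificate itself to pick a file name, as an added example that is not part of this issue or of the gnsi project: it parses the OpenSSH certificate line the way ssh-keygen -L starts out, reads the key type from the blob's first wire-format string, checks it against the text prefix, and maps it onto the conventional ssh_host_<algo>_key-cert.pub name. The algorithm-to-name map and the sample blobs are assumptions constructed for this example.

```python
import base64
import struct

CERT_SUFFIX = "-cert-v01@openssh.com"
# Base key algorithm -> name used in sshd's default host key file names
# (ssh_host_<name>_key-cert.pub). This mapping is an assumption of the example.
KEY_ALGO_NAMES = {
    "ssh-rsa": "rsa",
    "ssh-ed25519": "ed25519",
    "ecdsa-sha2-nistp256": "ecdsa",
}

def read_ssh_string(buf, offset):
    """Read one SSH wire-format string (uint32 big-endian length prefix)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    if start + length > len(buf):
        raise ValueError("truncated string body")
    return buf[start:start + length], start + length

def certificate_key_type(cert_line):
    """Return (certificate type, base algorithm name) for one certificate line."""
    # The text prefix must agree with the first string inside the blob.
    parts = cert_line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, blob = parts[0], base64.b64decode(parts[1], validate=True)
    wire_type = read_ssh_string(blob, 0)[0].decode("ascii")
    if wire_type != declared:
        raise ValueError(f"prefix {declared!r} disagrees with blob {wire_type!r}")
    if not wire_type.endswith(CERT_SUFFIX):
        raise ValueError(f"{wire_type!r} is not an OpenSSH certificate type")
    base = wire_type[:-len(CERT_SUFFIX)]
    if base not in KEY_ALGO_NAMES:
        raise ValueError(f"unsupported certificate key algorithm {base!r}")
    return wire_type, KEY_ALGO_NAMES[base]

def host_certificate_path(cert_line, ssh_dir="/etc/ssh"):
    """Derive the conventional HostCertificate file name from the key type."""
    return f"{ssh_dir}/ssh_host_{certificate_key_type(cert_line)[1]}_key-cert.pub"

def make_sample_line(cert_type):
    """Constructed sample: type string plus a dummy nonce field only, not a
    complete or signed certificate; just enough to exercise the parser."""
    blob = struct.pack(">I", len(cert_type)) + cert_type.encode("ascii")
    blob += struct.pack(">I", 4) + b"\x00" * 4  # stand-in for the nonce field
    return f"{cert_type} {base64.b64encode(blob).decode('ascii')} host-cert"
```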

Are you proposing that we add to the ServerKeysRequest a key-type, like: (perhaps just require this enum actually) https://github.com/openconfig/gnsi/blob/a43096008ba06570eddbdd64531d775a9b25a4b3/credentialz/credentialz.proto#L628

in order to tell what form of key is being sent? (I don't think openconfig itself cares a ton about 8.3 filenames... eh? But it may be handy to know "oh, this is a widget-form key" for other reasons?)

morrowc avatar Dec 28 '24 19:12 morrowc

I don't think we need this change anymore. I created this during the initial phase of the implementation for handling the ServerKeysRequest. I identified that the sshd config's 'HostCertificate' parameter just needs to point to a file path where the certificate is stored. So it wouldn't matter to know what the key type is for this case.

dhilipkr avatar Jan 07 '25 18:01 dhilipkr

Sounds OK to me.

morrowc avatar Jan 08 '25 05:01 morrowc