Subcommand to fetch SSH root without configuring OpenSSH
We should have a subcommand that grabs the SSH client / host cert from the CA (using the fingerprint) without doing the OpenSSH configuration stuff. This would be useful if people want to manage that configuration themselves. It's also consistent with our X.509 stuff, where we have step ca root and step ca bootstrap.
@mmalone: we already have:
step ssh config --roots to get the public key used to sign user certificates.
step ssh config --roots --host to get the public key used to sign host certificates.
We can change these commands to something like step ssh root and step ssh root --host or something similar. What do you think?
Nice! I didn't realize that. Let's leave it as is for the moment and make sure we get it documented. If people still aren't finding this option we might want to move it to a subcommand. This feature request came from someone using our last release, so they didn't have step ssh config. This is probably sufficient.
The only other reason to consider a separate subcommand is for consistency with the step ca command group. But the step ssh command group already has a bunch of inconsistencies (intentionally, since the API is designed to make sense from the perspective of an SSH user vs. the perspective of an X.509 PKI participant). Shrug.
@mmalone any movement here? Should we call it "done", "wont fix"?
I think it still makes sense to create a separate command for this. We should also keep the current functionality.
We can change these commands to something like step ssh root and step ssh root --host or something similar. What do you think?
I think from the user perspective it would be nice to have consistency with the step ca root command. Since there are multiple roots that are not part of a chain, something like step ssh root would display an error saying a parameter is needed, i.e. step ssh root --user or step ssh root --host. This would allow consistency for scripts that wrap step-cli.
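For readers who want to manage the OpenSSH side by hand with the two commands quoted in this thread, here is an added sketch (not part of the issue and not step's own code) that turns their output into trust entries and refuses anything that is not a public key. It assumes the commands print one OpenSSH-format public key per line; the function names, the file path and the `*.example.com` pattern are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: each input line is "<key type> <base64> [comment]".

# is_pubkey LINE: succeed only for a known key type followed by a base64 blob,
# so an error message or HTML page never lands in a trust file.
is_pubkey() {
    case "$1" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp256\ *|ecdsa-sha2-nistp384\ *|ecdsa-sha2-nistp521\ *) ;;
        *) return 1 ;;
    esac
    blob=${1#* }        # drop the key type
    blob=${blob%% *}    # drop any trailing comment
    [ -n "$blob" ] || return 1
    case "$blob" in *[!A-Za-z0-9+/=]*) return 1 ;; esac
    return 0
}

# filter_keys PREFIX: read keys on stdin, print "PREFIX<key>" lines.
# Output is buffered so a bad line produces no partial result.
filter_keys() {
    out=
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        is_pubkey "$line" || { echo "rejected: not an OpenSSH public key" >&2; return 1; }
        out="${out}${1}${line}
"
    done
    printf '%s' "$out"
}

# Host CA key -> known_hosts entry on the CLIENT (trust host certificates).
host_ca_lines() { filter_keys "@cert-authority $1 "; }

# User CA key -> contents of the file named by TrustedUserCAKeys in the
# SERVER's sshd_config (trust user certificates).
user_ca_lines() { filter_keys ""; }

# Typical use (paths and pattern are hypothetical):
#   step ssh config --roots --host | host_ca_lines '*.example.com' >> ~/.ssh/known_hosts
#   step ssh config --roots | user_ca_lines > /etc/ssh/user_ca.pub
```

Note the direction of trust: the host CA key belongs on clients, and the user CA key belongs on servers.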