
Ability to skip Include directive and add smallstep config directly to ~/.ssh/config

Open roopakv opened this issue 5 years ago • 4 comments

What would you like to be added

Currently smallstep adds

Host *
	Include /path/to/smallstep/config

I would like a flag which rather does

Host *
	<Smallstep config here>
	Match exec "/usr/local/bin/step ssh check-host %h"
		...

Why this is needed

We use IntelliJ IDEs which connect to dev servers, and IntelliJ uses sshJ which does not support the Include directive.

roopakv avatar Apr 03 '20 17:04 roopakv

Great suggestion! Seems like we should definitely make this an option. We'll have to prioritize for one of our next sprints.

dopey avatar Apr 07 '20 22:04 dopey

@dopey, @sourishkrout, any news on this?

jhult avatar Jan 28 '22 19:01 jhult

Hey @jhult only bad news, which is to say, no movement. If anything we've made this worse by adding another include indirection into that flow.

I'll add this back to our triage so we can re-discuss it (fell off our map), but my gut feeling is that this will be kinda challenging / involved to special case. With the relatively recent introduction of contexts there is the possibility to have multiple match exec ... blocks. Managing those in one file is troublesome and it's the reason we've chosen to use includes.

dopey avatar Jan 28 '22 22:01 dopey

@jhult we had a chance to talk about this today, and unfortunately, this is going to be difficult for us to support "natively".

There are two workarounds that we can think of:

  1. You can define your own template for ~/.ssh/config in the CA configuration. -- Or
  2. You can manage the ~/.ssh/config file using existing configuration mgmt solutions.

If it were me, I'd probably do 2), but lmk if you'd like more info about replacing the default template.

p.s. Templates attribute in the CA config: https://github.com/smallstep/certificates/blob/808f039b0993e047bff9302d42bb03bcc15e92ad/authority/config/config.go#L66

dopey avatar Feb 03 '22 00:02 dopey
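
Workaround 2 from the last comment, as an added example (not smallstep's code and not part of the original thread): a Python script that inlines every Include so that a client without Include support can read the result. The names `flatten` and `ssh_dir` are assumptions of this example; it refuses to inline a file containing Host/Match blocks under a restrictive parent block, because that would change which hosts the settings apply to.

```python
import glob
import os
import re
import shlex

# keyword, then "=" or whitespace, then the arguments (ssh_config allows both)
_LINE = re.compile(r"^\s*([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*?)\s*$")
MAX_DEPTH = 16  # stop on Include loops


def flatten(path, ssh_dir, depth=0):
    """Return (lines, has_blocks) for `path` with every Include inlined."""
    if depth > MAX_DEPTH:
        raise ValueError(f"Include nesting too deep at {path}")
    out, has_blocks = [], False
    header = None       # last Host/Match line seen in this file
    matches_all = True  # global scope, "Host *" or "Match all"
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.rstrip("\n")
            m = None if line.lstrip().startswith("#") else _LINE.match(line)
            key = m.group(1).lower() if m else ""
            if key in ("host", "match"):
                header, has_blocks = line, True
                matches_all = (key, m.group(2).lower()) in (("host", "*"), ("match", "all"))
            if key != "include":
                out.append(line)
                continue
            for pattern in shlex.split(m.group(2)):
                pattern = os.path.expanduser(pattern)
                if not os.path.isabs(pattern):
                    # relative Include paths in a user config resolve under ~/.ssh
                    pattern = os.path.join(ssh_dir, pattern)
                for inc in sorted(glob.glob(pattern)):
                    sub, sub_blocks = flatten(inc, ssh_dir, depth + 1)
                    if sub_blocks and not matches_all:
                        # Host/Match lines would end the restrictive parent block
                        raise ValueError(f"cannot inline {inc} under {header!r}")
                    out += [f"# begin {inc}", *sub, f"# end {inc}"]
                    if sub_blocks:
                        # re-open the enclosing scope so later lines do not
                        # fall into the last block of the inlined file
                        out.append(header or "Match all")
                        has_blocks = True
    return out, has_blocks


if __name__ == "__main__":
    cfg_dir = os.path.expanduser("~/.ssh")
    lines, _ = flatten(os.path.join(cfg_dir, "config"), cfg_dir)
    print("\n".join(lines))
```

The output is a snapshot: regenerate it whenever the included files change, otherwise the flattened copy keeps stale `Match exec` and known-hosts settings.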