cli icon indicating copy to clipboard operation
cli copied to clipboard
verified publisher icon smallstep

Add Filter for Provisioners List on `step ssh login`

Open mitchellkingsley opened this issue 3 years ago • 4 comments

What would you like to be added

A configuration option for provisioners which will hide them from the provisioners list when the step ssh login command is used.

Why this is needed

When using multiple provisioners, the selection list when using step ssh login can become cluttered with provisioners that:

  • You may not want users to see
  • Are not useful to a user.

In the example below SSHPOP, host-registration, and devops-concourse are not useful for authorizing a user's CSR. Cleaning up this list to only include the relevant/desired items would improve clarity for the end user.

image

mitchellkingsley avatar Feb 16 '22 21:02 mitchellkingsley

It makes sense to remove SSHPOP or Azure as they are only used for hosts. Currently, the only filter we have is the --provisioner flag.

If you're always using the same provisioner there's some helpful tricks:

  1. Define environment variable STEP_PROVISIONER=devops-user
  2. Alternatively define "provisioner": "devops-user" in $(step path)/defaults.json

If you use contexts I think you can also use profiles to that (@dopey should have more details).

maraino avatar Feb 16 '22 21:02 maraino

The environment variable tip will be useful for users who only deal with the single provisioner. Will let that subset of people know about it!

However, as mentioned, the SSHPOP, Azure, and (in my specific use case) JWK provisioners will never be selected by a human.

Let me know if I can provide any other info.

mitchellkingsley avatar Feb 17 '22 22:02 mitchellkingsley

  • from triage: "this list should only contain provisioners that can create SSH user certs".
  • return in the provisioner API response whether the provisioner is able to create SSH user certs
  • we should have fine grained configuration on provisioner to only allow host or user SSH certs

dopey avatar Feb 23 '22 18:02 dopey

Following up here: by default, we think this should be a "can this provisioner generate SSH certs" filter. That's a configuration on the provisioner that is part of the CA configuration.

The problem is that this may still be too coarse. You may have certain provisioners that only generate host SSH certificates. But they will still be returned as part of the "ssh enabled provisioners list" to the step ssh login command which is currently only for users. So, we probably want more fine grained configurability on provisioners with regards to SSH. That configurability does not exist, but we're hoping it will in the future.

With regard to timing on "filtering the list to only SSH enabled provisioners" I can't make any promises. But we'd be happy to work with someone from the community if anyone is interested in tackling this one.

dopey avatar Feb 24 '22 23:02 dopey