Allow `step ssh proxycommand` to fall through to standard SSH auth

Status: Open. DjLogozzo opened this issue 3 years ago • 4 comments

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

When attempting to SSH into a server that has been set up for SSH Certificate Authentication, with a client that has been set up for SSH Certificate Authentication (i.e. step ssh config), it is no longer possible to log in to accounts not in your principal, e.g. break-glass accounts, using the hostname.

We are currently able to bypass this issue by directly using the IP of the server when running the SSH command, as this does not trigger the step ssh check-host command in the default SSH config template, but this feels like a hacky workaround.

A better solution would be to allow step ssh proxycommand to fall through to basic SSH auth if the user is not in the principal of the certificate. Possibly as an argument that can be embedded in the config template so it is not default behaviour.

Why is this needed?

It would allow users to log in to break-glass, shared, or external auth (i.e. LDAP) accounts without resorting to tricks to get around the step ssh check-host check.

I haven't tested this use case, but I also believe it would be useful for scenarios where the CA is down, but the user still needs to log in to the server (possibly to fix the issue of the CA being down lol)

Info about our setup

We currently have our servers set up for SSO using smallstep CA with Azure as the OpenID provider (following this guide).

DjLogozzo, Sep 16 '22 07:09

Hey @DjLogozzo 👋 . Apologies for the radio silence. We agree that this would be a useful feature and we've added it to the next milestone. We don't have an exact date for that yet, but we generally release a new tag (milestone) about once every 1 or 2 months.

Thanks for taking the time to open the issue! Cheers 🍻

dopey, Oct 05 '22 05:10

This would be very helpful for us as well; trying multiple identities in the agent is the default behavior if you just use step ssh login, so it makes sense that proxycommand should support it as well...

weaversam8, Jan 03 '23 23:01

@DjLogozzo As a temporary workaround, a configuration like this works quite well!

    Match exec "step ssh check-host %h"
        # ...
        ProxyCommand bash -c "step ssh proxycommand %r %h %p --provisioner 'Provisioner Name' || nc %h %p"

This falls back to what's essentially a "no-op" ProxyCommand if step ssh proxycommand fails for any reason. I figured out this trick from @jpverkamp's blog, so thanks very much JP!

weaversam8, Jan 05 '23 15:01
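The `|| nc` trick above silently swallows every failure of `step ssh proxycommand`, so a CA outage or a break-glass login is indistinguishable from a normal certificate login. The following wrapper script is an added example (not from this issue or the step project) that keeps the same fall-through behaviour but records each fallback in an audit log; the script name `step-proxy-fallback`, the log path, the `STEP_CMD`/`FALLBACK_CMD` overrides used for testing, and the provisioner name are all assumptions.

```shell
#!/bin/sh
# step-proxy-fallback (hypothetical name): ProxyCommand wrapper that tries the
# certificate-backed `step ssh proxycommand` first and falls back to a plain
# TCP relay (nc) if it fails, logging every fallback so break-glass and
# CA-down logins remain visible to the operator.
#
# ssh_config usage (inside the `Match exec "step ssh check-host %h"` block):
#   ProxyCommand /usr/local/bin/step-proxy-fallback %r %h %p
#
# STEP_CMD / FALLBACK_CMD / STEP_PROVISIONER / STEP_PROXY_LOG are assumed
# environment overrides; they exist so the logic can be exercised without
# a real CA or network.

log_path() {
  printf '%s\n' "${STEP_PROXY_LOG:-$HOME/.step-proxy-fallback.log}"
}

# log_fallback USER HOST PORT STEP_EXIT: append one audit line per fallback.
log_fallback() {
  printf '%s user=%s host=%s port=%s step_exit=%s action=fallback\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$3" "$4" >> "$(log_path)"
}

# proxy_connect USER HOST PORT: run the certificate proxy; on any non-zero
# exit, record the fallback and hand the connection to the plain relay.
# Returns the exit status of whichever command served the connection.
proxy_connect() {
  user=$1 host=$2 port=$3
  status=0
  # Word-splitting of STEP_CMD is intentional ("step ssh proxycommand").
  ${STEP_CMD:-step ssh proxycommand} "$user" "$host" "$port" \
    --provisioner "${STEP_PROVISIONER:-Provisioner Name}" || status=$?
  [ "$status" -eq 0 ] && return 0
  log_fallback "$user" "$host" "$port" "$status"
  ${FALLBACK_CMD:-nc} "$host" "$port"
}

# count_fallbacks: number of recorded fallbacks, for a quick audit check.
count_fallbacks() {
  f=$(log_path)
  [ -f "$f" ] || { echo 0; return 0; }
  grep -c 'action=fallback' "$f" || true
}

# Only act as a ProxyCommand when invoked under the script's own name.
case ${0##*/} in
  step-proxy-fallback) proxy_connect "$@" ;;
esac
```

Reviewing the log (or shipping it to your SIEM) turns an otherwise invisible bypass of certificate auth into an event you can alert on.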

Yay! 🎉 I'm glad it helped!

jpverkamp, Jan 06 '23 16:01