
Allow duplicate step ssh config --set keys #1151

Closed
lungj opened this issue Apr 12, 2024 · 2 comments
Labels: enhancement, needs triage (Waiting for discussion / prioritization by team)

Comments


lungj commented Apr 12, 2024

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

I'm adding smallstep to a preexisting environment. Some ssh users have ed25519 fingerprints for servers, others have ecdsa fingerprints, and some ssh clients (embedded systems) only support rsa.

When using step ssh config --set Certificate=... --set Key=..., the ssh server is reconfigured to only serve one certificate via one key type. If the key type doesn't match the fingerprint in users' known_hosts file, they get a MITM warning -- or, if it's an unsupported key type, they can't log in.

Why is this needed?

It eases transitions for users and provides backwards compatibility.

Implementation notes

If multiple Certificate and Key keys can be set in step, sshd_config can do most of the rest of the work since it allows multiple HostCertificate and HostKey lines, e.g.,

Match all
	TrustedUserCAKeys /etc/ssh/ca.pub
	HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
	HostKey /etc/ssh/ssh_host_ed25519_key
	HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub
	HostKey /etc/ssh/ssh_host_ecdsa_key

The ssh clients can then fall back as necessary.

@lungj lungj added enhancement needs triage Waiting for discussion / prioritization by team labels Apr 12, 2024
maraino (Collaborator) commented Apr 15, 2024

Hi @lungj, when you initialize a CA with step ca init --ssh you can edit the templates that the CA will use:

$ cat templates/ssh/sshd_config.tpl
Match all
	TrustedUserCAKeys /etc/ssh/ca.pub
	HostCertificate /etc/ssh/{{.User.Certificate}}
	HostKey /etc/ssh/{{.User.Key}}

You can adjust this to your needs.
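As an added example (not code from the smallstep project or from either commenter), here is the sshd_config.tpl above adjusted the way the issue asks for, with one HostCertificate/HostKey pair per key type, together with a small shell check that every HostCertificate line has a HostKey of the same type. The key file paths follow the conventional ssh_host_<type>_key naming and are assumed.

```shell
# Added example (not smallstep's code): a sshd_config.tpl that serves one host
# certificate per key type, plus a filename-level sanity check. Paths follow the
# conventional ssh_host_<type>_key naming and are assumed for this example.

# Adjusted template: hard-codes one HostCertificate/HostKey pair per key type, so
# it no longer depends on the Certificate and Key values passed with --set.
multi_key_template() {
  cat <<'EOF'
Match all
	TrustedUserCAKeys /etc/ssh/ca.pub
	HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
	HostKey /etc/ssh/ssh_host_ed25519_key
	HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub
	HostKey /etc/ssh/ssh_host_ecdsa_key
	HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
	HostKey /etc/ssh/ssh_host_rsa_key
EOF
}

# check_host_key_pairs: reads an sshd_config on stdin and prints, in file order,
# the key types whose HostCertificate has a HostKey with the matching filename.
# Returns 1 if a certificate has no key: sshd only presents a certificate whose
# public key matches one of its HostKeys, otherwise it logs an error and serves
# that key type without the certificate, which is exactly the warning the issue
# describes.
check_host_key_pairs() {
  awk '
    $1 == "HostKey"         { keys[$2] = 1 }
    $1 == "HostCertificate" { n++; c = $2; sub(/-cert\.pub$/, "", c); certs[n] = c }
    END {
      rc = 0
      for (i = 1; i <= n; i++) {
        c = certs[i]
        if (c in keys) {
          split(c, p, "_")                    # /etc/ssh/ssh_host_<type>_key -> p[3]
          out = out (out == "" ? "" : " ") p[3]
        } else {
          print "no HostKey for " c "-cert.pub" > "/dev/stderr"
          rc = 1
        }
      }
      print out
      exit rc
    }'
}

# Renders the template and checks it; prints "ed25519 ecdsa rsa".
multi_key_template | check_host_key_pairs
```

The check pairs by filename only; running `sshd -t` against the rendered file is the authoritative test that each certificate actually matches its key.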

maraino (Collaborator) commented Apr 16, 2024

Hi @lungj, I'm going to close this issue, as you can update the template. Feel free to reopen if this doesn't solve your issue.

@maraino maraino closed this as completed Apr 16, 2024
@hslatman hslatman modified the milestones: v0.26.3, v0.26.2 Jun 17, 2024