SSH Certificate Authentication #1002

Closed
bernard-wagner opened this issue Nov 6, 2018 · 3 comments


bernard-wagner commented Nov 6, 2018

Add the ability to use SSH certificates, in addition to SSH keys. This allows team members to manage a cluster without sharing private keys or maintaining a list of authorized_keys. It would also be useful when automating cluster deployment in a CI/CD pipeline that uses Vault for secrets management.

Additional background:
https://www.vaultproject.io/docs/secrets/ssh/index.html
https://man.openbsd.org/ssh-keygen.1#CERTIFICATES
https://man.openbsd.org/sshd_config#TrustedUserCAKeys

@cjellick

@rmweir to validate (work with @galal-hussein to understand the issue)


rmweir commented Feb 28, 2019

Validated that RKE now supports SSH certificates.

Steps to validate:

1. Provision a CoreOS VM on Google Cloud.
2. On local: `ssh-keygen -t rsa -b 4096 -f demo-cert -q -P ""`
3. `cat demo-cert.pub`
4. On CoreOS: create config.yml with the following contents OR SKIP TO STEP 6 FOR NON-CLOUDCONFIG:

   ```yaml
   #cloud-config
   write_files:
   -   content: ssh-rsa AAAAB3NzaC1yc2EA... rmweir@Austins-MBP.tempe.rancherlabs.com
       owner: root
       path: /etc/ssh/ssh_trusted_user_ca_keys2
       permissions: '0644'
   -   content: |
           UsePrivilegeSeparation sandbox
           Subsystem sftp internal-sftp
           UseDNS no
           PermitRootLogin no
           AllowUsers core
           AuthenticationMethods publickey
           TrustedUserCAKeys /etc/ssh/ssh_trusted_user_ca_keys
       owner: root
       path: /etc/ssh/sshd_config2
   ```

5. On CoreOS, run cloud-config: `sudo coreos-cloudinit --from-file=config.yml`
6. On CoreOS: create sshd_config with 0644 access:

   ```
   UsePrivilegeSeparation sandbox
   Subsystem sftp internal-sftp
   UseDNS no

   PermitRootLogin no
   AllowUsers core
   AuthenticationMethods publickey
   TrustedUserCAKeys /etc/ssh/ssh_trusted_user_ca_keys
   ```

7. On CoreOS, create the file /etc/ssh/ssh_trusted_user_ca_keys with content (output from step 3, on one line) with 0644 access:
   `ssh-rsa AAAAB3NzaC1yc2EA...`
8. On CoreOS, restart sshd: `sudo systemctl restart sshd`
9. On local, create new keys: `ssh-keygen -f test-key -q -P ""`
10. On local, sign the key: `ssh-keygen -s demo-cert -I TEST -n core -V +2h test-key.pub`
11. On local, create cluster.yml with contents:

    ```yaml
    nodes:
      - address: 35.192.208.253
        port: 22
        user: core
        ssh_key_path: ~/.ssh/test-key
        ssh_cert_path: ~/.ssh/test-key-cert.pub
        role: [controlplane,worker,etcd]

    ignore_docker_version: true
    ```

12. On local (in the same folder as cluster.yml), use the RKE binary built from latest master: `rke up`
13. On local (in the same folder as the last step): `kubectl --kubeconfig kube_config_cluster.yml get nodes`

Results:
Behaved as expected. Properly SSH'd into the VM and created nodes.
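What `ssh-keygen -s demo-cert -I TEST -n core -V +2h` actually writes into test-key-cert.pub, and the principal and validity checks sshd applies under TrustedUserCAKeys, as an added Python example (not code from this issue or from RKE). It decodes a `*-cert.pub` line per OpenSSH's PROTOCOL.certkeys wire format; the sample certificate is constructed and unsigned, and the CA signature itself is not verified here.

```python
import base64
import struct
# String fields in the certified public key, per cert type (ed25519: key; RSA: mpint e, n).
PUBKEY_FIELDS = {"ssh-ed25519-cert-v01@openssh.com": 1, "ssh-rsa-cert-v01@openssh.com": 2}
USER_CERT = 1  # certificate type field: 1 = user, 2 = host (OpenSSH PROTOCOL.certkeys)

def _s(b):  # encode an SSH "string": uint32 big-endian length, then the bytes
    return struct.pack(">I", len(b)) + b
def _rd(buf, off):  # decode one SSH string at offset; returns (bytes, next offset)
    n, = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_cert(line):
    """Decode a *-cert.pub line (as written by `ssh-keygen -s`) into its policy fields."""
    kind, b64 = line.split()[:2]
    buf, off = base64.b64decode(b64), 0
    for _ in range(2 + PUBKEY_FIELDS[kind]):  # skip type name, nonce, certified public key
        _, off = _rd(buf, off)
    serial, ctype = struct.unpack_from(">QI", buf, off)
    key_id, off = _rd(buf, off + 12)
    princ_blob, off = _rd(buf, off)
    valid_after, valid_before = struct.unpack_from(">QQ", buf, off)
    principals, p = [], 0
    while p < len(princ_blob):  # nested list of SSH strings, one per principal (-n)
        name, p = _rd(princ_blob, p)
        principals.append(name.decode())
    return {"serial": serial, "type": ctype, "key_id": key_id.decode(),
            "principals": principals, "valid_after": valid_after, "valid_before": valid_before}

def check_cert(cert, user, now):
    """Policy checks sshd applies once the CA signature verifies (signature NOT checked here)."""
    problems = []
    if cert["type"] != USER_CERT:
        problems.append("not a user certificate")
    if not cert["principals"]:  # PROTOCOL.certkeys: empty list means valid for ANY principal
        problems.append("empty principal list: valid for any user")
    elif user not in cert["principals"]:
        problems.append(f"principal {user!r} not in {cert['principals']}")
    if not cert["valid_after"] <= now < cert["valid_before"]:
        problems.append("outside validity window")
    return problems

def build_unsigned_cert(key_id, principals, valid_after, valid_before):
    # Constructed sample: pk, CA key and signature are placeholders, so sshd would reject it.
    kind = "ssh-ed25519-cert-v01@openssh.com"
    body = _s(kind.encode()) + _s(b"\x00" * 32) + _s(b"\x01" * 32)  # type, nonce, pk
    body += struct.pack(">QI", 0, USER_CERT) + _s(key_id.encode())  # serial, type, key id (-I)
    body += _s(b"".join(_s(p.encode()) for p in principals)) + struct.pack(">QQ", valid_after, valid_before)
    body += _s(b"") * 3 + _s(b"placeholder-ca-key") + _s(b"placeholder-sig")  # opts, exts, reserved
    return f"{kind} {base64.b64encode(body).decode()} {key_id}"
```

To inspect a real certificate, pass one line of `test-key-cert.pub` to `parse_cert` and compare the result with `ssh-keygen -L -f test-key-cert.pub`; an empty principal list or a long `-V` window is what to look for in review.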


cjellick commented Mar 1, 2019

Validation is good

cjellick closed this as completed Mar 1, 2019