Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add a basic step ssh verify command #832

Draft
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

hslatman
Copy link
Member

@hslatman hslatman commented Jan 19, 2023

This PR adds verify as an ssh subcommand. It verifies an SSH certificate using the ssh.CertChecker struct with basic options applied. Example output:

# failure with wrong CA key:
step ssh verify example-cert.pub wrong_ca_key.pub
ssh certificate signed by "SHA256:AXEctpST7/1MfakrLrE+xrtF8Eixh6YsmqNaxiN6AFI" does not equal ssh CA "SHA256:ezEEbt1V5MzJctHhrfk4ftfQMgOvPL51KaU/9MLouUo"
exit status 1

# success: 
step ssh verify example-cert.pub ca_key.pub

Some potential things to add/change:

  • make CA key optional? verify would not check the signer key if not provided.
  • allow multiple CA keys?
  • add additional verification, such as revocation check?

@github-actions github-actions bot added the needs triage Waiting for discussion / prioritization by team label Jan 19, 2023
@weaversam8
Copy link

One additional suggestion for this command: ability to add an optional --principal or --principals-file option that would check the principals in the certificate against an expected principal or a list of principals in a file (assuming the same format as the file that the AuthorizedPrincipalsFile directive supports within sshd)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
needs triage Waiting for discussion / prioritization by team
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants